North Korean hackers hit 3,100+ IPs in AI, crypto, finance job scam

After snipping over $2 billion from the crypto market in 2025, North Korean hackers are back with a fake job recruitment campaign executed by a group known as PurpleBravo.

North Korean-linked hackers have launched a cyber espionage on more than 3,100 internet addresses tied to companies in artificial intelligence, cryptocurrency, and financial services, according to new threat intelligence findings by Recorded Future’s Insikt Group. 

PurpleBravo was spotted using fraudulent job recruitment processes and developer tools embedded with malicious software. Per Insikt Group’s assessment, 20 victim organizations have been identified so far from South Asia, North America, Europe, the Middle East, and Central America. 

North Korea launches fake recruitment interviews malware campaign 

As explained by Insikt Group, the “Contagious Interview” campaign features bad actors who pose as recruiters or developers and approach job seekers with technical interview exercises. At least 3,136 individual IP addresses were targeted during the monitoring period, the security analysts said.

The attackers presented themselves as crypto and technology firm representatives, requesting that candidates review code, clone repositories, or complete coding tasks. 

“In several cases, it is likely that job-seeking candidates executed malicious code on corporate devices, creating organizational exposure beyond the individual target,” the threat intelligence firm wrote in its report.

The operation has several aliases in both private and open-source insights on North Korea hackers, including CL-STA-0240, DeceptiveDevelopment, DEV#POPPER, Famous Chollima, Gwisin Gang, Tenacious Pungsan, UNC5342, Void Dokkaebi, and WaterPlum. 

The cybersecurity group also mentioned that the hackers used Astrill VPN and IP ranges to administer China-based command-and-control servers. Meanwhile, 17 service providers hosted malware like BeaverTail and GolangGhost servers for them.

Luring victims with personas, GitHub, and Ukrainian cover stories

Insikt Group spotted four online personas linked to PurpleBravo, following an investigation into malicious GitHub repositories, social media chatter on crypto scams, and a hacking network intelligence service.

According to the report, these profiles consistently presented themselves as being based in Odessa, Ukraine, while targeting job seekers from South Asia. Insikt said it was unable to determine why Ukrainian identities were used in the ruse. 

In one of the fake programs, hackers used a website advertising a token based on a food brand. However, researchers could not establish a verified connection between the coin and the company it referenced. Scammers, automated bots, and malicious links populate the project’s official Telegram channel. 

Moreover, the operation also featured two related remote access trojans, PylangGhost and GolangGhost. The malware families are multi-platform tools that share identical commands and automate the theft of browser credentials and cookies.

GolangGhost is compatible with several operating systems, but PylangGhost only works on Windows systems and can bypass Chrome’s app-bound credential protection for version 127 and later.

Insikt Group found Telegram channels advertising LinkedIn and Upwork accounts for sale, with the sellers using proxy services like proxy-seller[.]com, powervps[.]net, residentialvps[.]com, lunaproxy[.]com, and sms-activate[.]io, and virtual private servers to hide their locations. The operator was also seen interacting with the cryptocurrency trading platform MEXC Exchange.

VS Code backdoors on Microsoft Visual Studio

On Monday, Jamf Threat Labs reported that North Korea-linked actors have developed a weaponized version of Microsoft Visual Studio Code that can find backdoors in systems. The tactic was first identified in December 2025 and has since been refined, the security analysts said.

According to Jamf security researcher Thijs Xhaflaire, the attackers can implant malware that grants remote code execution on machines. The infection chain begins when a target clones a malicious Git repository and opens it in VS Code.

“When the project is opened, Visual Studio Code prompts the user to trust the repository author. If that trust is granted, the application automatically processes the repository’s tasks.json configuration file, which can result in embedded arbitrary commands being executed on the system,” Thijs Xhaflaire wrote.

Sharpen your strategy with mentorship + daily ideas - 30 days free access to our trading program