The North Korean hacking group Famous Chollima targeted crypto experts with fake job interviews designed to steal their data and deploy malware on their devices. The malware stole credentials from over 80 browser extensions, including password managers and crypto wallets such as MetaMask, 1Password, NordPass, Phantom, Bitski, Initia, TronLink, and MultiverseX.
On Wednesday, threat intelligence research firm Cisco Talos reported that Famous Chollima posed as legitimate companies and directed unsuspecting victims to skill-testing websites where victims entered personal details and answered technical questions.
The skill-testing sites impersonated real companies such as Coinbase, Archblock, Robinhood, Parallel Studios, Uniswap, and others, which lent the lures credibility with the intended victims.
Based on open-source intelligence, only a few users, predominantly in India, were affected. Dileep Kumar H V, Director at Digital South Belief, advised that to counter these scams, India should mandate cybersecurity audits for blockchain corporations and monitor fake job portals. He also called for stronger global coordination on cross-border cybercrime and digital awareness campaigns.
🚨 ALERT: North Korean hackers are targeting blockchain professionals with new info-stealing malware
Disguised as fake crypto job sites — be careful… pic.twitter.com/wt4pe5o1Zg
— Mayank Dudeja (@imcryptofreak) June 20, 2025
Cybersecurity research firm Cisco Talos attributed the new Python-based remote access trojan, “PylangGhost,” to the North Korean-affiliated hacking collective “Famous Chollima,” also known as “Wagemole.”
The firm also disclosed that the PylangGhost malware was functionally equivalent to the previously documented GolangGhost RAT, sharing many of the same capabilities. Famous Chollima used the Python-based variant to target Windows systems, while the Golang version targeted macOS users. Linux systems were excluded from these latest attacks.
According to Talos, the threat actor group has been active since 2024 through several well-documented campaigns, including variants of Contagious Interview (aka Deceptive Development) that relied on fake job advertisements and skill-testing pages. Users were instructed to copy and paste a malicious command line (the so-called ClickFix technique) on the pretext of installing the drivers needed for the final skill-testing stage.
Candidates in the latest scheme, uncovered in May, were instructed to enable camera access for a video interview and then prompted to copy and execute malicious commands disguised as video driver installations. Running those commands installed PylangGhost on their machines. Execution started with the file “nvidia.py,” which performed several tasks: it created a registry value to launch the RAT every time the user logged onto the system, generated a GUID for the system to be used in communication with the command and control (C2) server, connected to the C2 server, and entered the command loop for communication with the server.
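A defender-side check for the logon persistence step described above (a Run-key value that launches a Python script from a user-writable directory), written as an added example that is not from the Talos report or this article; the registry value names and paths in the sample are constructed, and on a real host the dictionary would be filled from the HKCU Run key.

```python
# Editor-added example: audit Windows Run-key values for the persistence pattern
# the report describes for nvidia.py (an interpreter launching a script at logon).
import ntpath
import re
from typing import Optional

PYTHON_EXE = re.compile(r"^(python|pythonw|py)(\d+(\.\d+)?)?\.exe$", re.IGNORECASE)
# Directories a standard user can write to without elevation.
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Downloads|Users\\Public)\\", re.IGNORECASE)

# Constructed sample of HKCU\Software\Microsoft\Windows\CurrentVersion\Run values;
# the paths are invented, only the file name nvidia.py comes from the report.
SAMPLE_RUN_VALUES = {
    "OneDrive": r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    "nvidia": r'"C:\Users\alice\AppData\Local\Programs\Python\Python311\pythonw.exe" '
              r'"C:\Users\alice\AppData\Local\Temp\nvidia\nvidia.py"',
    "SecurityHealth": r"C:\Windows\System32\SecurityHealthSystray.exe",
}


def split_command(command: str) -> list:
    """Split a registry command line on whitespace, honouring double-quoted paths."""
    return [tok.strip('"') for tok in re.findall(r'"[^"]*"|\S+', command)]


def classify_run_value(name: str, command: str) -> Optional[tuple]:
    """Return (severity, reason) for a suspicious value, or None if it looks benign."""
    args = split_command(command)
    if not args or not PYTHON_EXE.match(ntpath.basename(args[0])):
        return None  # empty, or not an interpreter launch
    exe = ntpath.basename(args[0])
    scripts = [a for a in args[1:] if a.lower().endswith(".py")]
    if not scripts:
        return None
    for script in scripts:
        if USER_WRITABLE.search(script):  # script lives where malware can drop it
            return ("high", f"{name}: {exe} runs {script} from a user-writable path at logon")
    return ("low", f"{name}: {exe} runs {', '.join(scripts)} at logon")


def audit_run_values(values: dict) -> list:
    """Classify every Run value and collect the non-benign findings."""
    return [f for f in (classify_run_value(n, c) for n, c in values.items()) if f]


if __name__ == "__main__":
    for severity, reason in audit_run_values(SAMPLE_RUN_VALUES):
        print(severity.upper(), reason)
```

The same check applies unchanged to the HKLM Run key and to values dumped from an offline hive, since it only inspects the command line.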
According to Cisco Talos, “Instructions for downloading the alleged fix are different based on the browser fingerprinting, and also given in appropriate shell language for the OS: PowerShell or Command Shell for Windows, and Bash for MacOS.”
Talos observed that, in addition to stealing funds directly from exchanges, Famous Chollima has lately focused on crypto professionals, collecting information and possibly seeking to infiltrate crypto firms from the inside. Earlier this year, North Korean hackers established fake U.S. companies, BlockNovas LLC and SoftGlide LLC, to distribute malware through fraudulent job interviews before the FBI seized the BlockNovas domain.
In December 2024, the $50 million Radiant Capital hack began when North Korean (DPRK) actors posed as former contractors and sent malware-laden PDFs to engineers. The impersonator(s) shared a zip file under the guise of asking for feedback on a new project they were working on.
A joint statement from Japan, South Korea, and the U.S. also confirmed that North Korean-backed groups, including Lazarus, stole at least $659 million through multiple crypto heists in 2024. The envoys noted that North Korea’s overseas workers, including IT specialists engaged in “malicious cyber activities,” were a major factor in the regime’s ability to finance its weapons programs through the theft and laundering of funds, including crypto.
Chainalysis VP of investigations Erin Plante confirmed that North Korea-linked hackers were by far the most prolific crypto hackers over the last few years. In 2022, they shattered their own records for theft, stealing an estimated $1.7 billion worth of crypto across several hacks, up from $428.8 million in 2021.
However, in May, crypto exchange Kraken revealed that it had successfully identified and thwarted a North Korean operative who had applied for an IT position. Kraken caught the applicant when they failed basic identity verification tests during interviews.