If you are applying for jobs in the crypto or blockchain industry, be careful. North Korean hackers are pretending to be employers and tricking applicants into installing malware on their devices.
According to a new report from Cisco Talos, a North Korean group known as Famous Chollima has been running this campaign since mid-2024. The group is mainly targeting people in India who have experience in cryptocurrency, blockchain, or related technologies.
The hackers are setting up fake companies and job portals. They invite real candidates, software developers, designers, marketers, and others, to visit skill-testing websites that look like they belong to companies such as Coinbase, Robinhood, Uniswap, and Archblock.
After answering a few questions, applicants are asked to record a video interview. To do this, the site asks them to copy and paste code into their system, which secretly installs malware. The malware, called PylangGhost, can steal saved browser passwords, session cookies, and data from browser extensions. It works on both Windows and macOS. Malware also gives hackers long-term access to the infected device, even after the person gets hired at a real company.
The hackers use a technique called ClickFix, where they show fake error messages and trick users into running harmful commands.
It is important to note that this is not the first time cybercriminals have targeted job seekers. Back in March, I covered a similar attack by Russian hackers who used fake interviews to steal crypto wallet credentials. Now, the same kind of social engineering is being used by North Korean hackers — this time targeting Indian applicants.
If you are job hunting in the crypto space, be cautious of unknown companies or job offers that sound too good. Never copy and paste unknown code into your terminal.
This is just another reminder that even job applications can be dangerous in the crypto space. Stay alert and protect your data.
