Seoul, September 4, 2025 — A growing cyber threat is targeting professionals in the cryptocurrency sector: North Korean hackers are posing as legitimate recruiters to trick victims into downloading malware and to steal digital assets.

Security firms SentinelOne and Validin, working with international media, have uncovered an operation dubbed “Contagious Interview.” Attackers contact potential victims via platforms like LinkedIn or Telegram, claiming to represent reputable crypto companies. Candidates are invited to participate in video assessments, which secretly deliver malware to compromise their systems.
One victim, Carlos Yanez from blockchain analytics firm Global Ledger, said: “It happens to me all the time…and I’m sure it happens to everybody in this space.”
The operation is large in scale. Chainalysis estimates that North Korean hackers stole at least $1.34 billion in cryptocurrency last year, one of the largest funding sources for the regime’s sanctioned weapons programs.

The attackers’ tactics are sophisticated. In addition to posing as recruiters, they create fake companies—such as BlockNovas LLC, Angeloper Agency, and SoftGlide LLC—to appear legitimate. AI-generated avatars and imagery reinforce credibility. Malware payloads like BeaverTail, InvisibleFerret, and OtterCookie are used to harvest sensitive data and cryptocurrency credentials.
Another faction, UNC4899 (also known as TraderTraitor), exploits fake IT job offers to infiltrate cloud systems. This allows them to access sensitive environments, extract credentials, and target crypto infrastructure on platforms including Google Cloud and AWS.