North Korean Hackers Exploit Job Interviews to Target Crypto Developers
Fake Companies, Real Threat: Lazarus Group’s Malware Scam Uncovered
April 25, 2025 – In a chilling reminder of the growing cyber threat facing the cryptocurrency industry, a North Korea-linked hacker group has been caught running three fake crypto consulting companies to deliver malware under the guise of job interviews.
According to a Silent Push report published April 24, the hacker subgroup Contagious Interview, tied to the infamous Lazarus Group, created shell firms to lure unsuspecting crypto developers into downloading malware during fraudulent recruitment processes.
“These websites and a huge network of accounts on hiring platforms are being used to trick people into applying for jobs,” explained Zach Edwards, senior threat analyst at Silent Push.
Two of the companies — BlockNovas and Angeloper Agency — are legally registered in the U.S., adding an unsettling layer of legitimacy to the scheme.
How the Malware Scam Works
Victims are approached via recruiting platforms like GitHub Jobs and freelance sites, lured in with offers for crypto-related roles. During the fake job interview, victims are instructed to record an introductory video.
When they attempt to do so, an error message appears, claiming there’s a problem. The fix? A simple click-copy-paste trick — which, when executed, installs malware on the developer’s machine.
Silent Push identified three malware strains at play:
- BeaverTail: Steals information and serves as a gateway to further malware.
- OtterCookie: Targets crypto wallets and clipboard data.
- InvisibleFerret: Focuses on extracting sensitive crypto-related information.
“Developers are being compromised mid-interview,” said Edwards. “It’s a digital ambush disguised as a career opportunity.”
AI Deepfakes and Stolen Identities Used in the Scam
To boost credibility, the hackers created fake employee profiles for their shell companies using AI-generated images and altered photos of real people.
“They’re not just stealing identities — they’re modifying real ones using AI tools,” Edwards revealed. “It’s a new level of impersonation that blends reality and deception.”
Crypto Community Already Hit — FBI Steps In
This malware campaign has been active since early 2024, and real victims have already surfaced. One MetaMask user reported a wallet breach, while others narrowly escaped compromise thanks to growing awareness within the developer community.
The FBI has since seized the domain of BlockNovas, but the campaign is far from over. SoftGlide, one of the three fake firms, remains operational as of this report.
“The FBI took down BlockNovas, but their other infrastructure is still live,” said Edwards. “Crypto teams must stay alert.”
Not Their First Strike: Lazarus Group’s History of Crypto Crimes
The Lazarus Group has long been suspected in some of Web3’s most notorious cyber heists, including:
- The $600 million Ronin Bridge hack
- The $1.4 billion Bybit incident
This latest operation reflects a shift in tactics: from brute-force attacks to psychological manipulation and social engineering.