North Korean Hackers Use Fake Crypto Companies and Job Interviews to Spread Malware

In a chilling new twist on cybercrime tactics, North Korean-linked hackers are posing as legitimate cryptocurrency consulting firms to spread malware during fake job interviews. The sophisticated campaign, uncovered by cybersecurity experts, shows how far threat actors are willing to go to infiltrate systems and steal sensitive information.
Fake Companies, Real Threats
According to a deep-dive analysis by Silent Push, the threat actors behind the so-called "Contagious Interview" campaign have set up three front companies:
- BlockNovas LLC (blocknovas[.]com)
- Angeloper Agency (angeloper[.]com)
- SoftGlide LLC (softglide[.]co)
These fake businesses lure unsuspecting victims—mostly IT and cryptocurrency professionals—into fake hiring processes. Under the guise of coding assignments or technical interviews, applicants are tricked into downloading malware disguised as legitimate work materials.
The malware families deployed in this operation include BeaverTail, InvisibleFerret, and OtterCookie — each one carefully crafted to compromise a wide range of systems, including Windows, Linux, and macOS.
A Web of Deception
The Contagious Interview operation, which cybersecurity firms also track under names like DeceptiveDevelopment and Famous Chollima, represents a dramatic escalation in North Korean cyber-espionage tactics.
The hackers don't stop at fake websites. They've created fraudulent profiles across social media platforms like Facebook, LinkedIn, Pinterest, X (formerly Twitter), Medium, GitHub, and GitLab to add legitimacy to their operations. Silent Push noted that BlockNovas even fabricated an entire team of employees for its website, falsely claiming over 12 years of experience — despite the company being newly registered.
This deception culminates in malware deployment. Victims targeted through the hiring process inadvertently download BeaverTail, a JavaScript stealer and loader, which then installs InvisibleFerret, a backdoor capable of maintaining persistence and exfiltrating sensitive data. Some infections also drop a secondary malware tool called OtterCookie.
Infrastructure and Targets
BlockNovas didn't just stop at websites and fake profiles. Silent Push investigators found a "Status Dashboard" on one of BlockNovas’ subdomains, used to monitor multiple domains involved in the attacks. Additionally, mail.blocknovas[.]com was found hosting Hashtopolis, an open-source password cracking management tool.
The fake recruitment drives have already claimed victims. In one confirmed case from September 2024, a developer had their MetaMask cryptocurrency wallet compromised.
Another alarming discovery involved a site called Kryptoneer (hosted on attisscmo[.]com), offering services to connect cryptocurrency wallets — a move possibly aimed at targeting blockchain users, particularly those connected to the Sui blockchain.
Crackdown and International Implications
As of April 23, 2025, U.S. law enforcement, including the FBI, has seized the BlockNovas domain, citing its role in disseminating malware under the cover of fake job opportunities.
Beyond the technical exploits, researchers have noted the threat actors' use of AI-powered tools like Remaker to generate realistic fake profile pictures, enhancing the credibility of their fake companies. There's also evidence suggesting ties to Russian infrastructure: investigators traced the operation back to Russian IP ranges masked by VPNs, proxies, and VPS hosts near the North Korea-Russia border.
Given these ties, experts suggest there may be a level of cooperation or at least infrastructure-sharing between North Korean and Russian cybercriminals, although confirmation remains at low to medium confidence.
The Bigger Picture: Wagemole and GenAI Tools
The Contagious Interview campaign is just one facet of a broader North Korean strategy. Another tactic, known as Wagemole, involves North Korean operatives using AI-generated personas to secure legitimate employment with foreign companies. Salaries from these jobs are then funneled back to the regime.
Cybersecurity firm Okta warned that North Korean facilitators are increasingly using Generative AI (GenAI) tools to manage schedules, transcribe conversations, and translate interviews in real time — making their infiltration efforts harder to detect and disrupt.
Heightened Vigilance is Crucial
This campaign highlights the growing sophistication of state-sponsored cyberattacks and the innovative use of social engineering. Tech workers, especially those in the cryptocurrency and financial sectors, must remain hyper-vigilant when approached with job opportunities, particularly if the hiring process seems rushed, unusual, or involves downloading unfamiliar files.
Organizations must strengthen their applicant screening processes and cybersecurity defenses. In an era where a seemingly innocent job offer could open the door to devastating malware infections, caution is no longer optional — it's essential.