North Korean Hackers Use Fake Crypto Firms to Spread Malware via Job Interviews
A North Korea-linked hacker group has been deploying malware through fraudulent crypto consulting firms posing as legitimate U.S. businesses—tricking unsuspecting developers during fake job interviews.
The scheme, uncovered by cybersecurity firm Silent Push in an April 24 report, is tied to a subgroup of the notorious Lazarus Group.
The hackers are operating three shell companies—BlockNovas, Angeloper Agency, and SoftGlide—two of which are officially registered in the United States, lending the operation an air of legitimacy.
According to Silent Push senior threat analyst Zach Edwards, the FBI has already seized the domain of BlockNovas, but SoftGlide and other parts of the group’s infrastructure remain active.
Malware Hidden in the Crypto Hiring Process
The attackers post fake job listings on platforms like GitHub Jobs and freelancer marketplaces, posing as recruiters or clients offering lucrative opportunities. As part of the interview process, candidates are prompted to record an introduction video. An error message then appears, accompanied by a “fix” that requires copying and pasting a code snippet—this action triggers the malware installation.
Three malware strains have been identified in the campaign:
- BeaverTail, which acts as a data thief and malware dropper
- InvisibleFerret, which targets clipboard data and crypto keys
- OtterCookie, which focuses on compromising cryptocurrency wallets like MetaMask
Silent Push confirmed that at least two developers were victims of the campaign, one of whom had their MetaMask wallet compromised.
During the sham job interview, an error message is displayed, requiring the user to click, copy, and paste to fix it. (Source: Zach Edwards)
AI-Fueled Identity Theft Enhances the Ruse
To further the illusion, the attackers created fake employee profiles for their shell companies using AI-generated faces and manipulated images of real individuals. In some cases, authentic photos were subtly altered using AI tools to evade detection.
The operation is part of a broader cyber offensive by the Lazarus Group, a North Korea-affiliated threat actor responsible for several high-profile Web3 heists, including the $1.4 billion Bybit exploit and the $600 million Ronin bridge hack.
Silent Push also cited at least three recent attempts in March 2025 where crypto founders were targeted using similar fake Zoom interviews.
Staying Protected
Cybersecurity experts advise developers to take extra precautions:
- Verify the legitimacy of companies and employees
- Never copy or paste code from unfamiliar sources during interviews
- Use sandboxed devices for sensitive work
- Keep software and wallet security settings up to date
While parts of the malware operation remain live, the FBI’s takedown of BlockNovas signals that further enforcement actions may follow. As attackers increasingly use AI to enhance deception, vigilance remains critical.

