North Korean Hackers Deploy New Malware in Crypto Job Scams

North Korean hackers are reportedly luring crypto professionals into elaborate fake job interviews designed to steal their data and deploy sophisticated malware on their devices. This ongoing campaign represents an evolving tactic by state-sponsored groups to compromise individuals within the digital asset industry.

New Malware Identified

A new Python-based remote access trojan (RAT) called “PylangGhost” has been linked to a North Korean-affiliated hacking collective known as “Famous Chollima,” also referred to as “Wagemole.” Threat intelligence research firm Cisco Talos reported this connection on Wednesday, June 18, 2025. The firm wrote, “Based on the advertised positions, it is clear that the Famous Chollima is broadly targeting individuals with previous experience in cryptocurrency and blockchain technologies,” indicating a specific focus on talent in the digital asset sector.

Recruitment Scheme

The campaign primarily targets crypto and blockchain professionals, with a reported emphasis on India. Attackers reportedly use fraudulent job sites that impersonate legitimate companies, including prominent crypto firms like Coinbase, Robinhood, and Uniswap. The scheme begins with fake recruiters directing job seekers to skill-testing websites where victims enter personal details and answer technical questions. After completing assessments, candidates are instructed to enable camera access for a video interview, then prompted to copy and execute malicious commands disguised as video driver installations. This deceptive step installs the PylangGhost malware.

Addressing the Threat

Dileep Kumar H V, director at Digital South Trust, commented on countering these scams. He told Decrypt, “India must mandate cybersecurity audits for blockchain firms and monitor fake job portals.” He called for broader governmental action, stating, “CERT-In should issue red alerts, while MEITY and NCIIPC must strengthen global coordination on cross-border cybercrime,” and advocating for “stronger legal provisions” under the IT Act and “digital awareness campaigns.”

Malware Capabilities

The newly discovered PylangGhost malware is highly capable. It can reportedly steal credentials and session cookies from over 80 browser extensions, including popular password managers and crypto wallets such as Metamask, 1Password, NordPass, and Phantom. Once installed, the trojan establishes persistent access to infected systems and executes remote commands from command-and-control servers, giving attackers sustained control over compromised devices.

Malware Variants and Targets

The PylangGhost malware is functionally equivalent to the previously documented GolangGhost RAT, sharing many capabilities. However, the Python-based variant specifically targets Windows systems, while the Golang version continues to target macOS users. Linux systems are notably excluded from these latest campaigns. The attackers reportedly maintain dozens of fake job sites and download servers, with domains designed to appear legitimate, such as “quickcamfix.online” and “autodriverfix online.”

Broader North Korean Cyber Strategy

This latest operation aligns with North Korea’s broader pattern of crypto-focused cybercrime. This strategy includes the notorious Lazarus Group, which has been responsible for some of the industry’s largest heists. In February 2025, the Lazarus Group executed what is now regarded as the largest single hack in crypto history, stealing at least $1.4 billion from Bybit and funneling those funds to crypto mixers. Samczsun, Research Partner at Paradigm, recalled witnessing this theft in real-time and collaborating with Bybit to confirm the unauthorized activity, stating, “Someone had pulled off the biggest hack in [crypto] history, and we had a front-row seat.” Beyond stealing funds directly from exchanges, the North Korean regime is now reportedly targeting individual professionals to gather intelligence and potentially infiltrate crypto companies from within.

Mounting Incidents

Mounting cases highlight the persistent threat from North Korean cyber actors. Earlier this year, these hackers reportedly established fake U.S. companies—BlockNovas LLC and SoftGlide LLC—to distribute malware through fraudulent job interviews, before the FBI seized the BlockNovas domain. A joint statement from Japan, South Korea, and the U.S. confirmed that North Korean-backed groups, including Lazarus, stole at least $659 million through multiple cryptocurrency heists in 2024. In December 2024, the $50 million Radiant Capital hack began when North Korean operatives posed as former contractors and sent malware-laden PDFs to engineers.

Vigilance and Thwarted Attempts

The crypto industry is seeing efforts to counter these sophisticated attacks. Crypto exchange Kraken revealed in May that it successfully identified and thwarted a North Korean operative who applied for an IT position, catching the applicant when they failed basic identity verification tests during interviews. These incidents underscore the varied methods employed by North Korean cyber actors and the ongoing need for vigilance across the crypto industry.

© 2025 Krypton Today. All Rights Reserved.