North Korea’s New Crypto Heist Starts with a Job Offer and Ends in Millions Stolen

A new cyberattack campaign tied to North Korea is exploiting one of the most trusted channels in modern hiring: the job interview. By posing as recruiters on LinkedIn, conducting deepfake video calls, and delivering malware through doctored coding tests, state-backed hackers are infiltrating the crypto industry with chilling precision.

According to cybersecurity firm Huntress, this latest offensive, unveiled on June 18, is linked to BlueNoroff, a subgroup of North Korea’s infamous Lazarus Group. The attackers are targeting developers working for major Web3 foundations, luring them into interviews that turn out to be elaborate scams aimed at harvesting crypto wallets and software credentials.

“The threat-actor group is using three front companies in the crypto consulting industry to spread malware via job-interview lures,” noted researchers at Silent Push in an earlier report. These firms, including BlockNovas, SoftGlide, and Angeloper, all held valid U.S. registrations and posted legitimate-looking job listings on LinkedIn.

A Polished Scam Built on Deepfakes and Malware

The attack begins with a convincing recruiter outreach, followed by a Zoom “interview” with a supposed senior executive who is actually a deepfake video. As part of the hiring process, the applicant is asked to run a “technical assessment” script. One such file, zoom_sdk_support.scpt, was found to deploy cross-platform malware dubbed BeaverTail.

The malware stack includes sophisticated variants like InvisibleFerret and OtterCookie, designed for broad compatibility across macOS, Windows, and Linux. Once installed, the software scans for MetaMask and Phantom browser extensions, accesses wallet.dat files, and searches plaintext documents for key terms like “mnemonic” or “seed.”

The goal? Total access to a developer’s crypto assets, code repositories, and even backend infrastructure.
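The behaviours described above (an AppleScript "assessment" run from a download folder, an unexpected process opening wallet.dat, and a bulk sweep of user documents) are the kind a defender can hunt for in endpoint telemetry. The detection logic below is an added example written for this article, not code from Huntress or any vendor; the JSON event records, the wallet-client allowlist and the sweep thresholds are constructed assumptions to be tuned per environment.

```python
import json
import re
from collections import defaultdict

# Constructed sample of EDR-style process/file events (JSON lines). These are
# illustrative records written for this example, not real telemetry.
SAMPLE_EVENTS = """\
{"ts": 100, "type": "exec", "proc": "osascript", "pid": 501, "path": "/Users/dev/Downloads/zoom_sdk_support.scpt"}
{"ts": 101, "type": "file_read", "proc": "node", "pid": 502, "path": "/Users/dev/Library/Application Support/Bitcoin/wallet.dat"}
{"ts": 102, "type": "file_read", "proc": "node", "pid": 502, "path": "/Users/dev/Documents/notes1.txt"}
{"ts": 102, "type": "file_read", "proc": "node", "pid": 502, "path": "/Users/dev/Documents/notes2.txt"}
{"ts": 103, "type": "file_read", "proc": "node", "pid": 502, "path": "/Users/dev/Documents/notes3.txt"}
{"ts": 103, "type": "file_read", "proc": "node", "pid": 502, "path": "/Users/dev/Desktop/keys.md"}
{"ts": 104, "type": "file_read", "proc": "node", "pid": 502, "path": "/Users/dev/Documents/recovery.txt"}
{"ts": 200, "type": "file_read", "proc": "Bitcoin-Qt", "pid": 600, "path": "/Users/dev/Library/Application Support/Bitcoin/wallet.dat"}
{"ts": 201, "type": "exec", "proc": "osascript", "pid": 601, "path": "/Applications/Automator/build.scpt"}
"""

# Processes expected to open wallet.dat legitimately (assumption: tune per fleet).
WALLET_ALLOWLIST = {"Bitcoin-Qt", "bitcoind"}
# Thresholds for the document-sweep rule (assumption).
SWEEP_MIN_FILES = 5
SWEEP_WINDOW_S = 60
DOC_RE = re.compile(r"/(Documents|Desktop)/.*\.(txt|md|docx?|rtf)$", re.I)
DOWNLOAD_SCPT_RE = re.compile(r"/Downloads/.*\.scpt$", re.I)

def detect(lines):
    """Return a list of (rule, pid, detail) alerts for the JSON-lines events given."""
    alerts = []
    doc_reads = defaultdict(list)
    for line in lines.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        path, proc, pid = ev["path"], ev["proc"], ev["pid"]
        # Rule 1: AppleScript "assessment" executed from Downloads (e.g. zoom_sdk_support.scpt).
        if ev["type"] == "exec" and proc == "osascript" and DOWNLOAD_SCPT_RE.search(path):
            alerts.append(("scpt_from_downloads", pid, path))
        # Rule 2: wallet.dat opened by a process that is not a known wallet client.
        elif ev["type"] == "file_read" and path.endswith("wallet.dat") and proc not in WALLET_ALLOWLIST:
            alerts.append(("wallet_dat_access", pid, f"{proc} -> {path}"))
        # Rule 3 bookkeeping: many user documents read by one process in a short window.
        if ev["type"] == "file_read" and DOC_RE.search(path):
            doc_reads[pid].append(ev["ts"])
    for pid, stamps in doc_reads.items():
        stamps.sort()
        if len(stamps) >= SWEEP_MIN_FILES and stamps[-1] - stamps[0] <= SWEEP_WINDOW_S:
            alerts.append(("document_sweep", pid, f"{len(stamps)} docs in {stamps[-1] - stamps[0]}s"))
    return alerts
```

Running `detect(SAMPLE_EVENTS)` yields one alert per rule for the constructed sample, while the legitimate wallet client and the system AppleScript produce none.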

“These aren’t simple smash-and-grab scams but part of a well-funded, state-directed campaign,” experts warned. The FBI, which seized the BlockNovas domain in April, estimates that North Korean hacking units have stolen over $1.5 billion in cryptocurrency since 2017, including the infamous $620 million Ronin/Axie Infinity exploit.

Infiltrating the Crypto Developer Pipeline

Crypto’s open-source ecosystem is uniquely vulnerable. A single contributor can hold commit privileges over critical smart contracts or bridge protocols, and those engineers are often pseudonymous and globally distributed.

Electric Capital’s latest Developer Report counted 39,148 new active crypto developers but noted a 7% year-on-year decline in the total number of contributors. As the supply of experienced developers tightens, the value of compromising even one increases dramatically.

This has turned the recruitment funnel itself into a cybersecurity battleground. In some instances, attackers use Calendly invites or Google Meet links that silently redirect to fake Zoom portals. From there, it’s a short hop to malware installation and catastrophic data loss.

Adding to the deception, North Korean operatives have leveraged AI-generated identities, complete with convincing video and voice avatars. Fake executives in Zoom calls now move, speak, and respond in real time, thanks to generative AI tools.

State-Backed Theft with Geopolitical Implications

What happens to the stolen funds? According to the U.S. Treasury, most are laundered through mixers like Tornado Cash and Sinbad before funnelling back to North Korea’s weapons programmes. In one case, a developer unknowingly ran malicious code that ultimately led to the theft of funds used to bankroll military activities.

“For years, North Korea has exploited global remote IT contracting and crypto ecosystems to evade U.S. sanctions and bankroll its weapons programmes,” said Sue J. Bai of the Department of Justice’s National Security Division. On June 16, her office announced the seizure of $7.74 million in cryptocurrency linked to these operations.

The Numbers Behind the Heist

The scale of North Korea’s crypto attacks is staggering. A CryptoSlate analysis found that in 2024 alone, DPRK-linked actors syphoned off $1.34 billion across 47 hacks, accounting for 61% of all stolen crypto that year.

One of the largest breaches was the $305 million attack on DMM Bitcoin, traced back to a fake recruiter who sent a malicious coding test to a wallet engineer. In February, the FBI tied a record-breaking $1.5 billion Bybit exploit to Lazarus, noting that 100,000 ETH had already been laundered through THORChain just days later.

Microsoft researchers now refer to the campaign as a “triple-threat” operation, targeting companies through fake VCs, remote developers, and poisoned hiring practices all at once.

Trustless Tech, Human Targets

In a world where remote jobs, trustless protocols, and decentralised finance intersect, North Korea’s approach is uniquely effective. Each fake offer preys on developers seeking stable roles in a turbulent market. Each breach weakens trust in the infrastructure supporting billions in assets.

The next major crypto exploit may not start with a security flaw but with a handshake.

Krypton Today Staff

© 2025 Krypton Today. All Rights Reserved.