How North Korea is Using Fake Crypto Job Ads to Hack Indians

Cisco Talos reported that a North Korean hacker group named “Famous Chollima” has been focusing attacks on crypto job applicants in India. This group apparently has no direct connection to Lazarus.

At the moment, it’s difficult to determine if these efforts were petty thefts or preliminary groundwork for larger attacks. Job seekers in the crypto industry should exercise caution moving forward.

North Korea’s Crypto Hacks Continue

North Korea’s Lazarus Group has a formidable reputation for crypto crime, perpetrating the greatest hack in the industry’s history. However, it’s not the country’s only Web3 criminal enterprise, as North Korea has a huge presence in DeFi.

Cisco Talos identified some recent criminal activities in India that are taking a different approach to crypto theft:

Reports suggest that Famous Chollima isn’t new; it’s been functioning since mid-2024 or earlier. In several recent incidents, North Korean hackers have attempted to infiltrate US-based crypto firms like Kraken by applying for open job listings.

Famous Chollima did the reverse, luring potential workers with phony applications.

“These campaigns include… creating fake job advertisements and skill-testing pages. In the latter, users are instructed to copy and paste a malicious command line in order to install drivers necessary to conduct the final skill-testing stage. [Affected users are] predominantly in India,” the firm claimed.

Next to Lazarus’ formidable reputation, Famous Chollima’s phishing efforts seem much clumsier. Cisco claimed that the group’s fake applications would always mimic famous crypto firms.

These lures did not use any of the real companies’ actual branding, and they asked questions that were hardly relevant to the supposed jobs in question.

[Image] Fake Robinhood Application Used in Hacks. Source: Cisco Talos

Swallowing the Bait

Victims are lured through fake recruitment sites posing as well-known tech or crypto firms. After filling out applications, they are invited to a video interview.

During this process, the site asks them to run command-line instructions—claimed to be for installing video drivers—which actually download and install malware.

Once installed, the malware, PylangGhost, gives attackers full control of the victim’s system. It steals login credentials, browser data, and crypto wallet information, targeting over 80 popular extensions like MetaMask, Phantom, and 1Password.

Recently, after foiling a malware attack, BitMEX claimed that Lazarus uses at least two teams: a low-skill team to initially breach security protocols and a high-skill team to conduct subsequent thefts. Perhaps this is a common practice in North Korea’s hacking community.

Unfortunately, it’s difficult to make any firm conclusions without speculating. Does North Korea want to hack these applicants to better pose as crypto industry job seekers?

Users should be cautious of unsolicited job offers, avoid running unknown commands, and secure their systems with endpoint protection, MFA, and browser extension monitoring.

Always verify the legitimacy of recruitment portals before sharing any sensitive information.
