New recruitment scam: North Korean hackers impersonate Coinbase HR to target the crypto community

A sophisticated attack campaign by North Korean hackers is targeting crypto experts worldwide by impersonating recruiters from major companies such as Coinbase and Uniswap in order to spread “PylangGhost”, a Trojan written in Python.

According to a report by Cisco Talos, PylangGhost is used by the group “Famous Chollima” (linked to the Pyongyang regime) to steal login information from over 80 browser extensions, including MetaMask, 1Password, Phantom and NordPass. The malware also maintains a continuous connection that lets the attackers control the victim's machine remotely.

The hackers' usual trick is to lead victims, mainly programmers and blockchain engineers, through a fake recruitment process that involves taking tests, camera access, and running a fake “video installer” that contains the malware. The impersonating websites have fairly trustworthy-looking names, which has fooled victims.

This activity continues a series of campaigns such as “Contagious Interview” and “DeceptiveDevelopment”, which have deceived many programmers since 2023. Recently, the hackers even set up fake companies in the US (BlockNovas, SoftGlide), which were taken down by the FBI.

Cybersecurity experts are calling for stronger security checks at blockchain companies, national-level warnings, and greater awareness to prevent this new wave of attacks.