Fake Job Interviews: North Korean hackers impersonate HR from Coinbase, Uniswap, using LinkedIn to lure crypto professionals into malware traps.
PylangGhost Malware Deployment: Victims install trojans disguised as camera drivers, exposing MetaMask and 80+ password managers to credential theft and surveillance.
Supply Chain Contamination: Hackers infiltrate dormant GitHub repositories and NPM packages, targeting developers while maintaining long-term enterprise penetration strategies.
North Korean hackers use fake job interviews from Coinbase, Uniswap to deploy PylangGhost malware. Targets crypto workers’ wallets through sophisticated social engineering and supply chain attacks.
A fake Coinbase interview invitation could zero out your life savings. This isn’t science fiction. It’s the real threat facing crypto job seekers in 2025.
ATTACK EVENT CORE: “PYLANGGHOST” TROJAN DISGUISED AS RECRUITMENT
Complete Attack Method Analysis
Precision Phishing: Hackers impersonate HR representatives from leading companies like Coinbase and Uniswap. They contact targets through LinkedIn and other professional platforms. They offer high-paying positions and direct victims to realistic skill testing websites.
Malicious Guidance: Attackers require victims to record “interview videos”. They claim victims need to “install camera drivers”. They trick users into copying and pasting malicious terminal commands. This process triggers trojan downloads.
Data Theft: The PylangGhost trojan, written in Python, infiltrates systems automatically. It steals credentials from MetaMask, 1Password, and over 80 password managers and wallet plugins. The malware also extracts cookies and browser extension data.
Technical Concealment Methods
The trojan creates persistent startup entries through registry modifications. It communicates with its C2 servers over RC4-encrypted traffic; the RC4 key is stored in plaintext but heavily obfuscated. This approach evades standard detection methods.
Modular design supports remote command execution and screen monitoring. It enables subsequent penetration activities. This creates a complete attack chain.
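The persistence technique described above (autostart entries written to the registry by a Python-based trojan) is something a defender can audit directly. The following script is an added example, not code from the article or from any PylangGhost sample: it classifies Windows Run-key entries with simple heuristics (autostart commands that launch a script interpreter, reference user-writable directories, or use hidden-window or encoded-command flags) and, on Windows, enumerates the real Run keys with the standard `winreg` module. The heuristics, the sample entries and the `classify_run_entry` / `audit_run_keys` names are all constructed for illustration.

```python
"""
Added example (not from the article or from any malware sample): audit Windows
Run-key autostart entries of the kind a Python-based trojan uses for persistence.
"""
import re
import sys

# Interpreters that legitimate autostart entries rarely invoke directly.
SCRIPT_INTERPRETERS = {
    "python.exe", "pythonw.exe", "powershell.exe", "pwsh.exe",
    "wscript.exe", "cscript.exe", "mshta.exe", "cmd.exe",
}

# Directories a normal user can write to; a payload dropped during a fake
# "camera driver" install usually lives here rather than under Program Files.
USER_WRITABLE = re.compile(
    r"\\(appdata|temp|tmp|downloads|public|programdata)\\", re.IGNORECASE)

# Flags commonly used to run a script without a visible window or in encoded form.
HIDDEN_FLAGS = re.compile(
    r"(-w(indowstyle)?\s+hidden|-nop\b|-enc(odedcommand)?\b|/c\s)", re.IGNORECASE)

RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"


def _executable(command: str) -> str:
    """Return the program path at the start of an autostart command line."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0] if command else ""


def classify_run_entry(name: str, command: str) -> list:
    """Return the reasons an autostart entry looks suspicious (empty list = clean)."""
    reasons = []
    basename = _executable(command).replace("/", "\\").rsplit("\\", 1)[-1].lower()
    if basename in SCRIPT_INTERPRETERS:
        reasons.append(f"launches script interpreter {basename}")
    if USER_WRITABLE.search(command):
        reasons.append("references a user-writable directory")
    if HIDDEN_FLAGS.search(command):
        reasons.append("uses hidden-window or encoded-command flags")
    return reasons


def audit_run_keys() -> list:
    """On Windows, classify every HKCU/HKLM Run entry; on other platforms return []."""
    if sys.platform != "win32":
        return []
    import winreg  # Windows-only standard-library module
    findings = []
    for hive in (winreg.HKEY_CURRENT_USER, winreg.HKEY_LOCAL_MACHINE):
        try:
            key = winreg.OpenKey(hive, RUN_KEY)
        except OSError:
            continue
        index = 0
        while True:
            try:
                name, value, _ = winreg.EnumValue(key, index)
            except OSError:
                break  # no more values under this key
            index += 1
            reasons = classify_run_entry(name, str(value))
            if reasons:
                findings.append((name, str(value), reasons))
    return findings


# Constructed sample entries: one benign application and two that match the
# pattern of a script-based trojan dropped into the user's profile.
SAMPLE_ENTRIES = {
    "OneDrive": r'"C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background',
    "CameraDriverUpdate": r"C:\Users\dev\AppData\Roaming\Python\pythonw.exe "
                          r"C:\Users\dev\AppData\Roaming\drivers\update.py",
    "Helper": r'powershell.exe -w hidden -nop -c "iex (gc $env:TEMP\h.ps1)"',
}


if __name__ == "__main__":
    for entry_name, entry_cmd in SAMPLE_ENTRIES.items():
        print(entry_name, classify_run_entry(entry_name, entry_cmd) or "clean")
    for entry_name, entry_cmd, why in audit_run_keys():
        print("LIVE:", entry_name, entry_cmd, why)
```

The heuristics deliberately err on the side of flagging: a developer's own tooling may legitimately autostart `pythonw.exe`, so findings are a triage list, not a verdict. Run it on a machine that has been used for a "recruiter technical test" and compare the Run keys against a known-good baseline.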
NORTH KOREAN HACKERS’ “PROFESSIONAL” INFILTRATION: FROM SHELL COMPANIES TO INTERNAL PENETRATION
Industrialized Organizational Structure
Multinational Shell Companies: Hackers register shell companies like Blocknovas LLC and Softglide LLC in New Mexico and New York. They fabricate office addresses. For example, South Carolina registration addresses turn out to be wasteland. They publish fake job postings through these entities.
Identity Theft Systems: Attackers use forged driver’s licenses whose listed addresses are off by as much as 300 miles. They steal prestigious university credentials, such as NYU computer science degrees. They even conduct “interview training” sessions to lower victim suspicion.
Documented Infiltration Cases
Failed Exchange Intrusion: In June 2025, a hacker posed as “Steven Smith” when applying for a Kraken IT position. The attacker claimed ten years of Cisco work experience. Officials detected the fraud due to driver’s license address contradictions.
Long-term Lurking Extortion: Secureworks reports show that North Korean IT workers infiltrate European and American companies through remote positions. Within four months, they steal data and demand ransom payments. The funds ultimately flow to North Korean weapons programs.
Scale and Profits
The United Nations estimates North Korea earns $250-600 million annually through fraudulent employment schemes. These profits support nuclear programs and hacking activities.
ATTACK SCOPE EXPANSION: FROM JOB SEEKERS TO OPEN SOURCE ECOSYSTEMS
New Supply Chain Contamination Strategies
Hijacking Dormant Repositories: North Korean developer “AhegaoXXX” controlled former Waves protocol engineer accounts. They pushed malicious updates to dormant Keeper-Wallet repositories. The code is designed to steal mnemonic phrases and private keys.
NPM Package Poisoning: Attackers published six long-outdated malicious NPM packages. These specifically target users who are updating wallets. This exposes permission management vulnerabilities in open source communities.
Cross-platform Attack Coordination
Beyond crypto fields, hackers simultaneously target Minecraft players. They distribute cheat modules containing stealers. These modules activate only when detecting gaming environments. This demonstrates strong targeting precision.
DEFENSE GUIDE: HOW ENTERPRISES BUILD “ANTI-INFILTRATION FIREWALLS”
Personal Protection Points
Triple Identity Verification:
Require video interviews with real-time credential verification, such as comparing driver’s license addresses with IP geolocation
Verify company registration information, office reality, and employee reviews. Shell companies often lack real office locations.
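The first verification item, comparing the address on a candidate's ID with the geolocation of the IP they interview from, can be scripted once both locations are expressed as coordinates. The block below is an added example, not part of the article: it computes the great-circle (haversine) distance between the two points and flags candidates whose discrepancy exceeds a threshold. It assumes the coordinates come from a geocoder and an IP-geolocation service (not included here), the 100-mile default threshold is an assumed policy value, and the candidate records are constructed.

```python
"""
Added example (not from the article): flag mismatches between the address on a
candidate's ID and the IP geolocation observed during a video interview.
"""
import math

EARTH_RADIUS_MILES = 3958.8


def haversine_miles(lat1, lon1, lat2, lon2):
    """Great-circle distance in miles between two (lat, lon) points in degrees."""
    phi1, phi2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlmb = math.radians(lon2 - lon1)
    a = (math.sin(dphi / 2) ** 2
         + math.cos(phi1) * math.cos(phi2) * math.sin(dlmb / 2) ** 2)
    return 2 * EARTH_RADIUS_MILES * math.asin(math.sqrt(a))


def review_candidate(id_coords, ip_coords, threshold_miles=100.0):
    """
    Compare the ID address location with the interview IP location.

    Returns a dict with the distance and one of three verdicts:
      "consistent"    -> within threshold
      "discrepancy"   -> further apart than threshold, escalate to manual checks
      "manual_review" -> IP location unknown (e.g. the geolocation lookup failed)
    The threshold is an assumed policy value, not a figure from the article.
    """
    if ip_coords is None:
        return {"distance_miles": None, "verdict": "manual_review"}
    distance = haversine_miles(*id_coords, *ip_coords)
    verdict = "discrepancy" if distance > threshold_miles else "consistent"
    return {"distance_miles": round(distance, 1), "verdict": verdict}


# Constructed sample: ID addresses geocoded to city centres and interview IPs
# geolocated to a city. None models a lookup that returned no location.
SAMPLE_CANDIDATES = [
    {"name": "candidate_a", "id": (40.7128, -74.0060), "ip": (39.9526, -75.1652)},  # NYC vs Philadelphia
    {"name": "candidate_b", "id": (40.7128, -74.0060), "ip": (34.0007, -81.0348)},  # NYC vs Columbia, SC
    {"name": "candidate_c", "id": (40.7128, -74.0060), "ip": None},
]


def review_all(candidates, threshold_miles=100.0):
    """Return {name: verdict} for a batch of candidate records."""
    return {c["name"]: review_candidate(c["id"], c["ip"], threshold_miles)["verdict"]
            for c in candidates}


if __name__ == "__main__":
    for c in SAMPLE_CANDIDATES:
        print(c["name"], review_candidate(c["id"], c["ip"]))
```

A discrepancy is a prompt for the other checks the article lists (company records, references, a live camera), not proof of fraud on its own: travel, VPN use and coarse IP geolocation all produce honest mismatches, which is why an unknown location yields "manual_review" rather than a pass.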
Isolated Testing Environment: Execute “technical tests” requested by recruiters in virtual machines or backup devices. This approach avoids exposing main environments.
Enterprise Risk Control Upgrades
Onboarding Audits: Remote position candidates must pass “abnormal behavior detection”. Warning signs include frequently changing payroll bank accounts or refusing to enable cameras. Establish internal reporting mechanisms to investigate the people who referred them. North Korean hackers often provide false endorsements for each other.
Dynamic Permission Management: Limit new employee access to core code and financial systems. Implement phased authorization processes.
Technical Reinforcement Recommendations
Wallet Usage Suggestions:
Store large assets in hardware wallets connected only to clean devices
Disable “auto-fill” functions in browser plugin wallets and regularly clear cookies
Set independent authorization limits for each transaction
Enterprise Code Repository Protection:
Remove dormant contributor accounts and restrict the permission to transfer or redirect repositories
Require security scanning for dependency updates using tools like Snyk or Fortify
INDUSTRY REFLECTION: WHEN ATTACKS BECOME “NATIONAL STRATEGY,” COLLABORATIVE DEFENSE IS THE ONLY WAY
“Hackers no longer work alone. They build supply chains with state-level resources. Defense requires the same scale.” – Kraken Chief Security Officer Nick Percoco
Collaborative Defense Trends
Exchange Alliance Defense: Kraken actively conducts “reverse infiltration” against attackers. They share hacker identity characteristics and attack fingerprints. This builds industry-wide blacklists.
Law Enforcement Technical Upgrades: The U.S. Department of Justice has partnered with TRM Labs and Tether. They use LIFO on-chain tracking technology. In June 2025, they seized $225 million in “pig butchering” proceeds, a record seizure.
Future Challenges
Deepfake technology may render video interview verification ineffective. Hackers have already tested SplitCam virtual cameras. Sanction loopholes make shell company registration difficult to eliminate. This situation requires promoting real-name verification legislation for business registration.
Conclusion: In the Crypto World, Your Vigilance Is the Strongest Private Key
When facing sophisticated traps from state-level hackers, personal caution and enterprise risk control are both indispensable. Behind every “high-paying opportunity” may lie an abyss of wallet depletion. Every code commit might become a fuse for supply chain contamination. Only by treating security as faith can we guard the light of digital assets in this dark forest.
Extended Actions
Immediately review wallet authorizations: revoke.cash
Report suspicious recruitment information: FBI Cybercrime Complaint Center (IC3.gov)
Developer code repository scanning tools: Snyk, GitGuardian
The article “Deep Investigation: North Korean Hackers Upgrade ‘Job Trap’ Attacks, New Trojan Targets Crypto Workers’ Private Keys” was first published on CoinRank.