Friday, June 20, 2025

North Korean Hackers Use Fake Crypto Job Offers to Spread PylangGhost Malware

North Korean state-sponsored hackers are tricking cryptocurrency and blockchain experts into fake job interviews to hijack their devices with a newly discovered malware called PylangGhost, according to a fresh report by cybersecurity firm Cisco Talos.

The campaign, attributed to the North Korean hacking unit Famous Chollima (also known as Wagemole), has mainly targeted crypto professionals in India. Hackers are setting up fraudulent recruitment sites that mimic well-known crypto firms like Coinbase, Robinhood, and Uniswap, luring victims with fake job offers for blockchain roles.

The ploy unfolds when fake recruiters invite candidates to take online skill tests. Applicants are then asked to enable their webcams for a supposed video interview and execute malicious commands disguised as harmless video driver installations. Once infected, the new PylangGhost trojan gives attackers remote access, allowing them to steal login credentials and browser session cookies from more than 80 browser extensions, including major crypto wallets and password managers like MetaMask and 1Password.

“This shows how North Korean groups are evolving their methods to target individual crypto professionals, not just exchanges,” Cisco Talos said. The goal is not only to steal funds directly but also to gather insider information to compromise crypto firms from within.

Indian cybersecurity experts have raised concerns about the scale of these scams. Dileep Kumar H V from Digital South Trust urged the Indian government to enforce mandatory cybersecurity checks for blockchain companies and take down fake job portals. He also called for stronger international cooperation and public awareness campaigns to shield job seekers from falling victim.

The PylangGhost trojan is a Python-based variant of the previously documented GolangGhost RAT. The new version mainly attacks Windows users, while the Golang version remains active against macOS systems. So far, Linux machines are not affected.

Fake recruitment and malware-laden interviews have become a common tactic for North Korean hackers. Last year, they posed as fake companies like BlockNovas LLC and SoftGlide LLC to spread malware until the FBI intervened. Recent joint statements from Japan, South Korea, and the U.S. revealed that North Korean hackers stole at least $659 million through various crypto hacks in 2024.

As North Korean cyber threats become more deceptive, experts urge stronger legal frameworks, real-time threat alerts from CERT-In, and better digital education to help crypto professionals spot and avoid these dangerous fake job scams.
