North Korean Hackers Using Fake Job Listings to Steal Crypto
Summary
- Fake recruiters are now a frontline attack vector. Job listings and interview requests have become one of the most common ways North Korean hackers steal crypto.
- The campaigns are highly organized. Groups like Lazarus run operations such as Contagious Interview, using fake companies, AI-generated identities, and malware families tailored for different systems.
- The financial stakes are enormous. More than $3 billion has been stolen since 2017, with annual hauls over $1 billion in both 2022 and 2024.
- The threat goes beyond stolen wallets. These operations erode trust in remote hiring, compromise company networks, and insert fake workers into legitimate firms.
- The money funds North Korea’s weapons program. Crypto theft has become a key revenue stream for Pyongyang, linking individual job scams to global security risks.
Job hunting in crypto has turned into more than a search for the next opportunity. It has become one of the main entry points for cybercrime. Recruiters reaching out on LinkedIn or Telegram may look legitimate, but behind many of them sit state-sponsored hackers working to steal funds rather than hire talent.
Groups linked to North Korea, most notably Lazarus, have been running long-term operations such as “Contagious Interview” that disguise theft as a hiring process. What starts as a routine skills test or video call can quickly lead to malware, stolen wallets, and drained accounts.
Since 2017, investigators estimate North Korea has stolen over $3 billion worth of cryptocurrency. The haul included at least $1.7 billion in 2022 and another $1.3 billion in 2024. These thefts provide a steady flow of capital for the country’s sanctioned weapons program, making fake job listings not just a cybersecurity risk but also a geopolitical issue.
How the Fake Job Scams Work
North Korean operations often begin with something as ordinary as a recruiter’s message. LinkedIn and Telegram are the main platforms, where fake profiles pose as talent managers for well-known crypto firms. The approach is polished, with tailored messages about openings in trading, development, or project management.
Once contact is made, the process becomes more elaborate. Applicants are invited to interviews that follow a scripted sequence of questions, sometimes stretched across multiple stages to build credibility. Video assessments are a common demand. Instead of using Google Meet or Zoom, candidates are pushed to download obscure tools or run code that supposedly records their answers. Those who comply unknowingly install malware.
The malware comes in different packages. Investigators have tied the scams to families with odd names like BeaverTail, InvisibleFerret, and OtterCookie. Once installed, they can scoop up browser data, empty wallets, or leave a backdoor open on Windows, macOS, and Linux. In some cases, victims end up with remote access software like AnyDesk sitting quietly in the background, giving hackers full control of the machine.
The fake companies are just the wrapping. BlockNovas, Angeloper, and SoftGlide put on the act of being crypto consultancies, complete with slick websites, “about us” pages, and long staff lists. Dig a little deeper and it falls apart. Most of the profiles are fake, and the companies themselves only appeared recently. One even claimed more than a decade of experience despite being registered barely a year earlier. The goal is simple: look established enough to trick people into lowering their guard.
🚨 Fake Jobs, Real Malware
North Korea’s Lazarus Group isn’t just applying for crypto jobs – they’re also creating fake ones. Using fake interviews and a tactic called ClickFix, they infect Windows and macOS systems with malware. Victims are asked to install video tools or… https://t.co/TsRgzXrwJZ
— VERITAS PROTOCOL (@veritas_web3) April 4, 2025
Real Cases
Several professionals have already found themselves caught in these traps. Carlos Yanez, a business development executive at the Swiss analytics firm Global Ledger, said he is contacted by fake recruiters so often that it has become routine. He managed to avoid infection, but noted that the level of sophistication has risen sharply over the past year.
Others came closer to losing money. Olof Haglund, an entrepreneur in Stockholm, was approached by a supposed Robinhood recruiter who insisted on a video assessment using downloaded code. Haglund refused and ended the process, but not all applicants reacted with the same caution. An American product manager told Reuters he went through with a test for what he believed was a role at Ripple. That evening, about $1,000 in ether and Solana disappeared from his wallet. The recruiter profile was gone the next day.
Impersonation of major crypto firms is a recurring theme. Robinhood, Ripple, Bitwise, and Kraken have all been used as covers for these fake listings. Victims described convincing back-and-forth conversations, complete with salary discussions and role descriptions, before being asked to download malicious files.
Authorities have begun striking back. BlockNovas, one of the front companies tied to these scams, had its domain seized by the FBI in April 2025. Investigators found that the firm’s website claimed a long track record in consulting and featured staff bios that were entirely fabricated. The seizure underlined how quickly these fake firms can grow into recognizable names before being exposed.
Organized Campaigns
The campaigns are not isolated scams but part of long-running North Korean operations. Investigators group these efforts under names such as Operation Dream Job and Contagious Interview, both of which rely on social engineering disguised as professional recruiting. The Lazarus Group, also tracked as UNC5342 and Void Dokkaebi, sits at the center of many of these incidents.
Researchers have traced the traffic back to Russian IP ranges, hidden behind layers of VPNs, proxies, and remote desktops. On the surface, the recruiters look real enough. AI-generated profile pictures give them polished LinkedIn identities, and the accounts either impersonate big-name crypto firms or spin up entirely new ones that pass a quick glance.
The play doesn’t stop at fake recruiters. North Korean workers also try to land actual jobs through what investigators call Wagemole. They send in polished resumes and fake IDs, get hired remotely, and then siphon data or kick a slice of their salary back to Pyongyang. Thousands of these applications go out every year, boosted by AI tools that help them translate, schedule, and even prep for interviews.
Impact and Scale
The numbers behind these campaigns are staggering. Since 2017, North Korea is believed to have stolen more than $3 billion in cryptocurrency. Some reports put the total at $1.7 billion in 2022 and another $1.34 billion in 2024 alone, making the country the most prolific state-backed crypto thief in the world.
The fake job listings contribute a growing share of these losses. In early 2025, at least 230 professionals were identified as targets of the Contagious Interview campaign, covering engineers, consultants, accountants, and executives. These cases are a fraction of the total, as most victims never report their encounters or recognize them only after damage is done.
Remote hiring has become the norm in crypto, and that opens the door for bad actors to slip through. DeFi teams, exchanges, and even traditional companies experimenting with blockchain all face the same risk: an employee or contractor who isn’t who they claim to be. When fake recruiters and fake applicants look just as convincing as the real ones, the whole idea of trust in hiring starts to break down.
On the bigger stage, the money stolen through these scams flows straight into North Korea’s sanctioned weapons program. Both U.S. and U.N. agencies have said outright that crypto theft has become one of Pyongyang’s steady revenue streams, helping bankroll nuclear development despite international pressure. What looks like a shady job interview online ends up tied to global security.
Prevention & Recommendations
Fake job offers have turned hiring into a security issue. For applicants, the first line of defense is simple: check the recruiter before you engage. Real companies use official domains, not throwaway emails or LinkedIn accounts that appeared last month. Any push to download strange software or take a test on an unfamiliar site should set off alarms. Keeping assets in hardware wallets and avoiding the use of hot wallets on the same computer you’re interviewing from gives you extra protection if something slips through.
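The recruiter checks above can be written down as a small triage routine. This is an added example, not code from the article or any named firm: the field names, flag labels and `.example` domains are constructed for illustration, and the domain registration date is assumed to come from a WHOIS/RDAP lookup you run yourself.

```python
from datetime import date

# Assumption: the mainstream meeting hosts the article names (Google Meet, Zoom).
KNOWN_MEETING_HOSTS = ("meet.google.com", "zoom.us")

def registrable(host):
    """Last two DNS labels; assumption: no multi-part suffixes such as co.uk."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def edit_distance(a, b):
    """Levenshtein distance, used to spot near-miss (lookalike) domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def triage(contact, today):
    """Return the red flags raised by one recruiter approach (hypothetical schema)."""
    flags = []
    sender = registrable(contact["sender_email"].rsplit("@", 1)[-1])
    official = registrable(contact["official_domain"])
    if sender != official:
        near = edit_distance(sender, official) <= 2
        flags.append("lookalike-domain" if near else "non-official-domain")
    age_years = (today - contact["domain_registered"]).days / 365.25
    if contact["claimed_years"] > age_years + 1:
        flags.append("claimed-history-exceeds-domain-age")
    tool = contact["interview_tool_host"].lower()
    if not any(tool == h or tool.endswith("." + h) for h in KNOWN_MEETING_HOSTS):
        flags.append("unfamiliar-interview-tool")
    if contact["asks_to_run_code"]:
        flags.append("asked-to-download-or-run-code")
    return flags

# Constructed sample: a front company claiming 12 years on a one-year-old domain.
FRONT_CO = {
    "sender_email": "hr@frontco-consulting.example",
    "official_domain": "frontco-consulting.example",
    "domain_registered": date(2024, 5, 1),  # sender domain, from WHOIS/RDAP
    "claimed_years": 12,
    "interview_tool_host": "video-assess.example",
    "asks_to_run_code": True,
}

if __name__ == "__main__":
    print(triage(FRONT_CO, date(2025, 6, 1)))
```

An empty list means none of these specific checks fired, not that the contact is verified.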
Companies face their own risks when North Korean applicants slip through screening. Stronger background checks, identity verification, and KYC procedures for new hires can make infiltration harder. Some firms now deploy tools to detect AI-generated faces and deepfake video, which are increasingly used to create fake recruiter or candidate personas. Monitoring cloud access and tightening permissions around remote work accounts helps limit the damage if a malicious actor does make it through.
So many people don’t realize how big the “fake candidate” problem really is.
Cybersecurity researchers just exposed over 1,000 email addresses apparently tied to these operations.
It’s easily the biggest recruitment fraud story I’ve heard of.
Most companies still have no… pic.twitter.com/0wmSeKiH2q
— The Random Recruiter (@randomrecruiter) May 19, 2025
Regulators have started to respond. The FBI and Justice Department have issued repeated warnings about these campaigns and in 2025 seized domains linked to front companies such as BlockNovas. The U.S. Treasury has sanctioned Lazarus and related groups, while international monitors continue to tie crypto thefts to North Korea’s weapons program. These measures highlight the seriousness of the threat, but the volume of attacks shows that enforcement alone cannot keep up. Vigilance at the individual and company level remains essential.
Conclusion
The hiring process has become one of the most effective weapons in North Korea’s cyber arsenal. What looks like a normal job opportunity can instead be the entry point for malware, theft, and infiltration. The danger goes beyond stolen tokens. It reaches into company networks, undermines trust in recruitment, and fuels a sanctioned weapons program.
Security is not limited to wallets, exchanges, or code. It depends just as much on people, the conversations they have, and the trust they place in those on the other side of the screen.
Frequently Asked Questions
How do fake job scams steal crypto?
Hackers pose as recruiters, lure applicants into staged interviews, and push them to install malicious software disguised as video tools or skills tests. The malware steals wallet data, login credentials, and sometimes grants remote access to entire systems.
Who’s behind them?
Most operations trace back to North Korean state-sponsored groups, including Lazarus, which run campaigns like Contagious Interview. These groups use fake firms, AI-generated personas, and large networks of VPNs and proxies.
What should I do if I’m targeted?
End contact immediately, avoid downloading anything, and report the attempt to the platform where it occurred. If you already installed suspicious software, disconnect from the internet, move funds to a secure wallet, and run a full security review of your device.
Are exchanges doing anything?
Exchanges such as Robinhood and Kraken have worked to remove fake recruiter accounts and disable malicious domains. Still, they warn that impersonation is difficult to police since anyone can create a convincing profile online.
How does this fund DPRK’s weapons program?
Investigators from the U.S. and United Nations have shown that stolen cryptocurrency is funneled back to Pyongyang and used to support nuclear and missile development. Fake job campaigns are one piece of this broader strategy to sidestep sanctions.
