At least 230 individuals were targeted by North Korean hackers in fake cryptocurrency job interview attacks earlier this year, SentinelOne and Validin report.
In continuation of the Contagious Interview campaign that started in 2022, and which was seen employing the ClickFix technique in early 2025, the threat actors pose as recruiters and invite victims to fake cryptocurrency-related interviews.
The attackers created dozens of fake websites and have impersonated numerous centralized and decentralized finance entities in hundreds of interview invitations sent to unsuspecting victims. Threat detection and response firm Sekoia retrieved 184 different invitations.
After messages are exchanged back-and-forth about the supposed job, the prospective applicant is invited to an attacker-controlled website where they are asked to complete a skill assessment.
The website, however, is designed to infect the victim’s system with malware, using the ClickFix technique: a fabricated error message is displayed, instructing the victim to copy and paste commands in a command line window.
SentinelOne’s SentinelLabs says at least 230 individuals were targeted in such attacks between January and March 2025 and estimates that the actual number could be much higher.
The attackers impersonated companies such as Archblock, Robinhood, and eToro, and used lures for job positions such as Portfolio Manager, Investment Manager, and Senior Product Manager. They mainly targeted people associated with cryptocurrency and blockchain technologies.
Since March, SentinelLabs and internet intelligence platform Validin observed the threat actor examining cyber threat intelligence data regarding their infrastructure, and then making minimum changes to evade detection.
“We observed that the Contagious Interview threat actors engaged in coordinated activity and likely operated in teams to investigate threat intelligence related to their infrastructure and to monitor for signs of detection. Indicators suggest they used multiple indicators of compromise (IOC) repositories and CTI platforms, including Validin, VirusTotal, and Maltrail,” SentinelLabs says.
The hackers were likely using Slack to coordinate their investigations. They were seen evaluating new infrastructure before acquiring it, but did not make large-scale changes to their existing infrastructure, likely because of internal factors.
Fake job interviews, however, are not the only form of social engineering that North Korean hackers were seen targeting the decentralized finance industry with.
In an attack detailed by NCC Group, the hackers posed as employees of investment institutions on Telegram, and likely exploited a Chrome zero-day to eventually gain persistent access to a DeFi organization’s network after infecting an employee’s device.
NCC Group identified multiple tools used as part of the intrusion, including a utility for taking periodic screenshots, a keylogger, a Chromium browser dumper, the MidProxy proxy tool, Mimikatz, Proxy Mini, and the Fast Reverse Proxy client.
Furthermore, the hackers deployed the PondRAT and ThemeForestRAT backdoors for persistent, remote access to the compromised network, but replaced them with the more sophisticated RAT RemotePE several months later.
Related: North Korean Hackers Take Over Victims’ Systems Using Zoom Meeting
Related: North Korean Hackers Target macOS Users
Related: Hundreds Targeted in New Atomic macOS Stealer Campaign
Related: Hired ‘Hackers’ Try, and Fail, to Invade Brazil Vote System
