How North Korean Hackers Use Fake Job Offers in the Crypto Sector

New research shows that North Korean hackers utilize fake job offers to access the cryptocurrency sector, creating serious risks for job seekers.

How Recruitment Fraud Works

This scam, known as "Contagious Interview," involves impersonating recruiters from major crypto companies such as Bitwise Asset Management, Ripple Labs, and Robinhood. Victims are tricked into downloading malicious software or sending video files that compromise their cryptocurrency wallets. After brief exchanges, candidates are directed to unclear websites for "skills tests" or asked to record assessment videos using provided software. In several instances, victims reported having their wallets drained, with one individual losing $1,000 in ethers and solana.

Scope of the Threat

The problem has become so common that applicants are independently screening recruiters for signs of North Korean involvement. Twenty-five industry experts and executives described the scams as "ubiquitous." Blockchain analytics firms like SentinelOne and Validin are preparing a report linking the campaign to Pyongyang, citing IP addresses and email accounts associated with previous North Korean hacking operations. Exposed log files showed that over 230 individuals were targeted between January and March, including coders, accountants, consultants, and executives.

Why Crypto Remains an Attractive Target

North Korean hackers were estimated to have stolen at least $1.34 billion in cryptocurrency last year, according to Chainalysis. The U.S. and United Nations report that proceeds are funneled into its sanctioned weapons program. While thefts from exchanges and DeFi exploits are well-documented, the job-offer campaign is a more personalized form of social engineering that directly targets employees and job seekers. The FBI has previously warned that North Korea was "aggressively" targeting the sector with elaborate social engineering schemes. Companies such as Robinhood, Ripple, and Bitwise either declined to comment or confirmed measures to disable fake domains.

With increasing theft volumes related to North Korean cyber operations, technical and financial companies must focus on verifying recruiter identities and ensuring the safety of their employees.