FeaturedGlobal NewsReports

North Korean Hackers Flood Crypto Industry With Fake Job Offers to Steal Digital Assets

Photo of News Desk News Desk Send an email 4 September 2025
2 minutes read
Hackers stealing crypto assets. TRM Labs report highlights Bybit hack by Lazarus Group and Nobitex hack by Israel-linked Predatory Sparrow. nother korean hackers, fake crypto jobs offers

North Korean hackers are ramping up cyberattacks on the cryptocurrency sector, using convincing fake job offers to steal funds, according to new research, raw data, and interviews reviewed by Reuters.

The tactic has become so widespread that many professionals in the industry now actively screen recruiters for ties to Pyongyang. Reuters spoke with 25 experts, victims, and corporate representatives, all of whom said the problem is pervasive.

“It happens to me all the time and I’m sure it happens to everybody in this space,” said Carlos Yanez, business development executive at Switzerland-based blockchain analytics firm Global Ledger, who was recently targeted. Cybersecurity companies SentinelOne and Validin, which are publishing a detailed report on the campaign, confirmed his experience.

Yanez said the sophistication of these impersonation attempts has grown dramatically:

“It’s scary how far they’ve come.”

Crypto Theft Fueling North Korea’s Programs

While it’s unclear how much is stolen specifically through fake job offers, North Korean hackers stole at least $1.34 billion in cryptocurrency last year, according to Chainalysis. Both the U.S. and U.N. monitors allege that Pyongyang directs these thefts to fund its sanctioned weapons program.

The FBI previously warned that North Korea was “aggressively” targeting the crypto industry with “complex and elaborate” social engineering scams. Reuters’ investigation, supported by seven victims and screenshots of their conversations with fake recruiters, provides new details on the tactics.

How the Scams Work

Hackers typically approach targets via LinkedIn or Telegram with job offers tied to crypto companies.

  • One recruiter messaged Victoria Perepel on LinkedIn, claiming to represent Bitwise Asset Management, and asked her to complete a skills test and video recording on an obscure website.
  • Another target, Olof Haglund, a machine learning entrepreneur, was contacted by someone posing as a Robinhood recruiter named Wieslaw Slizewski. When Haglund refused to download suspicious code, the recruiter insisted: “We follow a structured hiring process, and the video assessment is a key part of our evaluation to ensure consistency and fairness for all candidates.”

Haglund cut off contact. But others weren’t as fortunate.

A U.S. crypto product manager (anonymous) fell victim after completing a video “assessment” for a recruiter impersonating Ripple Labs. Hours later, he discovered that $1,000 worth of Ether and Solana had been drained from his wallet. The LinkedIn profile of the supposed recruiter had already vanished.

Consultant Ben Humbert faced a similar scheme on LinkedIn with a recruiter claiming ties to Kraken. Asked to complete a “virtual interview” through a suspicious link, Humbert became suspicious and terminated the process.

Crypto Companies Respond

Robinhood confirmed awareness of an impersonation campaign earlier this year and said it disabled domains linked to the scam. LinkedIn stated that the fake recruiter accounts flagged by Reuters had already been “previously actioned,” while Telegram said it actively weeds out scams.

Kraken’s chief security officer, Nick Percoco, said impersonations are common: “Every day there’s something going on.”

Operation “Contagious Interview”

Cybersecurity firms SentinelOne and Validin attributed the campaign to a North Korean group previously identified by Palo Alto Networks as “Contagious Interview.” Their conclusion was based on IP addresses and emails linked to past North Korean hacking activity.

Researchers even uncovered exposed log files revealing the emails and IPs of over 230 targets—including coders, influencers, consultants, and executives—between January and March. Reuters contacted all of them, and 19 confirmed they had been targeted.

“This is just a fraction,” said Aleksandar Milenkoski, senior researcher at SentinelOne. “They’re like a typical scam group. They go for breadth.”

Difficult to Police

Percoco added that Kraken has tracked fake recruiting scams since late last year, with reports continuing into May. The company monitors for fake recruiter profiles but acknowledged limitations: “Anybody out there can say they’re a recruiter.”

Pyongyang has consistently denied involvement in cryptocurrency theft.

* Read our disclaimer
Tags
Photo of News Desk News Desk Send an email 4 September 2025
2 minutes read
Photo of News Desk

News Desk

UNLOCK Blockchain News Desk is fueled by a passionate team of young individuals deeply immersed in the world of Blockchain and Crypto. Our mission? To keep you, our loyal reader, on the cutting edge of industry news. Drop us a line at info(@)unlock-bc.com to connect with our team and stay ahead of the curve!

Related Articles

Ripple RLUSD stablecoin launched with CoinMENA as the only MENA exchange, Africa, partnerships, expansion

Ripple Expands USD-Backed Stablecoin RLUSD to Africa Through New Partnerships

4 September 2025
QCP group, ADGM license, crypto trading services, digital assets, crypto news, abu dhabi, UAE, blockchain news, MENA

QCP Group Secures Full ADGM License, Expands Digital Asset Trading Services in Abu Dhabi

4 September 2025
nasdaq, american bitcoin, abtc, blockchain news, crypto news, eric trump

Trump-Backed American Bitcoin Corp Surges 72% on Nasdaq Debut

4 September 2025

Federal Reserve to Spotlight Stablecoins, AI, and Tokenization at Payments Innovation Conference

4 September 2025
Back to top button