North Korean Hackers Flood Crypto Industry With Fake Job Offers to Steal Digital Assets

North Korean hackers are ramping up cyberattacks on the cryptocurrency sector, using convincing fake job offers to steal funds, according to new research, raw data, and interviews reviewed by Reuters.

The tactic has become so widespread that many professionals in the industry now actively screen recruiters for ties to Pyongyang. Reuters spoke with 25 experts, victims, and corporate representatives, all of whom said the problem is pervasive.

“It happens to me all the time and I’m sure it happens to everybody in this space,” said Carlos Yanez, business development executive at Switzerland-based blockchain analytics firm Global Ledger, who was recently targeted. Cybersecurity companies SentinelOne and Validin, which are publishing a detailed report on the campaign, confirmed his experience.

Yanez said the sophistication of these impersonation attempts has grown dramatically:

“It’s scary how far they’ve come.”

Crypto Theft Fueling North Korea’s Programs

While it’s unclear how much is stolen specifically through fake job offers, North Korean hackers stole at least $1.34 billion in cryptocurrency last year, according to Chainalysis. Both the U.S. and U.N. monitors allege that Pyongyang directs these thefts to fund its sanctioned weapons program.

The FBI previously warned that North Korea was “aggressively” targeting the crypto industry with “complex and elaborate” social engineering scams. Reuters’ investigation, supported by seven victims and screenshots of their conversations with fake recruiters, provides new details on the tactics.

How the Scams Work

Hackers typically approach targets via LinkedIn or Telegram with job offers tied to crypto companies.

• One recruiter messaged Victoria Perepel on LinkedIn, claiming to represent Bitwise Asset Management, and asked her to complete a skills test and video recording on an obscure website.
• Another target, Olof Haglund, a machine learning entrepreneur, was contacted by someone posing as a Robinhood recruiter named Wieslaw Slizewski. When Haglund refused to download suspicious code, the recruiter insisted: “We follow a structured hiring process, and the video assessment is a key part of our evaluation to ensure consistency and fairness for all candidates.”

Haglund cut off contact. But others weren’t as fortunate.

A U.S. crypto product manager (anonymous) fell victim after completing a video “assessment” for a recruiter impersonating Ripple Labs. Hours later, he discovered that $1,000 worth of Ether and Solana had been drained from his wallet. The LinkedIn profile of the supposed recruiter had already vanished.

Consultant Ben Humbert faced a similar scheme on LinkedIn with a recruiter claiming ties to Kraken. Asked to complete a “virtual interview” through a suspicious link, Humbert became suspicious and terminated the process.

Crypto Companies Respond

Robinhood confirmed awareness of an impersonation campaign earlier this year and said it disabled domains linked to the scam. LinkedIn stated that the fake recruiter accounts flagged by Reuters had already been “previously actioned,” while Telegram said it actively weeds out scams.

Kraken’s chief security officer, Nick Percoco, said impersonations are common: “Every day there’s something going on.”

Operation “Contagious Interview”

Cybersecurity firms SentinelOne and Validin attributed the campaign to a North Korean group previously identified by Palo Alto Networks as “Contagious Interview.” Their conclusion was based on IP addresses and emails linked to past North Korean hacking activity.

Researchers even uncovered exposed log files revealing the emails and IPs of over 230 targets—including coders, influencers, consultants, and executives—between January and March. Reuters contacted all of them, and 19 confirmed they had been targeted.

“This is just a fraction,” said Aleksandar Milenkoski, senior researcher at SentinelOne. “They’re like a typical scam group. They go for breadth.”

Difficult to Police

Percoco added that Kraken has tracked fake recruiting scams since late last year, with reports continuing into May. The company monitors for fake recruiter profiles but acknowledged limitations: “Anybody out there can say they’re a recruiter.”

Pyongyang has consistently denied involvement in cryptocurrency theft.