North Korean Hackers Target Crypto Pros With Fake Job Offers
A North Korean hacking group called PurpleBravo has been using fake job offers to install malware on the computers of professionals in the cryptocurrency and tech sectors. The campaign ran from August 2024 to September 2025 and targeted victims in at least ten countries, according to Recorded Future’s Insikt Group.

How the Scam Works

The attackers create fake recruiter profiles on LinkedIn, complete with AI-generated photos and bogus company websites for firms like BlockNovas LLC and Angeloper Agency. They reach out to professionals in finance, IT, and software development with seemingly legitimate job opportunities.

After initial contact, the fake recruiters guide candidates through a realistic interview process. The final step asks targets to complete a coding test by downloading files from GitHub repositories. These files appear to be normal Microsoft Visual Studio Code projects but actually contain malware.

The Malware

Jamf Threat Labs identified two main malware payloads hidden in the coding tests:

  • BeaverTail: A JavaScript-based tool that steals information from infected computers
  • GolangGhost: A backdoor written in Go that gives hackers remote access to the victim’s system

The campaign concentrated on victims in South Asia and North America, though attacks occurred across ten countries.

Why It’s Particularly Dangerous

“Going after job seekers gives North Korean actors a huge advantage,” explained Kenneth Kinion, CEO of Validin. “Instead of trying to slip past an employer’s defenses, they take over the entire hiring process and make it feel completely legitimate to individuals.”

The risk multiplies when candidates use work computers for these coding challenges. Recorded Future noted that “in several cases, it is likely that job-seeking candidates executed malicious code on corporate devices, creating organizational exposure beyond the individual target.”

This means a single compromised employee could give hackers access to their entire company’s network—and potentially to that company’s clients as well.

The Money Behind the Attacks

North Korean hacking operations are financially motivated, with the proceeds supporting the regime. According to blockchain analysis firm Chainalysis, North Korean hackers stole $2.02 billion in cryptocurrency in 2025 alone, bringing their total haul to $6.75 billion.

These stolen funds are widely believed to finance North Korea’s nuclear and missile development programs.

Researchers also found tactical overlaps between PurpleBravo and another North Korean operation called Wagemole, where IT workers use stolen identities to get jobs at real companies.

What We Don’t Know

While the report confirmed at least 20 victim organizations, their names haven’t been publicly disclosed. The specific financial losses from the PurpleBravo campaign haven’t been calculated, and the full scope of potential supply chain compromise affecting clients of targeted firms remains unclear.

How to Protect Yourself

Security experts recommend these precautions during job searches:

For job seekers:

  • Never download coding tests or files on your work computer
  • Verify company legitimacy through official websites and LinkedIn corporate pages
  • Be suspicious of recruiters who push GitHub downloads early in the process
  • Check if recruiter photos are AI-generated using reverse image search
  • Insist on video calls before downloading any files

For companies:

  • Implement mandatory video interviews with identity verification
  • Deploy tools that detect AI-generated images in applicant materials
  • Monitor development environments for suspicious code execution
  • Restrict what employees can download on corporate devices
  • Educate staff about job scam tactics
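
A pre-open check on a downloaded coding-test repository, as an added example that is not from the original article or the cited reports. The article does not say how the planted code gets executed; the script assumes two common auto-run points (a VS Code task set to run when the folder opens, and npm install-time scripts), and its sample repository and file contents are constructed.

```python
import json
import tempfile
from pathlib import Path

# package.json scripts that npm runs on its own during `npm install`.
NPM_AUTO_SCRIPTS = ("preinstall", "install", "postinstall", "prepare")

def _load(path):
    """Return the parsed dict, or None if unreadable or not strict JSON."""
    try:
        data = json.loads(path.read_text(encoding="utf-8", errors="replace"))
    except (OSError, ValueError):
        return None
    return data if isinstance(data, dict) else None

def audit_repo(root):
    """Return sorted (relative_path, finding) pairs for auto-run entry points."""
    root, findings = Path(root), []
    for path in root.rglob("*.json"):
        rel = path.relative_to(root)
        is_tasks = path.name == "tasks.json" and path.parent.name == ".vscode"
        if "node_modules" in rel.parts or not (is_tasks or path.name == "package.json"):
            continue
        data = _load(path)
        if data is None:
            # VS Code accepts comments in tasks.json; do not guess, escalate.
            findings.append((rel.as_posix(), "not strict JSON, review by hand"))
        elif is_tasks:
            tasks = data.get("tasks")
            for task in tasks if isinstance(tasks, list) else []:
                opts = task.get("runOptions") if isinstance(task, dict) else None
                if isinstance(opts, dict) and opts.get("runOn") == "folderOpen":
                    findings.append((rel.as_posix(), f"task runs on folder open: {task.get('command')!r}"))
        else:
            scripts = data.get("scripts")
            for name in NPM_AUTO_SCRIPTS:
                if isinstance(scripts, dict) and name in scripts:
                    findings.append((rel.as_posix(), f"npm runs {name!r} on install: {scripts[name]!r}"))
    return sorted(findings)

def demo():
    """Audit a constructed sample repo (illustrative, not taken from the campaign)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / ".vscode").mkdir()
        (root / ".vscode" / "tasks.json").write_text(json.dumps({"version": "2.0.0", "tasks": [
            {"label": "build", "command": "node setup.js", "runOptions": {"runOn": "folderOpen"}},
            {"label": "test", "command": "npm test"}]}))
        (root / "package.json").write_text(json.dumps(
            {"name": "coding-test", "scripts": {"postinstall": "node setup.js", "start": "node index.js"}}))
        return audit_repo(root)
```

A clean result only rules out these two triggers and does not make the repository safe to run, so coding tests still belong on a disposable machine rather than a work device.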

The Bigger Picture

This campaign shows how state-sponsored hackers are blurring the lines between cybercrime and traditional espionage. By exploiting the trust inherent in job applications and using legitimate platforms like LinkedIn and GitHub, they bypass many standard security measures.

The supply chain risk is particularly concerning. A compromise at one targeted company could expose data from hundreds of their clients, creating cascading security breaches across entire industries.

Security researchers expect these tactics to become more sophisticated as AI tools improve, making fake recruiters and companies increasingly difficult to detect.
