North Korean Hackers Use Fake Crypto Companies to Spread Malware
North Korean hackers are setting up front companies to deliver malware during fake job interview processes

CYBER SYRUP
Delivering the sweetest insights on cybersecurity.

Cybersecurity researchers have uncovered a new evolution in North Korean cyber operations, revealing that threat actors are setting up front companies to deliver malware during fake job interview processes. The campaign, dubbed Contagious Interview, demonstrates the increasing sophistication and deception employed by the Democratic People's Republic of Korea (DPRK) in targeting cryptocurrency and blockchain sectors.
A Deceptive Front: Fake Crypto Companies
According to a deep-dive analysis by Silent Push, three fake cryptocurrency consulting firms have been identified as being part of this new campaign:
BlockNovas LLC (blocknovas[.]com)
Angeloper Agency (angeloper[.]com)
SoftGlide LLC (softglide[.]co)
These entities serve as vehicles to lure job seekers into malware infection traps disguised as job interviews. Once trust is established, the fake companies distribute malware under the guise of coding assessments or technical challenges.
Malware Payloads: BeaverTail, InvisibleFerret, and OtterCookie
The threat actors use multiple malware families as part of their infection chain:
BeaverTail: A JavaScript-based stealer and loader.
InvisibleFerret: A Python backdoor capable of persisting on Windows, macOS, and Linux systems.
OtterCookie: An additional payload that the same JavaScript dropper delivers only in some infection chains.
After initial compromise, BeaverTail contacts an external server (lianxinxiao[.]com) to download further payloads, including InvisibleFerret, which enables data theft, reverse shells, and file exfiltration. In some cases, compromised systems have also seen unauthorized installation of AnyDesk remote access software.
Broader Infrastructure and Methods
Silent Push’s investigation uncovered a broader infrastructure supporting these campaigns:
Status Dashboards hosted on BlockNovas' subdomains for monitoring operational domains.
Hashtopolis password cracking systems running on BlockNovas infrastructure.
Kryptoneer, a tool hosted on attisscmo[.]com for interacting with cryptocurrency wallets such as Suiet Wallet and Sui Wallet.
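The domains named in the two sections above are the kind of indicators a defender would want to sweep DNS and proxy logs for. As an added example (not from the article or from Silent Push), the Python script below refangs those indicators and matches them against constructed log lines. It matches on label boundaries, so a status dashboard on a BlockNovas subdomain is caught while a look-alike such as notblocknovas.com is not. The log format, the sample lines and the severity labels are this example's own assumptions; anydesk.com is included only as a low-severity watch item because unauthorized AnyDesk installs were observed after compromise, not because the vendor is malicious.

```python
"""Match the article's defanged domain indicators against DNS/proxy logs.

Added example: the indicators come from the article; the log lines,
severities and field layout are constructed for illustration.
"""
import re
from typing import Iterable, List, NamedTuple, Optional

# (defanged domain, severity, why it is listed). Severities are this example's own.
INDICATORS = [
    ("blocknovas[.]com", "high", "front company; status dashboards on its subdomains"),
    ("angeloper[.]com", "high", "front company"),
    ("softglide[.]co", "high", "front company"),
    ("lianxinxiao[.]com", "critical", "BeaverTail second-stage download server"),
    ("attisscmo[.]com", "high", "hosts the Kryptoneer wallet tool"),
    ("anydesk[.]com", "low", "legitimate vendor; unauthorized installs seen after compromise"),
]


def refang(indicator: str) -> str:
    """Undo common defanging ('example[.]com', 'hxxps://') so the value can be compared."""
    s = indicator.strip().lower()
    for broken, fixed in (("[.]", "."), ("(.)", "."), ("[dot]", ".")):
        s = s.replace(broken, fixed)
    return re.sub(r"^hxxp(s?)://", r"http\1://", s)


IOC_TABLE = {refang(domain): (severity, note) for domain, severity, note in INDICATORS}

# Hostname-shaped tokens: one or more labels, then an alphabetic TLD. Bare IPs do not match.
HOST_RE = re.compile(r"(?<![\w.-])((?:[a-z0-9-]+\.)+[a-z]{2,})(?![\w-])", re.I)


class Hit(NamedTuple):
    line: int
    host: str
    indicator: str
    severity: str


def matching_ioc(hostname: str) -> Optional[str]:
    """Return the indicator that `hostname` equals or is a subdomain of, else None.

    Matching is on label boundaries: 'status.blocknovas.com' hits blocknovas.com,
    'notblocknovas.com' does not. A trailing dot (DNS logs) and case are ignored.
    """
    labels = hostname.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in IOC_TABLE:
            return candidate
    return None


def scan_log(lines: Iterable[str]) -> List[Hit]:
    """Report every distinct hostname per line that matches an indicator."""
    hits: List[Hit] = []
    for number, line in enumerate(lines, start=1):
        seen = set()
        for match in HOST_RE.finditer(line):
            host = match.group(1).lower().rstrip(".")
            if host in seen:
                continue
            seen.add(host)
            ioc = matching_ioc(host)
            if ioc is not None:
                hits.append(Hit(number, host, ioc, IOC_TABLE[ioc][0]))
    return hits


# Constructed log lines (not real telemetry) in a simplified DNS/proxy format.
SAMPLE_LOG = """\
2025-04-22T09:14:02Z dns client=10.0.0.5 query=status.blocknovas.com. type=A
2025-04-22T09:14:07Z proxy client=10.0.0.5 GET https://notblocknovas.com/jobs 200
2025-04-22T09:15:31Z proxy client=10.0.0.5 GET https://lianxinxiao.com/update 200
2025-04-22T09:16:44Z dns client=10.0.0.7 query=github.com. type=A
2025-04-22T09:17:10Z proxy client=10.0.0.5 GET https://download.anydesk.com/AnyDesk.exe 200
2025-04-22T09:18:03Z dns client=10.0.0.9 query=attisscmo.com. type=A
""".splitlines()

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        severity, note = IOC_TABLE[hit.indicator]
        print(f"line {hit.line}: {hit.host} -> {hit.indicator} [{severity}] {note}")
```

Run against the sample, the script reports four hits (the BlockNovas subdomain, the lianxinxiao[.]com download server, the AnyDesk download and attisscmo[.]com) and correctly ignores notblocknovas.com and github.com. Keep the indicator list in its defanged form in source control and refang at load time, so copy-paste from a report never turns into a live link.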
The use of fake personas, fabricated employee profiles, and fraudulent social media accounts across platforms like LinkedIn, GitHub, Medium, and X, further highlights the effort to appear legitimate.
"BlockNovas claimed to have '12+ years' of experience, despite being registered for just one year," noted Silent Push.
Law Enforcement Response
As of April 23, 2025, the U.S. Federal Bureau of Investigation (FBI) seized the BlockNovas domain as part of an ongoing crackdown on DPRK-affiliated cyber operations targeting individuals through fraudulent job postings.

Advanced Social Engineering Tactics
The campaign follows the established Contagious Interview playbook, which other vendors track under names such as:
DeceptiveDevelopment
Famous Chollima
DEV#POPPER
A new dimension involves the use of GenAI-based tools for enhancing deception:
Remaker and other AI applications generate realistic profile pictures.
AI services are used to transcribe interviews, translate conversations, and manage multiple candidate personas.
According to Okta, this adoption of AI allows DPRK operatives to efficiently schedule interviews, impersonate multiple applicants, and bypass traditional identity verification processes.
Operational Footprint and Regional Connections
The investigation also revealed that the attackers use Russian IP ranges, specifically ranges assigned to Khasan (on the North Korea-Russia border) and Khabarovsk in Russia's far east, to mask their activities. These connections hint at possible infrastructure sharing between North Korean and Russian entities.
Threat telemetry suggests that some North Korean operatives are physically located in China, Russia, and Pakistan, using Russian-based VPS servers and RDP tunnels to access recruitment platforms and cryptocurrency services.
"It is plausible, with low to medium confidence, that some level of cooperation exists between North Korea and Russian infrastructure providers," said researchers from Trend Micro.
Conclusion: A Growing Threat to Web3 and Crypto Sectors
The DPRK’s strategy of blending social engineering, malware, and AI-enhanced deception poses a significant risk to the Web3 and cryptocurrency ecosystems. Organizations must remain vigilant:
Verify recruiters and the companies behind them independently (corporate registration, domain age, consistent employee profiles) before running anything they send; a firm claiming "12+ years" of experience on a one-year-old domain is a red flag.
Treat take-home coding assessments from unverified parties as untrusted code: run them in an isolated environment, and alert on unexpected remote-access tools such as AnyDesk and on connections to known campaign infrastructure.
Train employees to recognize sophisticated phishing and job scam tactics, including AI-generated recruiter personas.
The evolution of campaigns like Contagious Interview signals that human-centric attacks will remain a primary vector for state-sponsored threat actors targeting financially lucrative industries.