North Korean hackers are flooding the cryptocurrency industry with convincing fake job offers in a bid to steal digital assets, according to new research, raw data, and interviews seen by Reuters.
The scam has become so widespread that job seekers in crypto now routinely check whether recruiters might secretly be working for Pyongyang. Twenty-five experts, victims, and company representatives told Reuters the problem is everywhere.
“It happens to me all the time and I’m sure it happens to everybody in this space,” said Carlos Yangtze, a business development executive at Switzerland-based blockchain analytics firm Global Ledger. Yangtze was recently targeted but managed to avoid being hacked. He told researchers from SentinelOne and Validin, who are publishing a report on the scheme this week, that North Korea’s tactics have gotten scarily sophisticated.
Last year alone, North Korean hackers are believed to have stolen at least $1.34 billion in cryptocurrency, according to blockchain intelligence firm Chainalysis. The U.S. government and United Nations have both accused Pyongyang of funnelling these funds into its sanctioned weapons program.
The Scam in Action
The FBI already warned last year that North Korea was “aggressively” targeting the crypto sector with elaborate social engineering scams. Reuters reporting now reveals exactly how these attacks unfold.
Step one: a recruiter reaches out via LinkedIn or Telegram with a blockchain-related job pitch.
One such message, sent to Victoria Perepel in January, appeared to come from Bitwise Asset Management: “We are currently expanding our team… We are particularly looking for individuals who are passionate about cryptocurrency markets.”
Next, applicants are pushed to take a skills test or record a video using suspicious websites or software. That’s where many victims realized something was off.
Machine learning entrepreneur Olof Haglund grew skeptical when a recruiter claiming to be from Robinhood insisted he download software to record his “interview.” Haglund refused and ended the chat.
But others weren’t so lucky. A U.S.-based crypto product manager, speaking anonymously, said he went along with a supposed Ripple Labs recruiter’s request. Hours later, $1,000 worth of ether and Solana vanished from his wallet. By then, the recruiter’s LinkedIn profile had disappeared.
In another case, consultant Ben Humbert was approached on LinkedIn by someone posing as a Kraken recruiter. The scammer asked him to complete a “virtual interview” via a shady link. Humbert grew suspicious and cut contact before losing money.
Companies Fight Back
Ripple and Bitwise did not respond to requests for comment. Robinhood confirmed that scammers had impersonated crypto firms earlier this year and said it disabled linked web domains. LinkedIn said the fake accounts had been “previously actioned,” while Telegram said it actively removes scams when detected.
Researchers believe the attacks are part of a North Korean operation dubbed “Contagious Interview” by cybersecurity company Palo Alto Networks. SentinelOne and Validin tied the campaign to North Korea using IP addresses and emails previously linked to the country’s hackers.
Their investigation also uncovered exposed log files showing the personal details of more than 230 people, including coders, executives, consultants, and influencers, who were targeted between January and March. Nineteen confirmed to Reuters that they had indeed been approached.
“This is typical in the crypto space. Every day there’s something going on,” said Nick Percoco, chief security officer at Kraken.
Growing and Hard to Stop
North Korea’s mission to the United Nations did not respond to requests for comment, but Pyongyang has consistently denied involvement in cryptocurrency thefts.
Experts warn that the scams seen so far may just be a fraction of the overall campaign. Aleksandar Milenkoski, a senior researcher at SentinelOne, said North Korean hackers behave like a “typical scam group” by going for sheer scale.
Kraken, for instance, began noticing fake recruiting scams late last year. Reports kept coming in through March, April, and May. But Percoco admitted it’s difficult to stop impersonators.
“Anybody out there can say they’re a recruiter,” he said.