North Korean hackers are increasingly targeting cryptocurrency professionals with elaborate fake job offers, according to new research and interviews with victims. Cybersecurity firms SentinelOne and Validin, which tracked the campaign, say the scams involve bogus recruiters contacting applicants through LinkedIn or Telegram before leading them to download malicious software disguised as skills tests. The practice, known in the industry as “Contagious Interview,” is part of Pyongyang’s broader campaign to steal digital assets that finance its sanctioned weapons program.
Victims describe highly convincing recruitment processes that mimic real corporate hiring procedures. Recruiters claim to represent major firms such as Bitwise, Ripple Labs, or Robinhood, and after initial exchanges, ask applicants to complete video assessments using suspicious links or applications. Several targets who complied later discovered their cryptocurrency wallets had been drained. One U.S.-based product manager lost $1,000 worth of ether and Solana, while others narrowly escaped after growing suspicious.
The sophistication of the scams has increased sharply over the past year, experts warn. “It happens to me all the time and I’m sure it happens to everybody in this space,” said Carlos Yanez, an executive at blockchain analytics firm Global Ledger, noting the growing quality of North Korean impersonations. Researchers discovered exposed log files showing more than 230 professionals — from developers to consultants — were targeted in just the first quarter of 2025. Analysts believe this represents only a fraction of the full operation.
Global losses from such scams are difficult to calculate, but blockchain intelligence firm Chainalysis estimates that North Korean hackers stole at least $1.34 billion worth of cryptocurrency last year through a mix of exchange hacks, phishing, and fake job schemes. The U.S. FBI and United Nations monitors have repeatedly accused Pyongyang of using these funds to bankroll its missile and nuclear programs, charges the country routinely denies. Companies like LinkedIn, Telegram, and Robinhood say they are actively taking down fraudulent accounts, but admit policing impersonators remains difficult.
Cybersecurity experts say the campaign highlights how vulnerable the fast-growing crypto sector remains to social engineering. “They’re like a typical scam group — they go for breadth,” said Aleksandar Milenkoski of SentinelOne. Kraken’s chief security officer Nick Percoco confirmed his company has seen waves of fraudulent recruiting attempts since late 2024, adding that scammers exploit the openness of online hiring. “Anybody out there can say they’re a recruiter,” he said, warning job seekers to remain vigilant as North Korea’s hacking tactics continue to evolve.