A widespread and sophisticated social engineering campaign, attributed to North Korean state-sponsored hackers, is systematically targeting individuals within the cryptocurrency industry through fake job offers. This strategy has become so pervasive that professionals in the sector now routinely vet recruiters to avoid falling victim.
The Scale and Impact of the Campaign
According to interviews with twenty-five experts, victims, and corporate representatives, these fraudulent recruitment efforts are ubiquitous. The hackers' tactics have evolved significantly, with the quality of their masquerades showing marked improvement in the past year, making them increasingly difficult to detect.
While the exact amount stolen via this specific method is unknown, North Korean hackers are believed to have stolen an estimated $1.34 billion in cryptocurrency in the past year alone. U.S. and United Nations monitors allege these funds are used to support Pyongyang's sanctioned nuclear and ballistic weapons programs.
The Attack Methodology: "Contagious Interview"
The campaign, tracked by cybersecurity firms SentinelOne and Validin and previously identified as "Contagious Interview" by Palo Alto Networks, follows a detailed playbook:
- Initial Contact: Posing as recruiters for legitimate companies like Kraken, Ripple Labs, Bitwise, and Robinhood, the hackers initiate contact via professional networks like LinkedIn or messaging apps like Telegram.
- The Pitch: They present a credible job opportunity, often for a blockchain-related role, and engage in detailed discussions about compensation and responsibilities to build trust.
- The Trap: Instead of a live video interview on a standard platform like Zoom, the "recruiter" insists the candidate complete a "skills test" or record a video using a custom, obscure website. This site is designed to deliver malicious code.
- Theft: Once the victim downloads and runs the provided code, it compromises their system, often leading to the theft of cryptocurrency from connected digital wallets.
Evidence and Attribution
Researchers attribute the campaign to North Korea based on several factors, including the use of internet protocol (IP) addresses and email accounts linked to previously known North Korean hacking activity. A critical piece of evidence was a set of log files, accidentally exposed by the hackers themselves, which contained the email and IP addresses of over 230 targeted individuals between January and March. The targets spanned a wide range of professions, including coders, executives, marketers, and consultants.
Industry Response and Challenges
Affected companies have acknowledged the problem. A Robinhood spokesperson confirmed awareness of the impersonation campaign and stated they had taken action to disable associated scam domains. LinkedIn stated that the fake accounts identified had already been "actioned" (removed).
However, policing this activity is challenging. As Nick Percoco, Chief Security Officer at Kraken, noted, "Anybody out there can say they’re a recruiter." His company actively searches for phony accounts but also relies on reports from external candidates who encounter suspicious activity.
The consensus among researchers is that the identified victims represent only a tiny fraction of those targeted, indicating an extremely broad and aggressive campaign. This approach reflects a strategy of casting a wide net to maximize the hackers' chances of success, underscoring the persistent and evolving threat North Korean hackers pose to the cryptocurrency ecosystem.