Hackers Lure Crypto Professionals Through Fraudulent Job Offers
A new cybersecurity alert has shaken the crypto industry: the North Korean hacker group Famous Chollima has been caught targeting job seekers through fake online interviews. According to Cisco Talos researchers, the attackers developed a new remote access trojan (RAT) named PylangGhost, aimed specifically at professionals applying to crypto companies.
These campaigns mimic legitimate hiring processes to trick unsuspecting candidates into installing malware under the pretense of setting up video interviews.
How the Fake Interview Scam Works
The hackers create cloned websites of popular crypto platforms such as Coinbase, Robinhood, and Uniswap. These sites look nearly identical to the real ones. Posing as recruiters, the attackers send candidates test assignments and then schedule interviews. During the fake interview, they instruct applicants to run a command in the terminal, claiming it’s required to install a “video driver.”
In reality, that command downloads and installs PylangGhost, a sophisticated piece of malware that gives full remote access to the victim’s machine.
PylangGhost: A New Trojan with Devastating Capabilities
PylangGhost is written in Python and targets Windows systems, acting as a successor to the earlier macOS-specific GolangGhost trojan. It does not affect Linux systems at this stage.
Once installed, the trojan harvests sensitive data, including browser cookies and login credentials from over 80 browser extensions. Targets include major password managers like 1Password and NordPass, and crypto wallets such as MetaMask, Phantom, TronLink, and Bitski. More alarmingly, the trojan enables persistent remote control, allowing hackers continuous access to infected devices.
Interestingly, analysts noted that the malware code does not appear to be generated using large language models (LLMs), indicating manual development by skilled operators.
India in the Crosshairs
The primary victims of this campaign are crypto professionals in India. Experts believe this is part of North Korea’s larger strategy to infiltrate crypto companies and gather strategic intelligence, in addition to stealing funds from exchanges.
Dilip Kumar, Director at Digital South Trust, warned that India must take immediate action, including mandatory cybersecurity audits for blockchain firms and monitoring of fake job portals. He urged national agencies like CERT-In, MeitY, and NCIIPC to strengthen cross-border cooperation and issue public cybersecurity alerts.
Kumar also called for tougher legislation under the Information Technology Act and awareness campaigns to educate users about evolving cyber threats.
Not an Isolated Case
This isn’t the first instance of cyberattacks disguised as hiring processes. In April, Silent Push uncovered that Contagious Interview, a group affiliated with North Korea’s Lazarus Group, had registered three shell companies to distribute malware through similar fake job interviews.
Conclusion: Cybersecurity Awareness Is More Important Than Ever
This campaign is a stark reminder that no one in the crypto space is safe from cyber deception—not even job seekers. As North Korean groups become more creative and aggressive, individuals and companies alike must tighten their security practices, verify job offers rigorously, and stay updated on cyber risks.
Cyber hygiene, vigilance, and regulation are key to protecting the future of crypto innovation.