A North Korean hacker group has launched a sophisticated scam targeting crypto developers through fake companies and job interviews, according to a report by Silent Push on April 24. The subgroup, known as Contagious Interview, set up three shell companies — BlockNovas, Angeloper Agency, and SoftGlide — to lure victims into downloading malware. Two of the companies were even registered as legitimate businesses in the United States.

Silent Push senior threat analyst Zach Edwards revealed that these fraudulent firms use hiring websites and fake recruitment portals to attract developers. During the fake job application process, applicants are prompted to fix an error while recording an introduction video and, in doing so, unknowingly download malware through a simple click-and-paste trick. The malware strains identified include BeaverTail, InvisibleFerret, and OtterCookie, all designed to steal sensitive information like crypto wallet keys and clipboard data.

The hackers also employed AI-generated images to create fake employee profiles, even modifying stolen real images to appear more convincing. Edwards emphasized the increasing sophistication of impersonation efforts, which makes it difficult for even experienced users to detect the fraud.

Silent Push reported that at least two developers were confirmed victims, including one whose MetaMask wallet was compromised. Although the FBI has seized the BlockNovas domain, SoftGlide remains active. Several crypto founders have also reported attempts to breach their systems through fake Zoom calls.

The Lazarus Group, the larger North Korean organization behind Contagious Interview, has been linked to some of the most notorious crypto heists, including the $1.4 billion Bybit hack and the $600 million Ronin network breach.