Cryptocurrency experts are warning that the industry is now under constant attack by North Korean hackers, who have become highly proficient at tricking crypto owners and blockchain technicians into giving up valuable information with elaborate “social engineering” schemes.
“Social engineering” is a broad term for the methods hackers employ to lure their victims into downloading malware, or disclosing crucial information like their user names and login credentials.
Major computer networks have become fairly resistant to “brute-force” hacking, so intruders find it necessary to steal legitimate user names and passwords from unwitting victims, or trick them into installing virus programs on their computers. Most of the headline-grabbing cybercrimes of recent years have involved some form or social engineering, such as the ubiquitous “phishing” technique, which tricks victims into responding to realistic-looking emails or downloading virus-laced attachments.
Reuters on Thursday interviewed 25 cryptocurrency experts, corporate representatives, and victims of cybercrime who said North Korean hackers have grown relentless in their efforts to steal digital currency. The attacks have grown significantly more sophisticated and effective over the past year.
“It happens to me all the time and I’m sure it happens to everybody in this space. It’s scary how far they’ve come,” said business development executive Carlos Yanez of blockchain analytics firm Global Ledger.
The FBI posted an alert on Wednesday warning that North Korea is “conducting highly tailored, difficult-to-detect social engineering campaigns against employees of decentralized finance cryptocurrency, and similar businesses to deploy malware and steal company cryptocurrency.”
“North Korean malicious cyber actors conducted research on a variety of targets connected to cryptocurrency exchange-traded funds (ETFs) over the last several months,” the FBI warned.
“This research included pre-operational preparations suggesting North Korean actors may attempt malicious cyber activities against companies associated with cryptocurrency ETFs or other cryptocurrency-related financial product,” the alert added.
The FBI said teams of North Korean “malicious cyber actors” scout dozens of employees at targeted crypto companies, reviewing their “social media activity, particularly on professional networking or employment-related platforms.”
This research enables the hackers to “incorporate personal details regarding an intended victim’s background, skills, employment, or business interests” into tailored social engineering attacks, especially phony job offers. The hackers often use “realistic imagery” of individuals and “time-sensitive events,” harvested from publicly available resources online, to make their scams look realistic.
The FBI pointed to a list of 17 North Korean domains seized by the Department of Justice (DoJ) in 2023 for examples of how convincing the fake recruiting websites can be. Victims are approached with carefully-tailored messages on platforms like LinkedIn or Telegram from phony “recruiters” claiming to represent major firms looking to “expand their teams.” The fake recruiters convincingly pretend to be real people whose identities can be confirmed with a bit of online research.
After hooking their victims with offers of lucrative compensation, the hackers direct them to take a fake “skills test” on a suspicious website and upload an introductory video of themselves. The video supposedly had to be created with a special program the victims were instructed to install on their computers.
Some crypto techs told Reuters that this stage of the “recruiting” process made them suspicious, because shadow websites from obscure domains were used for the “skills tests” or to “expedite the process” of hiring. Furthermore, there is no good reason to download a special program to record a video in the Year of Our Lord 2025, when so many well-established and secure video messaging platforms are available.
Unfortunately, some of the cryptocurrency workers who spoke to Reuters admitted they went ahead with the process, believing they were being headhunted by reputable recruiters for top-shelf firms. They soon found thousands of dollars of cryptocurrency had vanished from their digital wallets, or their systems had been raided for contact information that could be used in future social engineering attacks.
Fake recruiting scams have become such a problem in the industry that some big online finance companies, like Robinhood and Kraken, have issued warnings about fraudulent recruiters and asked for outsiders to report impersonators.
The FBI advised job seekers to be on the lookout for unusual “pre-employment test” requirements, unrealistic compensation offers, and “insistence on using non-standard or custom software to complete simple tasks” as warning signs of a scam.
“Every day there’s something going on,” Kraken chief security officer Nick Percoco sighed to Reuters. “Anybody out there can say they’re a recruiter.”
Some cybersecurity firms believe a single North Korean hacking unit is responsible for most of the recruiting scams. Sentinel Labs identified the threat as “Contagious Interview,” a cluster of tightly coordinated hacker teams that has grown so rapacious that it scarcely bothers to conceal its activities.
Contagious Interview has the resources to immediately replace every domain seized by law enforcement, and it makes only “limited changes” to its methods when it gets caught. One reason Sentinel Labs was able to accumulate so much intelligence about the threat is that Contagious Interview doggedly insisted on using the same platform to create email addresses, so it was not difficult to monitor their activities.
According to Sentinel Labs, this one group targeted at least 230 victims in the first quarter of 2025, and the true number is probably “significantly higher,” because some of the victims may not have come forward. One reason for this frenzy of activity is that North Korea’s government has reportedly set annual earnings quotas for its hacking teams.
