Fake job interviews become a new weapon, North Korean hackers target over 3,100 IPs in the crypto industry

North Korean hacker group PurpleBravo strikes again. After stealing over $2 billion from the cryptocurrency market in 2025, the group launched a large-scale fake recruitment campaign on January 22, a cyber espionage operation targeting over 3,100 internet addresses related to AI, cryptocurrency, and financial services companies. This time, their entry method is more covert: impersonating recruiters or developers and using fake technical interviews to lure job seekers into executing malicious code on corporate devices.

Fake Recruitment Becomes a New Social Engineering Entry Point

Innovation in Attack Techniques

PurpleBravo’s new attack process appears simple but is highly efficient. The attackers first impersonate recruiters from crypto or tech companies to contact targets. Then, under the guise of a technical interview, they require the targets to complete a series of seemingly reasonable tasks: reviewing code, cloning repositories, or completing programming assignments. While carrying out these tasks, the victims are actually running malicious code carefully crafted by the hackers.

The cleverness of this method lies in exploiting the psychology of job seekers. The interview tasks seem entirely legitimate, and candidates are often eager to demonstrate their abilities, which lowers their guard. For companies, the employees targeted are usually those with certain technical skills, who often have higher system permissions.

Disguise and Infrastructure

According to analysis by security research firm Recorded Future, PurpleBravo employs multiple fake identities, including false Ukrainian personas. They have deployed two main remote access trojan (RAT) tools:

  • PylangGhost: capable of automatically stealing browser credentials and cookies
  • GolangGhost: also capable of credential theft

Additionally, the hackers weaponized Microsoft Visual Studio Code, embedding backdoors through malicious Git repositories. Their infrastructure is quite sophisticated, utilizing Astrill VPN and 17 different service providers to host malicious servers.

Specific Threats to the Crypto Industry

Why the Crypto Industry Is a Key Target

Among the over 3,100 targets of this attack, a significant proportion are cryptocurrency companies. This is no coincidence. Employees in the crypto sector typically hold high-value assets such as private keys and wallet access rights. Once compromised, hackers can directly transfer funds. Moreover, crypto companies’ defenses are often less mature than those of traditional financial institutions.

The 20 confirmed victim organizations are distributed across South Asia, North America, Europe, the Middle East, and Central America. This indicates that PurpleBravo has clear targets worldwide.

Additional Threat Signals

Security researchers also found that related Telegram channels are selling LinkedIn and Upwork accounts, and attackers have interacted with crypto exchange MEXC. This suggests hackers may be building a complete supply chain: acquiring real identity information, creating fake job profiles, executing attacks, and monetizing stolen assets.

How Enterprises Can Respond

Key Defense Points

For crypto and tech companies, defending against such attacks requires multiple layers:

  • Recruitment verification: confirm interview invitations through official channels, use company email addresses instead of third-party emails
  • Employee training: educate technical staff about new social engineering tactics, remain vigilant even when tasks seem legitimate
  • Code review: strictly scrutinize any external code, avoid executing unreviewed code directly in production
  • Access control: restrict employee device permissions, use isolated virtual machines for untrusted tasks
  • Monitoring and alerts: deploy Endpoint Detection and Response (EDR) tools to monitor abnormal credential access and network connections
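
The code review and isolation points above can be backed by a read-only audit of a cloned repository before it is opened in an editor or installed. This is an added example, not code from the article or from Recorded Future's report: the two auto-run locations it checks (VS Code tasks set to run on folder open, and npm lifecycle scripts) are assumptions about where an untrusted repository can trigger execution, and the sample repository is constructed.

```python
import json
import tempfile
from pathlib import Path

# npm lifecycle scripts that run automatically during `npm install`
NPM_AUTORUN = {"preinstall", "install", "postinstall", "prepare"}

def audit_repo(root):
    """Return (file, reason) findings. Files are only read, never executed."""
    root, findings = Path(root), []
    tasks_file = root / ".vscode" / "tasks.json"
    if tasks_file.is_file():
        text = tasks_file.read_text(errors="replace")
        try:
            tasks = json.loads(text).get("tasks")
        except (json.JSONDecodeError, AttributeError):
            tasks = None  # VS Code tolerates comments in tasks.json; strict JSON does not
        if not isinstance(tasks, list) and "folderOpen" in text:
            findings.append((".vscode/tasks.json", "mentions folderOpen; review manually"))
        for t in tasks if isinstance(tasks, list) else []:
            opts = t.get("runOptions") if isinstance(t, dict) else None
            if isinstance(opts, dict) and opts.get("runOn") == "folderOpen":
                findings.append((".vscode/tasks.json", f"task {t.get('label')!r} runs on folder open"))
    for pkg in sorted(p for p in root.rglob("package.json") if "node_modules" not in p.parts):
        try:
            scripts = json.loads(pkg.read_text(errors="replace")).get("scripts")
        except (json.JSONDecodeError, AttributeError):
            continue
        if isinstance(scripts, dict):
            for hook in sorted(NPM_AUTORUN & set(scripts)):
                findings.append((pkg.relative_to(root).as_posix(), f"npm {hook} script: {scripts[hook]!r}"))
    return findings

def build_sample_repo(root):
    """Constructed sample input: a tiny 'interview assignment' repository."""
    root = Path(root)
    (root / ".vscode").mkdir(parents=True)
    (root / ".vscode" / "tasks.json").write_text(json.dumps({"version": "2.0.0", "tasks": [
        {"label": "setup", "type": "shell", "command": "echo constructed-placeholder",
         "runOptions": {"runOn": "folderOpen"}}]}))
    (root / "package.json").write_text(json.dumps(
        {"name": "assignment", "scripts": {"postinstall": "echo constructed-placeholder", "test": "echo ok"}}))
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        for path, reason in audit_repo(build_sample_repo(d)):
            print(f"{path}: {reason}")
```

An empty result only means these two locations are clean; the repository still belongs in an isolated virtual machine until its code has been reviewed.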

Summary

Fake recruitment interviews represent a new direction in hacker social engineering techniques. Compared to traditional phishing emails, this method is more targeted, exploiting the psychology of job seekers and vulnerabilities in corporate hiring processes. For the crypto industry, PurpleBravo’s ongoing activities indicate that North Korean hackers still view this sector as a primary target. Companies need to recognize that highly skilled employees are often the easiest entry point, and the key to defense lies in establishing comprehensive recruitment verification processes and employee security awareness. Additionally, information sharing and collaborative defense within the industry are becoming increasingly important.
