Crypto Firms Facing Alarming Assault from North Korean Hackers

Experts in cryptocurrency are sounding the alarm about ongoing attacks from highly skilled North Korean hackers. These cybercriminals excel at using “social engineering” tactics to deceive crypto owners and blockchain professionals into revealing sensitive information.

So, what do we mean by “social engineering”? Essentially, it’s a broad term for tactics that hackers use to persuade victims to download malicious software or to disclose critical details like usernames and passwords.

As major computer networks have become tougher to crack via brute force methods, hackers are increasingly opting to steal legitimate usernames and passwords from unsuspecting individuals. This approach has escalated in recent years, often involving social engineering methods like phishing, where attackers send seemingly legitimate emails that lead to malware-laden attachments.

According to Reuters, which interviewed 25 cryptocurrency experts, corporate representatives, and cybercrime victims, North Korean hackers have stepped up their efforts to siphon off digital currency. These attacks have become more sophisticated and effective over the last year.

One blockchain analytics executive, Carlos Yanez, expressed concern: “It seems like it happens to me all the time, and frankly, I think it could happen to anyone in this sector. It’s a bit frightening to think about how far they might go.”

The FBI also issued a warning recently, indicating that North Korea is executing highly customized social engineering campaigns specifically targeting employees in decentralized finance and cryptocurrency sectors, aiming to deploy malware and steal digital assets.

The FBI’s alert stated that a group of North Korean cyber actors has been researching various targets, focusing particularly on cryptocurrency exchange-traded funds (ETFs). This indicates a possible upcoming wave of cyberattacks directed at cryptocurrency-related financial entities.

As part of their strategy, the FBI noted that these hackers had investigated numerous employees from targeted cryptocurrency companies, examining their social media activity, particularly on professional platforms like LinkedIn.

This kind of research allows them to tailor their approach with personal details that make the deception effective. They often use realistic images and timely events pulled from publicly available resources to create a facade of legitimacy.

The FBI revealed a list of 17 domains seized by the Department of Justice in 2023, showing how credible the fraudulent recruitment websites used by these hackers can look. Victims are approached with finely crafted messages from supposed recruiters claiming to represent well-known companies looking to grow their teams.

Once hooked with attractive job offers, victims are subjected to a fake “skill test” and are instructed to upload introductory videos on a dubious site that requires them to install potentially harmful software.

Some cybersecurity professionals have raised questions about this recruitment phase, stating that such practices should raise red flags. After all, credible recruiters in this day and age have numerous reliable video messaging platforms they can utilize without requiring custom software installations.

Regrettably, some cryptocurrency professionals interviewed by Reuters admitted to falling for these schemes, believing they were being recruited by reputable headhunters. They ultimately found that thousands of dollars in cryptocurrency had vanished from their wallets, leaving their personal information exposed to future attacks.

The issue has become so prevalent that major online finance firms like Robinhood and Kraken have issued warnings about fraudulent recruiters and encouraged their users to report suspicious impersonation attempts.

The FBI advises job seekers to be wary of unusual requirements for “pre-employment tests,” unrealistic compensation offers, and demands for completing simple tasks with non-standard software—these could all be signs of a scam.

Nick Percoco, Kraken’s CEO, conveyed the pervasive nature of the issue, stating, “There’s something happening every day. Anyone can claim to be a recruiter.”

Some cybersecurity firms believe a specific North Korean hacking group is behind a majority of these fake recruitment scams. Sentinel Labs labeled this threat as “contagious interview,” highlighting a tightly coordinated group of hackers operating without much discretion.

This group has been effective enough to quickly replace seized domains with minimal changes to their methods when caught. Sentinel Labs has managed to gather substantial intelligence on these threats, largely due to the group’s tendency to use identical platforms for their email communications.

According to Sentinel Labs, the number of victims is likely much higher than reported, with one group targeting at least 230 individuals in just the first quarter of 2025, some of whom may not even have reported their experiences. Part of the reason for this surge in activity could stem from annual revenue targets set by the North Korean government for these hacking units.
