In the shadowy world of cyber threats, few groups are as notorious as North Korean hackers, known for their sophisticated and deceptive tactics. Today, we’re diving deep into their latest schemes with Rupert Marais, our in-house security specialist. With years of expertise in endpoint security, cybersecurity strategies, and network management, Rupert is uniquely positioned to unpack the intricacies of these state-sponsored attacks. Our conversation explores the alarming trend of fake job interviews targeting the cryptocurrency industry, the cunning methods used to trick victims, and the broader social engineering tactics employed by these threat actors. Join us as we uncover the mechanisms behind these attacks and what they mean for the future of cybersecurity.
Can you walk us through the recent wave of attacks by North Korean hackers using fake job interviews to target individuals?
Absolutely. Between January and March 2025, we saw a significant campaign where at least 230 individuals were targeted, though the actual number could be much higher. These hackers pose as recruiters, offering enticing job roles in the cryptocurrency space, like Portfolio Manager or Senior Product Manager. Their focus is heavily on people connected to blockchain and crypto technologies, as these industries often handle valuable digital assets that are prime targets for theft or exploitation.
What can you tell us about the Contagious Interview campaign and the specific techniques these hackers use to deceive their victims?
The Contagious Interview campaign, which kicked off in 2022, is a prolonged effort by these threat actors to lure victims into their traps. One of their key methods is the ClickFix technique, which surfaced prominently in early 2025. Essentially, after engaging a victim with a fake job offer, they direct them to a malicious website for a supposed skill assessment. Once there, the site displays a fake error message that tricks the user into copying and pasting commands into a command line window, which then installs malware on their system. It’s a clever ruse that exploits trust and curiosity.
How do these hackers go about setting up their fake websites to make these attacks so convincing?
They’ve gone to great lengths to create dozens of counterfeit websites—research suggests at least 184 distinct invitations were sent out. These sites often mimic well-known companies in the finance and crypto sectors, like Archblock, Robinhood, and eToro. When a victim visits one of these sites under the guise of a job interview or assessment, they’re unknowingly exposing their system to malware. The design and branding are often polished enough to fool even cautious individuals, which makes this tactic particularly dangerous.
What steps have these hackers taken to avoid detection and stay under the radar of cybersecurity experts?
Since March 2025, they’ve been actively monitoring cyber threat intelligence data about their own infrastructure. They’ve been observed using platforms like VirusTotal and Maltrail to check if their tools or domains have been flagged. Interestingly, they haven’t made sweeping changes to their setups, likely due to internal constraints or a belief that minimal tweaks are enough to evade detection for now. It’s a cat-and-mouse game where they’re constantly probing for weaknesses in our detection methods.
Beyond fake job interviews, what other social engineering tactics have North Korean hackers used to target the decentralized finance sector?
They’ve been quite versatile. One common approach is posing as employees of investment firms on messaging platforms like Telegram. In a notable case documented by researchers, they exploited a Chrome zero-day vulnerability to gain persistent access to a DeFi organization’s network. They infected an employee’s device and used a range of tools—like keyloggers, screenshot utilities, and backdoors such as PondRAT and later RemotePE—to maintain control and extract sensitive data. It shows how they adapt their methods to the target environment.
How do you think these hackers coordinate their operations behind the scenes to pull off such complex attacks?
From what researchers have pieced together, it appears they rely on platforms like Slack to organize their efforts and operate in coordinated teams. They’re also meticulous about testing new infrastructure before deploying it in live attacks. This evaluation process helps them ensure their systems are secure and less likely to be detected early on. It’s a structured approach that reflects a high level of planning and discipline, which is part of what makes them so effective.
Looking ahead, what is your forecast for the evolution of these state-sponsored cyber threats, particularly from groups like North Korean hackers?
I expect these threats to become even more sophisticated and personalized. As defenses improve, these actors will likely lean harder into social engineering, crafting highly tailored attacks that exploit individual behaviors and trust. We might see them branching into new industries beyond crypto, targeting emerging tech sectors where security practices are still maturing. The use of zero-day exploits and advanced malware will probably increase, too. It’s a reminder that staying ahead requires not just technical defenses, but also educating people to recognize and resist these manipulative tactics.
