North Korean hackers use fake job tests to target crypto developers

Grafa, 2025/04/18 08:30
By: Mahathir Bayena

North Korean cyber groups have intensified attacks on cryptocurrency developers by distributing malware through fraudulent recruitment tests, according to recent reports from cybersecurity experts and blockchain analysts.

Hackers linked to North Korea, including groups known as Sapphire Sleet and TraderTraitor, have adopted social engineering tactics by posing as recruiters on platforms such as LinkedIn and freelance sites.

These actors entice developers with offers of lucrative jobs or contracts, then send what appear to be coding assignments or pre-employment tests, often hosted on platforms like GitHub.

When unsuspecting developers download and open these files, their systems are infected with malware designed to steal credentials, private keys, and access to wallets or cloud infrastructure.

“The hackers often want to steal developer credentials and access codes,” said Hakan Unal, a senior security lead. The attackers target sensitive information such as SSH keys, API credentials, and production infrastructure.

“Threat actors pose as clients or hiring managers offering well-paid contracts or tests, particularly in the DeFi or security space, which feels credible to devs,” noted Luis Lubeck, a project manager at Hacken.

These schemes have become more sophisticated, with attackers creating convincing professional profiles and resumes to build trust with their targets.

“After gaining access to the company, the hackers identify vulnerabilities, which ultimately can lead to exploits,” explained Hayato Shigekawa of Chainalysis.

The Federal Bureau of Investigation and blockchain analysts have repeatedly warned about spyware disguised as job offers, noting that North Korean hackers have stolen billions in digital assets over recent years.

In 2024 alone, North Korean cybercriminals accounted for over half of all global cryptocurrency thefts, with more than $1.3 billion stolen in 47 incidents.

Jacob Gadikian, a Cosmos developer, described these hackers as “the world’s most skilled and prolific crypto thieves,” emphasising the persistent threat they pose to the ecosystem.

Security professionals urge developers to verify job offers, avoid running untrusted code, and use virtual machines or sandboxes for testing.

“Be extra cautious with ‘too-good-to-be-true’ gigs, especially unsolicited ones,” Lubeck advised.

As North Korean groups continue to refine their methods, experts stress that operational hygiene and ongoing education are as vital as technical safeguards for protecting digital assets.
