North Korean hackers are targeting cryptocurrency experts with fake job offers, tricking them into handing over access to their digital wallets in a sophisticated scam that’s draining millions. Known as “Contagious Interview,” this scheme sees cybercriminals pose as recruiters from trusted crypto firms like Ripple and Kraken, using LinkedIn and Telegram to lure victims with dream jobs. As the crypto world grapples with this growing threat, Chain Focus investigates how these hackers are exploiting trust to fund Pyongyang’s illicit activities.
The scam starts innocently enough. A message offering a high-paying role in blockchain development or project management. The “recruiter” engages in polished back-and-forth, arranging interviews and skills tests. But there’s a catch. Candidates are directed to unfamiliar websites or asked to download software for a video assessment. These are traps, loaded with malware that steals cryptocurrency from victims’ wallets. One U.S. crypto manager, speaking anonymously, lost $1,000 in ether and Solana after uploading a video for a supposed Ripple job. By the time he noticed, the recruiter’s LinkedIn profile had disappeared.
Cybersecurity firms SentinelOne and Validin, in a new report, uncovered over 230 targets hit between January and March 2025. Blockchain intelligence firm Chainalysis estimates North Korean hackers stole $1.34 billion in crypto last year, with the FBI and UN linking these thefts to Pyongyang’s weapons programs. Unlike their brazen exchange hacks, like February’s $1.5 billion ByBit breach, this scam relies on deception, exploiting the industry’s demand for talent.
Victims describe the hackers’ chilling expertise. Carlos Yanez, a blockchain executive at Global Ledger, narrowly avoided a hack but was struck by the scam’s professionalism. “It’s scary how good they are,” he said. Stockholm entrepreneur Olof Haglund grew wary when a “Robinhood recruiter” pushed a suspicious video test and ended the conversation. Others weren’t so lucky, with losses piling up as hackers vanish without a trace.
Crypto firms are fighting back. Kraken’s security chief, Nick Percoco, said fake recruiter accounts surged late last year, with reports continuing into 2025. Robinhood and LinkedIn have shut down fraudulent domains, but the hackers adapt quickly. “Anyone can claim to be a recruiter,” Percoco noted, highlighting the challenge of stopping impersonators.
Stay with Chain Focus for the latest on crypto threats and how to stay safe.
