North Korean criminals target crypto professionals in a new fake job malware campaign


Job interviews in the crypto and blockchain industry are becoming more dangerous, as they're increasingly being used to spread malware and steal crypto funds, with the latest example once again tied to North Korea.

Cisco Talos, a threat intelligence research team, said that in May 2025 it identified a Python-based remote access trojan (RAT) it calls "PylangGhost," used exclusively by the North Korea-aligned threat actor Famous Chollima (also tracked as Wagemole), a cluster that is likely made up of multiple groups.

This campaign primarily targets professionals in the crypto and blockchain industry in an attempt to compromise their computer systems and steal funds. According to the researchers, PylangGhost is being used to target Windows users, while a Golang-based version is meant for macOS users.


Criminals from Famous Chollima are said to be pretending to be recruiters who instruct their potential victims to visit skill-testing pages that impersonate major crypto and fintech companies – platforms such as Coinbase, Uniswap, Robinhood, Archlock, and more.


Among the fake job interview websites are krakenhire[.]com, uniswap[.]speakure[.]com, coinbase[.]talenthiringtool[.]com, and others.
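All three domains follow the same pattern: a well-known brand name placed in a subdomain or stuffed into a lookalike label, while the registrable domain belongs to the attacker. The following script, an added example that is not Cisco Talos or Cybernews code, triages a list of hostnames for that pattern. The brand-to-apex mapping is an assumption for illustration, and the eTLD+1 approximation (last two labels) is deliberately simple; use the Public Suffix List in production.

```python
"""Flag hostnames that borrow a crypto brand's name without being under
that brand's own domain, the pattern used by the fake interview sites.

Added example, not code from Cisco Talos or the article. BRAND_APEX is an
assumed mapping for the brands the article names; adjust for your environment.
"""

# Assumed legitimate apex domains (not taken from the article).
BRAND_APEX = {
    "coinbase": "coinbase.com",
    "uniswap": "uniswap.org",
    "kraken": "kraken.com",
    "robinhood": "robinhood.com",
}


def refang(host: str) -> str:
    """Turn a defanged indicator like 'coinbase[.]talenthiringtool[.]com'
    back into a lower-case hostname without a trailing dot."""
    return host.strip().lower().rstrip(".").replace("[.]", ".").replace("(.)", ".")


def registrable_domain(host: str) -> str:
    """Approximate eTLD+1 as the last two labels.
    Assumption: no multi-part public suffixes (co.uk, com.au); a real
    deployment should consult the Public Suffix List instead."""
    return ".".join(host.split(".")[-2:])


def check_host(host: str):
    """Return (brand, registrable_domain) when a brand string appears in any
    label of the hostname but the registrable domain is not that brand's own
    apex; return None for hosts that are clean or genuinely brand-owned."""
    h = refang(host)
    apex = registrable_domain(h)
    labels = h.split(".")
    for brand, real_apex in BRAND_APEX.items():
        if apex == real_apex:
            continue  # e.g. careers.coinbase.com really is Coinbase's
        if any(brand in label for label in labels):
            return brand, apex
    return None


def triage(hosts):
    """Map each input hostname to its check_host() verdict."""
    return {host: check_host(host) for host in hosts}


# Indicators listed in the article, plus two constructed benign controls.
SAMPLE_HOSTS = [
    "krakenhire[.]com",
    "uniswap[.]speakure[.]com",
    "coinbase[.]talenthiringtool[.]com",
    "careers.coinbase.com",   # constructed benign control
    "robinhood.com",          # constructed benign control
]

if __name__ == "__main__":
    for host, verdict in triage(SAMPLE_HOSTS).items():
        if verdict:
            brand, apex = verdict
            print(f"SUSPECT {host}: uses '{brand}' but is registered as {apex}")
        else:
            print(f"ok      {host}")
```

The check is a cheap first pass for proxy logs or a newly registered domain feed, not proof of malice on its own: a legitimate third-party hiring vendor can also put a client's name in a subdomain, so a hit should trigger a look at who registered the apex and what the page serves.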

Once potential victims have answered the standard-looking recruiting questions, they are asked to record a video introduction. The site then reports a problem with the camera or microphone and walks them through a "fix": installing the supposedly required video drivers by copying a command line and running it themselves.

That command line is the infection vector. Once it is copied, pasted, and executed, the trojan is launched on the victim's machine. No legitimate hiring platform needs a candidate to run a terminal command to get a webcam working; being told to paste and execute anything to proceed with an interview is the tell.

"PylangGhost consists of six well-structured Python modules. It is not clear to Talos why the threat actors decided to create two variants using a different programming language, or which was created first," Cisco Talos said, adding that "The structure, the naming conventions, and the function names are very similar, which indicates that the developers of the different versions either worked closely together or are the same person."


Meanwhile, in a related story, Mehdi Farooq, partner at crypto venture capital firm Hypersphere, said he lost a "large part" of his life savings after he hopped on a Zoom call with someone he knew.


Farooq said he was asked to update Zoom to fix an audio issue; once the "fix" was applied, his laptop was "compromised completely," and six wallets were drained. He later found that the acquaintance's account had itself been hacked, and it remains unclear whether the criminals used deepfakes or recordings of earlier Zoom calls.

"Turns out I was compromised by [Democratic People's Republic of Korea] affiliated threat known as DangerousPassword," Farooq said.