Hackers Use Fake Crypto Firms To Spread Malware In Job Scams

  • Written by Kiara Fabbri Former Tech News Writer
  • Fact-Checked by Sarah Frazier Former Content Manager

North Korean hackers are posing as crypto firms, tricking job seekers into downloading malware that steals wallet credentials during fake interviews.

In a rush? Here are the quick facts:

  • Malware disguised as coding tests stole victims’ crypto wallet credentials.
  • AI-generated profiles made fake companies appear credible.
  • Attacks were spread through GitHub and freelance platforms.

Security researchers at Silent Push have uncovered a new cyberattack campaign orchestrated by the North Korean hacking group known as Contagious Interview, also referred to as Famous Chollima.

The group is operating three fraudulent cryptocurrency companies—BlockNovas LLC, Angeloper Agency, and SoftGlide LLC—to deceive job seekers into installing malware.

The scheme begins with fake job postings on freelance and recruitment websites, targeting individuals seeking roles in the cryptocurrency industry. When applicants respond, they are asked to download files allegedly containing interview materials or coding challenges.

These files, however, deliver malicious software identified as BeaverTail, InvisibleFerret, and OtterCookie. The malware is designed to steal sensitive data, including cryptocurrency wallet credentials.

To bolster the scam’s credibility, the hackers create fake employee profiles using AI-generated images. Some of these headshots were produced with Remaker AI, a tool designed to fabricate realistic portraits.

The three fraudulent companies—BlockNovas, Angeloper, and SoftGlide—present themselves as legitimate businesses, but their primary purpose is to distribute malware. Victims are misled into executing malicious code during what they believe to be technical assessments or interviews.

The hackers rely on platforms such as GitHub, freelancer marketplaces, and job boards to distribute the malware and manage their operations.

The attack strategy aligns with a pattern seen in past operations by Contagious Interview, a subgroup of the North Korean state-backed Lazarus team. Known for using fake job offers and AI-generated personas, Lazarus leverages residential proxies and VPNs to mask its location while targeting individuals globally.

To protect against such attacks, experts advise job seekers to be wary of any offers that require downloading unknown files or executing code. It is also essential to verify the legitimacy of companies before engaging in interviews and to use up-to-date security software.

One developer recounted their experience: “I wanted to share how my MetaMask wallet was hacked yesterday as a cautionary tale.”

“I received a new project through Freelancer.com. The client had a ‘payment verified’ badge, so I assumed they were legitimate. The project involved web3 backend development, which I was confident I could handle,” he continued.

“After accepting the contract, the client invited me to their GitLab project and asked me to run their backend code. Soon after running it, I realized that my MetaMask wallet had been compromised,” the developer warned.

Hackers Target Caritas Charity Sites

  • Written by Kiara Fabbri Former Tech News Writer
  • Fact-Checked by Sarah Frazier Former Content Manager

A cyberattack hit 17 websites of Caritas Spain, a major Catholic charity, compromising donor card data for more than a year without detection.

In a rush? Here are the quick facts:

  • Attackers used fake donation forms to steal donor card data.
  • The sites used WooCommerce, a popular WordPress plugin.
  • Over 60 fake domains supported the attack’s infrastructure.

The attackers used a method called web skimming, where malicious code is inserted into a website to steal sensitive information from users. In this case, the skimmer created a fake donation form that mimicked the real one and silently captured personal and payment data including names, addresses, card numbers, CVV, and more.

“This campaign reinforces a broader trend that has been observed: web skimming infections are increasingly driven by modular kits,” researchers at Jscrambler who flagged the hack wrote. These kits allow hackers to easily mix different tools and channels to deliver and collect stolen data.

The researchers say that the infected websites were all powered by WooCommerce, a popular plugin for online payments on WordPress. The attack had two parts: first, a tiny piece of hidden code was injected into the site’s homepage to contact the hackers’ server.

Then, the second-stage script added a fake “Continue” button over the real one. Once users clicked it, they were shown a counterfeit online payment form, designed to look like the official gateway from Santander bank.

After capturing the data, the form briefly showed a loading spinner before redirecting the donor to the legitimate payment site, making the scam harder to notice.
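As an added example (not from Jscrambler or the original article), one way a site owner could catch an injected first-stage loader like the one described above is to audit each homepage snapshot against a reviewed baseline of script hosts and inline-script hashes. The domains, HTML and function names below are constructed for illustration.

```javascript
const { createHash } = require('node:crypto');
// Hash of an inline script body, comparable to a CSP 'sha256-...' source value.
const sha256 = (text) => createHash('sha256').update(text.trim()).digest('base64');

// Simplified regex extraction for illustration; a production monitor should use a real HTML parser.
function extractScripts(html) {
  const scripts = [];
  const re = /<script\b([^>]*)>([\s\S]*?)<\/script\s*>/gi;
  for (const m of html.matchAll(re)) {
    const src = /\bsrc\s*=\s*["']?([^"'\s>]+)/i.exec(m[1]);
    scripts.push(src ? { kind: 'external', src: src[1] } : { kind: 'inline', body: m[2] });
  }
  return scripts;
}

// Flag external scripts from unreviewed hosts and inline scripts missing from the baseline.
function auditPage(html, pageUrl, allowedHosts, approvedInlineHashes) {
  const findings = [];
  for (const s of extractScripts(html)) {
    if (s.kind === 'external') {
      const host = new URL(s.src, pageUrl).hostname;
      if (!allowedHosts.has(host)) findings.push({ type: 'unapproved-host', detail: host });
    } else if (s.body.trim() !== '') {
      const digest = sha256(s.body);
      if (!approvedInlineHashes.has(digest)) findings.push({ type: 'unapproved-inline', detail: digest });
    }
  }
  return findings;
}

// Constructed sample data: a reviewed baseline page and a tampered copy of it.
const PAGE_URL = 'https://donate.example.org/';
const BASELINE_HTML = `<html><head>
<script src="/wp-includes/js/jquery.min.js"></script>
<script>window.siteConfig = { lang: "es" };</script>
</head><body><button id="continue">Continue</button></body></html>`;
const TAMPERED_HTML = BASELINE_HTML.replace('</head>',
  '<script>/* constructed stand-in for an injected loader */ var x = 1;</script>\n' +
  '<script src="https://cdn.unapproved.example/a.js"></script></head>');
const ALLOWED_HOSTS = new Set(['donate.example.org']);
const APPROVED_INLINE = new Set(
  extractScripts(BASELINE_HTML).filter((s) => s.kind === 'inline').map((s) => sha256(s.body)));

const runDemo = () => ({
  clean: auditPage(BASELINE_HTML, PAGE_URL, ALLOWED_HOSTS, APPROVED_INLINE),
  tampered: auditPage(TAMPERED_HTML, PAGE_URL, ALLOWED_HOSTS, APPROVED_INLINE),
});
console.log(JSON.stringify(runDemo(), null, 2));
```

The same allowlist and hashes can be enforced in the browser through a Content-Security-Policy `script-src` directive, so an unapproved script is blocked rather than only reported.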

“It’s especially concerning given the target,” Jscrambler noted. “Caritas is a non-profit dedicated to helping vulnerable communities. Still, attackers were happy to keep their skimming operation going […] for over a year.”

The infection was first discovered on March 16, 2025, and the affected websites were eventually taken offline for maintenance in early April after Jscrambler reached out.

By April 11, the malicious code was finally removed. However, the hackers had shifted tactics in the meantime, altering the script to avoid detection.

Researchers also found signs that this group targeted other websites too, using over 60 fake domains to distribute and collect data. Many of these were hosted under the same IP, pointing to a centralized setup. Jscrambler reports that Caritas has not released an official statement about the breach.