North Korean Hackers Target Indian Crypto Job Seekers with Fake Offers and Malware

A North Korean hacking group known as Famous Chollima is targeting crypto industry job seekers in India, according to a new report from Cisco Talos. The group has been using fake job offers and deceptive recruitment websites to trick victims into downloading malware—a method that echoes previous cyber tactics used by other North Korean outfits but with a new twist.

The hackers aren’t stealing from crypto exchanges directly. Instead, they’re going after individuals applying for jobs in the blockchain space, hoping to hijack personal credentials and digital wallets through malicious software.

A New Face in North Korea’s Web3 Cyber Arsenal

While Lazarus Group remains North Korea’s most notorious cybercrime organization—linked to billions in stolen crypto—Cisco says Famous Chollima operates independently. The group has reportedly been active since mid-2024, with a focus on social engineering rather than sophisticated exploits.

Unlike Lazarus, which has previously tried to infiltrate companies like Kraken by posing as job seekers, Famous Chollima takes the opposite route: pretending to be the employer.

Victims are drawn in with fake job listings on cloned or deceptive career portals, often imitating major crypto or tech companies. These listings eventually lead to a staged “interview” process, where applicants are asked to run suspicious command-line instructions under the pretext of installing drivers for the call. In reality, this grants hackers full access to their devices.

Malware Disguised as a Job Interview

The malicious software, dubbed PylangGhost, allows attackers to remotely control infected machines. It extracts browser data, login credentials, and information from over 80 crypto-related extensions including MetaMask, Phantom, and 1Password. The malware essentially turns the victim’s device into an open door for financial and identity theft.

Cisco Talos observed that most affected users are based in India—a growing hub for crypto developers and blockchain talent. Although the malware is unsophisticated compared to Lazarus’ past exploits, the damage can still be significant, especially for users storing digital assets on their personal devices.

Broader Implications and Rising Concerns

Some cybersecurity analysts speculate that operations like this may be part of a broader intelligence-gathering strategy, enabling North Korean hackers to better mimic industry insiders in future campaigns. Others believe these lower-tier teams are just the first wave, used to compromise systems before more advanced groups swoop in for high-stakes theft.

This tiered approach mirrors previous reports from exchanges like BitMEX, which claimed that Lazarus relies on an initial “low-skill” team to gain access before handing over control to a more sophisticated unit.

While these theories remain unconfirmed, the tactic of targeting individuals instead of infrastructure reflects an evolving threat landscape. It underscores just how vulnerable Web3 professionals and job seekers can be.

How to Stay Safe: Tips for Crypto Job Hunters

For those in the crypto space—especially job seekers—basic cybersecurity precautions are more important than ever:

  • Avoid running command-line instructions unless verified by trusted sources.
  • Use multi-factor authentication (MFA) across all accounts.
  • Enable endpoint protection and monitor browser extensions regularly.
  • Verify employer domains and application portals before submitting resumes or entering sensitive data.
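
The domain check in the last tip can be partly automated. The sketch below is an added example, not code from Cisco Talos or from any company named above. It classifies a job-portal link against an allowlist of official employer domains and flags hostnames that merely contain or closely resemble a brand. The brands, the `.example` domains and the function names are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed allowlist (assumption): brand keyword -> official registrable domain.
OFFICIAL = {"acmechain": "acmechain.example", "nodevault": "nodevault.example"}

def edit_distance(a, b):
    """Levenshtein distance, used to catch near-miss spellings of a brand."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def registrable(host):
    """Last two labels. Simplification: multi-part suffixes such as co.in
    need a public-suffix list instead."""
    return ".".join(host.split(".")[-2:])

def check_portal(url):
    """Classify a job-portal link as 'official', 'lookalike', 'unknown' or 'invalid'."""
    parts = urlsplit(url if "://" in url else "//" + url)
    host = (parts.hostname or "").lower().rstrip(".")
    if "." not in host:
        return "invalid"
    reg = registrable(host)
    if reg in OFFICIAL.values():
        return "official"
    # Compare against the whole authority so a brand placed in the userinfo
    # part ("brand.example@other.example") is also caught.
    flat = parts.netloc.lower().replace("-", "")
    sld = reg.split(".")[0].replace("-", "")
    for brand in OFFICIAL:
        if brand in flat or edit_distance(sld, brand) <= 2:
            return "lookalike"
    return "unknown"

if __name__ == "__main__":
    # Constructed sample links.
    for u in ("https://careers.acmechain.example/apply",
              "https://acme-chain-careers.example/interview",
              "https://acrnechain.example/jobs",
              "https://jobs.unrelated.example/"):
        print(f"{check_portal(u):10} {u}")
```

An "unknown" result only means the host matches no listed brand; it still needs to be confirmed through the employer's own website before any data is submitted.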

Job hunting in the crypto industry should not come at the cost of your security. With North Korean cyber teams now targeting individuals, vigilance is no longer optional—it’s essential.