Hackers steal cryptocurrency using fake job offers, report reveals

Posted on Tuesday, September 9, 2025 by TREY ABBE, Editor

A recent investigation reveals that North Korean hacking groups are using elaborate fake job offers to steal cryptocurrency from blockchain professionals and investors. The scams, identified in a joint report by cybersecurity firms SentinelOne and Validin, include posing as recruiters for major crypto companies and directing applicants to download malicious software or complete video assessments on obscure platforms.

North Korean hackers exploit job offers to infiltrate the crypto space

The campaigns are part of a broader North Korean effort to fund its sanctioned weapons programs, according to allegations from the United States and United Nations. Blockchain intelligence company Chainalysis estimates North Korean hackers stole more than $1.3 billion in cryptocurrency in 2024, though losses from this latest scam tactic are not yet quantified.

How the scams work

Hackers typically approach their victims through LinkedIn or Telegram, presenting themselves as recruiters for well-known cryptocurrency exchanges or blockchain companies. Victims are then asked to complete coding assessments or record video interviews through unfamiliar software, which often serves as a delivery mechanism for malware.

In one case, Stockholm-based entrepreneur Olof Haglund was approached by a person claiming to be a recruiter from Robinhood. After refusing to install third-party software, he ended the interaction, avoiding potential theft. Others were not so fortunate, including a U.S.-based product manager who later discovered $1,000 in cryptocurrency missing from his wallet.

Cybersecurity experts describe the campaign as a “broad-based attack,” with hackers targeting executives, developers, consultants, and marketers. “They’re like a typical scam group,” said SentinelOne researcher Aleksandar Milenkoski. “They go for breadth.”


Industry response to recruitment scams

Several companies have responded to the findings. Robinhood confirmed awareness of impersonation attempts and reported taking down associated domains. LinkedIn stated that the fake recruiter accounts identified in this investigation had been removed, while Telegram confirmed ongoing efforts to remove scams from its platform.

Kraken’s Chief Security Officer, Nick Percoco, said the company began receiving reports of fake recruiter scams late last year. “Anybody out there can say they’re a recruiter,” he said, noting the challenges of policing impersonation at scale.

The surge in scams highlights how hackers steal cryptocurrency using fake job offers, putting blockchain professionals and crypto investors on alert.

The SentinelOne and Validin investigation, which analyzed log files inadvertently exposed by the hackers, linked the activity to a North Korean campaign dubbed “Contagious Interview” by Palo Alto Networks. Researchers identified over 230 targeted individuals between January and March 2025, suggesting that the scheme is a subset of a much larger cryptocurrency theft operation.

North Korea’s mission to the United Nations did not respond to requests for comment, and Pyongyang has consistently denied involvement in cryptocurrency theft.

Rising risks for blockchain professionals

This trend highlights the increasing risks facing professionals in the blockchain industry, where the decentralized nature of crypto makes recovering stolen funds challenging. Companies and job seekers alike are being urged to verify recruiters, use secure communication platforms, and exercise caution when downloading software from unknown sources.



