North Korean Hackers Are Using Fake Job Offers To Steal Crypto

Next time you’re filling out a job application, you may want to think twice before entering important data.

North Korean hackers have been targeting American and European job applicants in an attempt to steal their cryptocurrency.

Hackers targeted victims by luring them into filling out fake job applications through LinkedIn or Telegram.

After the application was submitted, the attackers would reach out and ask the individual to complete a so-called “test.”

This test required downloading malicious software, which secretly gave the hackers access to the victim’s personal device.

Reuters broke the story and shared more details on how North Korean hackers are infiltrating job hiring sites:

North Korean hackers are saturating the cryptocurrency industry with credible-sounding job offers as part of their campaign to steal digital cash, according to new research, raw data, and interviews.

The problem is becoming so common that job applicants now regularly screen recruiters for signs they might be acting on Pyongyang’s behalf. Twenty-five experts, victims, and corporate representatives that Reuters spoke to agreed that the problem was ubiquitous.

“It happens to me all the time and I’m sure it happens to everybody in this space,” said Carlos Yanez, a business development executive at the Switzerland-based blockchain analytics firm Global Ledger, who was among those recently targeted by the thieves, according to data supplied by cybersecurity companies SentinelOne and Validin, who are publishing a report about the cyber campaign, opens new tab on Thursday.

Yanez said that while he avoided getting hacked, the quality of masquerades carried out by North Koreans had improved significantly in the past year. “It’s scary how far they’ve come,” he said.

Although there’s no publicly available estimate of how much money is taken through this tactic alone, North Korean hackers were believed to have stolen at least $1.34 billion worth of cryptocurrency last year, according to blockchain intelligence firm Chainalysis. The U.S. and United Nations monitors have both alleged that Pyongyang uses the thefts to support its sanctioned weapons program.

Watch Reuters breakout it down further:

North Korean hackers are saturating the cryptocurrency industry with credible-sounding job offers as part of their campaign to steal digital cash, according to new research, raw data, and interviews. Ciara Lee rounds up the big crypto stories of the week pic.twitter.com/amIULXyJMJ

— Reuters (@Reuters) September 4, 2025

Earlier in the year, BBC reported North Korea stole nearly $1.5 billion in a massive crypto heist:

Hackers thought to be working for the North Korean regime have successfully converted at least $300m (£232m) of their record-breaking $1.5bn crypto heist to unrecoverable funds.

The criminals, known as Lazarus Group, swiped the huge haul of digital tokens in a hack on crypto exchange ByBit two weeks ago.
Since then, it’s been a cat-and-mouse game to track and block the hackers from successfully converting the crypto into usable cash.
Experts say the infamous hacking team is working nearly 24 hours a day – potentially funnelling the money into the regime’s military development.

“Every minute matters for the hackers who are trying to confuse the money trail and they are extremely sophisticated in what they’re doing,” says Dr Tom Robinson, co-founder of crypto investigators Elliptic.

Out of all the criminal actors involved in crypto currency, North Korea is the best at laundering crypto, Dr Robinson says.

“I imagine they have an entire room of people doing this using automated tools and years of experience. We can also see from their activity that they only take a few hours break each day, possibly working in shifts to get the crypto turned into cash.”

Elliptic’s analysis tallies with ByBit, which says that 20% of the funds have now “gone dark”, meaning it is unlikely to ever be recovered.
The US and allies accuse the North Koreans of carrying out dozens of hacks in recent years to fund the regime’s military and nuclear development.

Join the conversation!

We have no tolerance for comments containing violence, racism, profanity, vulgarity, doxing, or discourteous behavior. If a comment is spam, instead of replying to it please click the icon below and to the right of that comment. Thank you for partnering with us to maintain fruitful conversation.