North Korean Hackers Target Crypto Job Seekers in India
Cisco Talos recently uncovered a North Korean hacking group—dubbed “Famous Chollima”—that’s been going after crypto job applicants in India. Unlike the infamous Lazarus Group, this one seems to operate independently, though their exact motives aren’t entirely clear yet. Were these small-time thefts, or just the first steps toward something bigger? Hard to say. But for now, anyone job hunting in crypto should probably keep their guard up.
A Different Kind of Crypto Threat
North Korea’s no stranger to crypto crime. Lazarus, for instance, pulled off some of the biggest heists in the industry. But they’re not the only ones playing dirty. Over the past year or so, Famous Chollima’s been trying a different angle—instead of hacking companies directly, they’re targeting the people trying to work for them.
According to Cisco Talos, the group’s been active since at least mid-2024. They’ve set up fake job listings, mimicking real crypto firms, and even built phony skill-testing pages. The catch? Applicants are told to run a command on the command line to “install drivers” for the final stage. Of course, that command actually drops malware. Most of the targets so far have been in India.
Clumsy but Effective
Compared to Lazarus, Famous Chollima’s methods seem a bit sloppy. Their fake job ads don’t even bother copying real company branding, and the interview questions often have nothing to do with the supposed role. Still, it’s working.
Here’s how the scam plays out: Victims land on what looks like a legit recruitment site—maybe posing as Robinhood or another big name. They fill out an application, get invited to a “video interview,” and then are instructed to run those malicious commands. Once executed, the malware (called PylangGhost) gives hackers full access to the victim’s system. From there, it scrapes login details, browser data, and—most critically—crypto wallet info from extensions like MetaMask and Phantom.
Why This Matters
BitMEX recently suggested that North Korean hackers often work in tiers—lower-skilled teams breach initial defenses, while more advanced groups handle the actual theft. Maybe Famous Chollima fits into that first category. Or maybe they’re just testing new tactics. Either way, the takeaway’s the same: be skeptical.
If you’re job hunting in crypto, double-check those “opportunities.” Don’t run random commands, even if they seem harmless. And maybe keep an eye on your browser extensions—some extra security never hurts.
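One way to keep an eye on those extensions, as an added example that is not from the original article or from Cisco Talos: the script below inventories a Chromium-style `Extensions` directory and flags wallet extensions such as MetaMask and Phantom, so you know which machines hold wallet data before you use them for job applications. The `<id>/<version>/manifest.json` layout, the `WALLET_NAMES` watchlist and the function names are assumptions of this example.

```python
import json
import sys
from pathlib import Path

# Wallets named in the article; extend to suit (assumed watchlist).
WALLET_NAMES = ("metamask", "phantom")

def _display_name(ext_dir, manifest):
    """Resolve the manifest name, following __MSG_key__ into _locales."""
    name = str(manifest.get("name", ""))
    if name.startswith("__MSG_") and name.endswith("__"):
        key = name[6:-2].lower()  # message keys are matched case-insensitively
        locale = str(manifest.get("default_locale", "en"))
        msg_file = ext_dir / "_locales" / locale / "messages.json"
        try:
            messages = json.loads(msg_file.read_text(encoding="utf-8-sig"))
        except (OSError, ValueError):
            return name  # keep the placeholder if it cannot be resolved
        if isinstance(messages, dict):
            for k, v in messages.items():
                if k.lower() == key and isinstance(v, dict):
                    return str(v.get("message", name))
    return name

def audit_extensions(extensions_root):
    """Return one record per installed extension version under the root."""
    found = []
    for path in sorted(Path(extensions_root).glob("*/*/manifest.json")):
        try:
            manifest = json.loads(path.read_text(encoding="utf-8-sig"))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip it
        if not isinstance(manifest, dict):
            continue
        name = _display_name(path.parent, manifest)
        found.append({
            "id": path.parent.parent.name,  # directory named after the extension id
            "name": name,
            "version": str(manifest.get("version", "?")),
            "is_wallet": any(w in name.lower() for w in WALLET_NAMES),
        })
    return found

if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for ext in audit_extensions(root):
        flag = "WALLET" if ext["is_wallet"] else "      "
        print(flag, ext["id"], ext["name"], ext["version"])
```

Pass it the path to a browser profile's `Extensions` folder; a flagged entry on a machine used for interviews is a reason to move the wallet to a separate browser profile or device.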
For now, though, all we know is that North Korea’s cybercriminals are getting creative. And that’s never good news.