A North Korean hacker attempted to infiltrate the development ranks of cryptocurrency exchange Kraken under the guise of a candidate for an engineering position.
According to the team's report, the applicant immediately seemed suspicious. He joined the first online interview under a name different from the one on his resume, but quickly changed it. During the conversation, the candidate "periodically changed intonation" as if someone was giving him instructions in real time.
Industry partners warned the company about the likelihood of encountering a spy among potential employees and provided a list of email addresses linked to a group of North Korean hackers. A Kraken candidate used one of the listed addresses when applying.
Exchange specialists initiated an investigation that revealed a network of fake identities and aliases under which the hacker tried to get a job in companies in the crypto industry and other sectors. In some cases, the attacker managed to get the desired position.
Upon closer examination, experts discovered the hacker's attempts to hide his location and forged documents with other people's data.
The team put the spy candidate through several rounds of interviews and background checks to gain insight into his identity and tactics. In the final online meeting, the hacker was asked to show his ID and recommend establishments in the city where he supposedly resides. These routine checks took the applicant by surprise, and he was unable to provide convincing answers.
"Don’t trust, verify. This core crypto principle is more relevant than ever in the digital age. State-sponsored attacks aren’t just a crypto, or U.S. corporate, issue – they’re a global threat. Any individual or business handling value is a target, and resilience starts with operationally preparing to withstand these types of attacks," Nick Percoco, the firm's head of security, commented on the incident.
Kraken specialists noted that as cyber threats evolve, maintaining security relies more and more heavily on a holistic proactive approach:
"A culture of productive paranoia is key."
North Korean Hackers Created Fake Companies to Scam Users
Contagious Interview, a group linked to the North Korean hacking organization Lazarus, has registered three shell companies to distribute malware. This is according to the Silent Push report.
The firms BlockNovas, Angeloper Agency and SoftGlide are being used to deceive users through fake interviews.
Silent Push senior analyst Zach Edwards said the two fictitious companies are registered in the United States.
According to Silent Push, hackers create fake employee profiles using images generated by artificial intelligence. They also steal photos of real people to boost the credibility of their firms.
Analysts reported that attackers find victims through fake job ads on GitHub and freelancing platforms.
During the "interview", the potential victim encounters a video recording error. The solution is a "simple copy-and-paste trick" that leads to a malware download.
Silent Push has identified three types of "infectious" software: BeaverTail, InvisibleFerret, and Otter Cookie. These programs aim to steal information, including cryptocurrency wallet keys.
According to Edwards, the hacking campaign has been going on since 2024, since then FBI liquidated the firm Blocknovas. Among the victims there are well-known public users, the expert noted.
Hackers stole $100,000 from CEO Emblem Vault via Zoom
The head of NFT platform Emblem Vault, Jake Gallen, claimed to have lost more than $100,000 in cryptocurrency due to attackers using Zoom.
According to him, the incident occurred during a video call with a crypto community member who identified himself as the owner of a mining platform.
Gallen reported that scammers installed GOOPDATE malware on his computer. Several cryptocurrency wallets were compromised, resulting in the loss of bitcoins and Ethereum.
Gallen partnered with The Security Alliance (SEAL) to analyze the attack. The company determined that ELUSIVE COMET, a group that uses social engineering to install malware and steal cryptocurrencies, was responsible;
According to Gallen, he got into a Zoom meeting with a crypto-enthusiast with 26,000 subscribers on X. During the video call, the attacker used the remote access feature to install the program.
SEAL experts tested Zoom and confirmed that by default, the platform allows guests to request remote access to the computer.
A researcher under the nickname samczsun told Cointelegraph that for a successful attack, an attacker would need to convince the victim to manually grant such access.
The hackers later hacked into Gallen's X account and tried to use it to lure new victims in private messages. They also gained access to Ledger's hardware wallet, even though Gallen had used it several times over three years.
SEAL experts link the ELUSIVE COMET group to Aureon Capital, which is responsible for "millions of dollars in stolen funds" and poses a significant risk to users because of its "elaborate backstory."