
A screenshot from my Zoom call with “Anthony Lander.”
“Tell me about yourself, about your background?”
That’s how my technical job interview started with a company whose website said it was “Building the future of decentralized finance and blockchain infrastructure.”
They were looking to hire a full stack software engineer, but didn’t seem to care that my LinkedIn profile described me as a journalist who investigates digital deception. And that I have zero engineering experience.
I joined a Zoom call with two men. One, Anthony Lander, said he was based in Miami and spoke Spanish and English. He explained that I’d be asked to do a live coding exercise “to see how you work, how you think, how you approach the real problems.”
The exercise served as the culmination of a sophisticated global hiring scam. As soon as a candidate began working with code, a hidden back door quietly exfiltrated their passwords and crypto wallets. A victim who captured and evaluated the malware described its design to me as “beautiful, simple and clean.”
It was also North Korean, according to an Indicator investigation corroborated by two security experts, the Google Threat Intelligence Group, and analysis of two cryptocurrency wallets by TRM Labs.
The operation provides a rare window into how some North Korean hacking teams behind what the security industry calls Contagious Interview — a years-long campaign that uses fake job offers to deliver malware to tech workers — are moving beyond spray-and-pray link spam into something more elaborate and convincing.
The hackers recruited unwitting freelancers in the Philippines, Nigeria, Colombia, and Bangladesh to put a human face on the scheme. The workers conducted video interviews, managed candidate pipelines, used an internal Slack, and fielded questions from suspicious applicants. One man, who has a day job as a government employee in Bangladesh, was apparently hired to obtain LinkedIn profiles for the operation. The hackers paid them in crypto, provided scripts, and coached them on how to seem more professional. The boss, who used a variety of names and communicated in stilted English, never showed his face or joined a phone conversation.
Nick Carlsen, a senior investigator with TRM Labs and a former FBI intelligence analyst who investigated DPRK hackers, said the operation showcases "the growing sophistication of what North Korea is doing across multiple different groups."
It exemplifies how large-scale digital deception increasingly converges with human exploitation. Investment and romance scams often rely on forced laborers who have been trapped inside compounds in Cambodia and elsewhere. They've been tricked into scamming victims via messaging, social, and dating apps. Russia and Iran use digital platforms to recruit witting and unwitting people in Europe and elsewhere to commit acts of vandalism, sabotage, and, in some cases, espionage. Such incidents sow discord in the West, and provide fodder for online information operations.
North Korea also recruits people to assist with its criminal operations. In the most famous example, DPRK hackers recently stole nearly $300 million via a months-long scheme that included sending real people to a conference and “building profiles, both personal and professional, that could withstand scrutiny during a business or counterparty relationship,” according to a statement from Drift, the crypto company that was targeted.
Recruiting real-world intermediaries is less common in Contagious Interview operations. This hiring scam signals a new, more effective approach that, as Carlsen put it, uses “unwitting or witting foreign facilitators to convince targets of the legitimacy of what they're doing.”
Prior to my job interview, I'd tracked the hiring scam as it transitioned from one fake company to another, using names like Genusix Labs and Keras Labs and impersonating Kuru Labs, a real crypto company. I spoke to six workers and obtained screenshots, documents, code, crypto payment addresses, and internal communications.
I shared materials and code with Marcus Hutchins, the principal threat researcher for Expel who recently published research about a Contagious Interview group.
“I would say it is almost certainly North Korean, as likely as it can be while still leaving a margin of error,” he told me.
The Google Threat Intelligence Group reviewed some of Indicator's findings and also assessed that they were consistent with “a North Korean threat cluster.”
“GTIG identified overlaps with a group we track as UNC5975, which is a financially-motivated North Korean threat cluster that primarily targets blockchain and cryptocurrency-related entities,” said a statement from GTIG spokesperson Mark Karayan.
The hackers used at least one Google account to create documents, including a spreadsheet that tracked which candidates had been interviewed. Other companies whose products were abused by the hackers declined to say whether they saw evidence of DPRK activity, including LinkedIn, Hostinger, and Telegram.
“It's fascinating how elaborate they’re getting with these schemes,” Hutchins said. “I wouldn't have thought hosting a whole interview framework would have boosted infection rate. But they’re hiring a lot of people and investing in a lot of infrastructure.”
In the interest of sharing information with the security community, I created a disclosure package that summarizes the IOCs and other elements of the operation. It’s free to access.

