How North Korean Hackers Used Fake Job Interviews to Infiltrate AI, Crypto & Finance Firms
2026-01-23
North Korean-linked hackers are increasingly turning to fake job interviews as a way to infiltrate companies operating in artificial intelligence, cryptocurrency and financial services.
Rather than attacking systems directly, these groups exploit recruitment processes and human trust. This shift shows how cyber threats in the crypto sector are becoming more subtle and personal.
Key Takeaways
- More than 3,100 IP addresses linked to AI, crypto and finance firms were targeted
- Fake recruiters used interview tasks to deliver malicious code
- Job seekers unknowingly exposed corporate systems during hiring processes
A New Cyber Threat Hidden Inside Job Interviews
Security researchers from Recorded Future’s Insikt Group identified a large-scale operation known as PurpleBravo, which focused on recruitment rather than traditional cyber attacks. The campaign targeted job seekers applying for roles at technology, crypto and finance-related companies across multiple regions.
Hackers posed as legitimate recruiters or developers and contacted candidates with realistic job offers. The conversations appeared professional and credible, often involving technical discussions that matched the candidate’s background and experience.
As part of the interview process, candidates were asked to complete coding assessments, review source code or clone GitHub repositories. These tasks are common in technical hiring, which made the requests seem routine and harmless.
In several cases, candidates completed the assessments on company-issued devices. When malicious code was executed, it created access points into corporate systems, exposing far more than just the individual user.
How Malicious Developer Tools Were Used
PurpleBravo relied heavily on malicious developer tools disguised as legitimate projects. Fraudulent GitHub repositories were designed to look authentic, complete with documentation and structured code.
Once opened, these repositories deployed malware such as BeaverTail, GolangGhost and PylangGhost. These tools were capable of stealing browser credentials, cookies and sensitive session data across multiple platforms.
One of the more advanced techniques involved Microsoft Visual Studio Code. Attackers embedded malicious commands into configuration files that executed automatically once the user trusted the repository.
This method allowed attackers to gain remote access without triggering immediate suspicion. GolangGhost supported multiple operating systems, while PylangGhost focused on Windows devices, increasing the campaign’s reach.
Fake Personas and Global Supply Chain Risks
To support the campaign, attackers created fake online personas across platforms such as LinkedIn, GitHub and freelance marketplaces. These profiles were carefully maintained to appear credible and active.
Many personas claimed to be based in Odessa, Ukraine, although researchers could not determine why this location was chosen. Despite this, the identities were used consistently across different platforms.
Job seekers from South Asia were frequently targeted, while the attackers presented themselves as representatives of crypto or technology firms. Some fake projects even promoted token-based initiatives supported by Telegram channels filled with bots and malicious links.
The wider concern lies in supply chain exposure. A single compromised developer can unintentionally provide attackers access to customer data, internal systems or partner networks.
Conclusion
The PurpleBravo campaign highlights how cyber threats have evolved beyond technical exploits and now focus heavily on human behaviour. By abusing recruitment processes and trusted developer tools, North Korean hackers gained access to companies in crypto, AI and finance sectors.
The scale and reach of this operation underline the importance of caution during hiring and remote work. Stronger verification, limited trust and increased awareness are now essential to protecting sensitive systems in the digital economy.
FAQ
What is the PurpleBravo campaign?
It is a North Korean-linked cyber operation that uses fake job interviews to distribute malware.
Which industries were targeted?
Cryptocurrency, artificial intelligence, financial services and technology sectors.
How did victims become infected?
Victims ran malicious code during interview-related coding tasks.
Why is this attack difficult to detect?
It uses trusted tools and normal hiring workflows instead of obvious exploits.
What is the biggest risk for companies?
Disclaimer: This article is for informational purposes only and does not constitute financial, investment or cybersecurity advice. Readers should conduct independent research and consult professionals before making decisions related to digital assets or security practices.





