North Korean state-backed hackers are actively targeting developers, particularly those working in the cryptocurrency and Web3 spaces, through a sophisticated recruitment scam, according to recent cybersecurity research. The hackers pose as recruiters on professional networking sites like LinkedIn and job boards, offering attractive positions that require candidates to complete a coding challenge.
The scheme centers around embedding malicious code within seemingly legitimate programming tasks. Once executed by the candidate on their personal computer, the code silently installs malware, granting the hackers access to the developer’s system. This method bypasses traditional security measures by leveraging the trust inherent in the hiring process, according to a report published by ReversingLabs.
The attacks are not reliant on typical phishing tactics like suspicious links or emails. Instead, they mimic standard recruitment workflows, making it tough for developers to identify the threat. A developer accustomed to technical assessments during recruitment has no obvious reason to be suspicious, researchers say.
The primary targets appear to be those involved in cryptocurrency and blockchain technologies, a logical focus given North Korea’s documented use of cryptocurrency theft and blockchain hacks to fund its economy. The hackers are linked to groups like Lazarus, known for previous cyberattacks and data breaches, and are utilizing JavaScript-based malware in these campaigns, according to GBHackers.
These operations extend beyond simple malware installation. Hackers are also reportedly stealing code and credentials, and covertly generating revenue for the North Korean regime through these compromised systems. The scheme is described as a “Contagious Interview” campaign, abusing the developer hiring workflow to achieve its objectives.
Security experts advise developers to exercise extreme caution and never execute code from unverified sources, even if presented as part of a legitimate job application process. Verifying the recruiter’s identity through official company channels before engaging with any coding challenge is also strongly recommended. The increasing sophistication of these tactics highlights the evolving threat landscape faced by the technology sector.
As of February 27, 2026, no official statement has been released by any government agency regarding specific countermeasures or investigations into these attacks. ReversingLabs has stated that it is continuing to monitor the activity of these threat actors and will release further details as they become available.