Digital asset infrastructure company Fireblocks said it has disrupted a North Korea-linked job recruitment impersonation scam that was targeting digital assets.
Fireblocks said hackers used fake job interviews to compromise developers and gain access to crypto infrastructure.
According to the firm, the hackers were able to closely resemble a legitimate Fireblocks hiring process and impersonate recruiters, conduct Google Meet interviews and share take-home assignments via GitHub.
“What they’re basically doing is that they are weaponizing a legit interview … to create a very legit and authentic interaction with candidates,” Michael Shaulov, the CEO of Fireblocks, told CNBC.
When candidates ran a routine installation, malware was actually installed, which could expose wallets, keys, and production systems.
Shaulov said the group was targeting engineers based on their LinkedIn profiles, looking for people with “privileged access.”
He said that the firm identified almost a dozen fake profiles that were continuously changing their company brands, and that they believe this scam has been active for the past few years.
“We were able to basically interact with the hackers and basically collect what we call ‘indication of compromise,’ but essentially kind of like the fingerprints of the tools and the weaponry and the malware that they were using in that campaign,” Shaulov said.
Fireblocks worked with LinkedIn and law enforcement to get the profiles taken down, he added.
“Over 99% of the fake accounts we remove are detected proactively before anyone reports them,” a LinkedIn spokesperson said in a statement.
The social media platform targeted to professionals said it is constantly investing in technology to detect “harmful behavior” and has guardrail procedures in place, like in-message warnings when chats move off of LinkedIn and verification badges for recruiters.
Last year, Bybit experienced the largest crypto heist in history when hackers stole $1.5 billion in digital assets from the cryptocurrency exchange.
Analysts at blockchain analysis firm Elliptic linked the attack to North Korea’s Lazarus Group, a state-sponsored hacking collective notorious for siphoning billions of dollars from the crypto industry.
The Lazarus Group’s history of targeting crypto platforms dates back to 2017, when the group infiltrated four South Korean exchanges and stole $200 million worth of bitcoin.
Shaulov, who helped investigate Lazarus Group’s 2017 attacks on crypto platforms, said hackers, especially those tied to North Korea, have been evolving at “lightspeed.”
He said in 2017 and 2018, “It was actually quite easy” to identify them because of grammar mistakes and typos. But now, “it looks like they graduated from [The University of] Oxford.”
“It’s clear that the attackers have become way more sophisticated and way harder to detect because of AI,” Shaulov said.
