North Korean crypto hackers are evolving their tactics, using increasingly deceptive social engineering techniques to target the Web3 community. Once notorious for fake job offers and malware-laced investment pitches, these cybercriminals are now perfecting their schemes through coordinated, AI-driven operations.
According to cybersecurity firm Kaspersky, the BlueNoroff Advanced Persistent Threat (APT) group, a sub-branch of the infamous Lazarus Group, has launched two ongoing campaigns known as GhostCall and GhostHire. Both share the same infrastructure but approach crypto firms from different angles. GhostCall targets Web3 executives by posing as investors, while GhostHire lures blockchain developers with lucrative fake job opportunities. The ultimate goal remains the same: tricking victims into downloading malicious software disguised as legitimate applications like Zoom or Microsoft Teams.
What sets these new campaigns apart is their sophistication. In addition to targeting operating systems commonly used by crypto professionals, hackers now leverage AI-generated content and stolen digital assets from previous failed attacks. These include hijacked social media accounts, recycled video calls, and even deepfaked visuals of real industry executives—making the scams appear far more authentic.
This improved coordination allows North Korean hackers to weaponize their past failures, using fragments of real interactions to manipulate new victims. Experts warn that even those who avoid direct infection could have their likeness or credentials exploited in future attacks.
The rise of GhostCall and GhostHire underscores a growing cyber threat to the global crypto ecosystem. As hackers continue to blend AI tools with social engineering, vigilance is crucial. Crypto professionals are urged to verify every contact, avoid downloading unverified files, and remain skeptical of unsolicited investment or recruitment offers.