
North Korean Hackers Target Indian Crypto Job Seekers with Fake Offers

North Korean Hackers Target Crypto Job Seekers in India

Cisco Talos recently uncovered a North Korean hacking group—dubbed “Famous Chollima”—that’s been going after job applicants in India’s crypto space. Oddly enough, they don’t seem to be directly tied to Lazarus, the country’s more infamous cybercrime unit.

What’s unclear is whether these attacks are just small-time thefts or the early stages of something bigger. Either way, if you’re job hunting in crypto right now, it might be worth double-checking who’s reaching out to you.

Not Just Lazarus

Lazarus gets most of the attention when it comes to North Korea’s crypto hacks—and for good reason. They pulled off some of the biggest heists in the industry. But they’re not the only ones playing this game. North Korea’s cybercriminal networks run deep, and Famous Chollima is proof of that.

This group isn’t exactly new. Reports suggest they’ve been active since at least mid-2024, maybe earlier. Their approach is different, though. While Lazarus has been known to pose as job seekers to infiltrate crypto firms, Famous Chollima flips the script. They set up fake job postings to lure applicants instead.

According to Cisco Talos, the group creates phony job ads and skill-testing pages. At some point, applicants are told to run a command-line instruction—supposedly to install drivers for a final test. In reality, it’s malware. Most of the targets? People in India.

A Clumsier Approach

Compared to Lazarus, Famous Chollima’s methods seem a bit sloppy. Their fake job postings mimic real crypto companies, but they don’t bother with accurate branding or even relevant job questions. It’s almost like they’re not trying very hard.

But here’s the scary part: it still works. Victims apply through what looks like a legit recruitment site, get invited to a video interview, and then are tricked into running malicious commands. The malware—called PylangGhost—gives hackers full access to the victim’s system. From there, they can steal login details, browser data, and crypto wallet info from extensions like MetaMask and Phantom.

Why This Matters

BitMEX recently pointed out that Lazarus often uses two teams: one to break in and another to carry out the actual theft. Maybe Famous Chollima operates the same way. Or maybe they’re just testing the waters before a bigger attack. It’s hard to say for sure.

Either way, the takeaway is simple: be careful. If a job offer seems too good to be true, it probably is. Don’t run random commands from a recruiter, and keep your security tight—endpoint protection, multi-factor authentication, and monitoring browser extensions can help.

And before you hand over any personal info, make sure the job portal is real. A quick search or a call to the company could save you a lot of trouble.
