Fireblocks Exposes North Korean Hackers Running Fake Crypto Job Scam - Blockchain.News

Fireblocks Exposes North Korean Hackers Running Fake Crypto Job Scam

Darius Baruo Jan 22, 2026 15:31

Fireblocks security team disrupts Lazarus Group-linked recruitment scam targeting crypto developers with malware disguised as coding assignments.

North Korean hackers have been impersonating Fireblocks recruiters on LinkedIn to infect crypto developers with malware, according to a detailed investigation published by the digital asset infrastructure firm on January 22, 2026.

The campaign, dubbed "Operation Contagious Interview," used fake job postings, polished PDF documents, and even live video interviews to build trust before delivering malware through what appeared to be routine coding assignments.

How the Attack Worked

Attackers created convincing LinkedIn profiles posing as Fireblocks executives, recruiters, and hiring managers. The profiles featured realistic work histories, professional photos, and networks aligned with blockchain and technical roles.

Once contact was established, targets received clean, professionally formatted PDFs describing a fictitious project called "Fireblocks Poker Platform." The scammers even built detailed Figma boards to reinforce legitimacy—and notably avoided the typos and grammatical errors that typically flag phishing attempts.

The operation showed how closely attackers were tracking their targets. Fake project materials referenced Fireblocks' acquisition of Dynamic and used the company's latest branding, both announced just weeks before the campaign surfaced.

Video interviews conducted via Google Meet followed standard hiring protocols. Interviewers asked about professional experience and compensation expectations before assigning a "code review task." Then they abruptly ended calls, citing other meetings.

The trap was sprung when candidates cloned a GitHub repository and ran npm install—standard developer workflow steps that triggered malicious code execution. The campaign also used "EtherHiding," a technique that leverages blockchain smart contracts to host command-and-control infrastructure, making the malware harder to take down.

Lazarus Group Fingerprints

Fireblocks' security research team linked the tradecraft to APT 38, the North Korean threat actor commonly known as the Lazarus Group. The investigation also connected the campaign to a previous scam impersonating Multibank Group that used a similar fake poker platform lure.

The objective? Financial theft through stolen credentials, private keys, seed phrases, and access to development environments. When victims run malicious code on company devices, attackers gain footholds into organizational systems—making developers particularly valuable targets.

Fireblocks identified 12 fake personas used across the campaign, including "Agnes Gonzales," "Neira Cenuvieth," and "Roman Creed." Red flags included personal email addresses for corporate recruitment, Calendly links on personal domains, AI-generated profile content, and LinkedIn accounts with minimal historical activity that suddenly became active.

What Got Them Caught

The campaign unraveled when multiple job seekers contacted Fireblocks employees directly, asking about the "Fireblocks Poker Platform" project. Those inquiries were escalated to the security team, which validated the impersonation and reported profiles to LinkedIn for takedown. Malicious repositories were also removed.

Fireblocks, which has secured over $10 trillion in digital asset transfers across 550 million wallets according to company data, coordinated with intelligence partners and law enforcement to limit follow-on attempts.

For anyone job hunting in crypto: verify all recruiter outreach against official company careers pages. Legitimate Fireblocks recruiters use verified LinkedIn profiles authenticated with company email addresses. If someone asks you to clone a repo and run install commands during an interview process, that's worth a second look—even when everything else seems professional.
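One way to take that second look before running any install command, as an added example that is not from Fireblocks' investigation or the campaign's repositories: it lists the scripts a plain npm install would run automatically and the dependencies fetched from outside the npm registry. The article does not say which mechanism the malicious repository used, so treating install-time scripts as the trigger is an assumption, and the sample manifest is constructed.

```python
import json
import re
from pathlib import Path

# Scripts that npm runs automatically during a plain `npm install` in a project.
INSTALL_HOOKS = ("preinstall", "install", "postinstall",
                 "prepublish", "preprepare", "prepare", "postprepare")
# Dependency specs that are fetched from somewhere other than the npm registry.
NON_REGISTRY = re.compile(r"^(git\+|git:|https?:|github:|file:|[\w.-]+/[\w.-]+)")
DEP_FIELDS = ("dependencies", "devDependencies", "optionalDependencies")

# Constructed sample manifest; names and URL are placeholders, not campaign data.
SAMPLE = """{
  "name": "review-task",
  "scripts": {
    "start": "node server.js",
    "prepare": "node ./config/setup.js"
  },
  "dependencies": {
    "express": "^4.19.2",
    "ui-helpers": "git+https://git.example.invalid/someone/ui-helpers.git"
  }
}"""

def audit_manifest(text):
    """Return (kind, name, value) findings for one package.json document."""
    manifest = json.loads(text)
    scripts = manifest.get("scripts") or {}
    findings = [("install-hook", h, scripts[h]) for h in INSTALL_HOOKS if h in scripts]
    for field in DEP_FIELDS:
        for name, spec in (manifest.get(field) or {}).items():
            if NON_REGISTRY.match(str(spec)):
                findings.append(("non-registry-dep", name, spec))
    return findings

def audit_repo(root):
    """Audit every package.json under root; a manifest that cannot be parsed is a finding."""
    report = {}
    for path in sorted(Path(root).rglob("package.json")):
        try:
            found = audit_manifest(path.read_text(encoding="utf-8"))
        except (ValueError, TypeError, AttributeError, OSError) as exc:
            found = [("unreadable", path.name, str(exc))]
        if found:
            report[str(path.relative_to(root))] = found
    return report

if __name__ == "__main__":
    print(*audit_manifest(SAMPLE), sep="\n")
```

Reading the manifest this way executes nothing from the repository. When installation is still needed, npm install --ignore-scripts skips these hooks.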
