Hackers Target Crypto Job Applicants Through GitHub And Freelancer Websites

In a fresh twist on a familiar scam, the Lazarus Group, a North Korea–linked hacking collective, has been preying on would-be crypto developers via freelancer platforms and GitHub job listings. The activity can be traced back to at least November 2023, when Palo Alto Networks Unit 42, a cybersecurity research company, first wrote about it, dubbing the activity CL-STA-240 Contagious Interview campaign. The latest report on the matter comes from Silent Push . According to the Virginia-based cyber-intelligence firm, Lazarus has set up three shell consulting companies – BlockNovas, Angeloper Agency, and SoftGlide – to lure candidates into downloading malware. Attackers pose as legitimate crypto consultancies, publishing job ads that promise high pay and remote flexibility. Applicants are invited to record a short introduction video. When candidates hit “record,” an innocuous “error” message pops up with a simple copy-and-paste fix, which quietly installs one of three malicious strains – BeaverTail, InvisibleFerret, or OtterCookie – on the victim’s device. Malpedia describes the first of the three as “a JavaScript malware primarily distributed through NPM packages (…) designed for information theft and to load further stages of malware, specifically a multi-stage Python-based backdoor known as InvisibleFerret.” The database doesn’t provide further clarification on the two other strains. The fake companies aim to boost their credibility by showcasing dozens of AI-generated “team member” profiles – some slightly tweaked from real photos – to populate fake LinkedIn and freelancer accounts. Two of the shell firms are legally registered in the US, and, as per SilentPush, they have been actively conducting the scam since 2024. The FBI has already seized the BlockNovas domain, although SoftGlide and Angeloper Agency remain live. Silent Push has identified two developers who fell prey to the scam. The first victim, nicknamed “topninja,” detailed in a post on Dev.to how they were led to compromise their MetaMask Wallet after accepting a new project on Freelancer.com. Topninja also shared the malicious code containing a request to lianxinxiao[.].com – a BeaverTail distributing domain. In March, at least three crypto founders foiled fake Zoom calls aimed at stealing private keys. Cybersecurity experts urge job seekers to verify company credentials, double-check URLs, and think twice before hitting “copy-paste” on unexpected prompts.