A group of hackers from North Korea, known as Famous Chollima, has been found impersonating recruiters from major crypto companies like Coinbase and Robinhood to distribute spyware through fraudulent job interviews.
The campaign is part of a broader cyber offensive linked to the Lazarus Group, which has reportedly laundered billions of dollars in stolen cryptocurrency over the past year.
According to security firm Rhyno, the attackers initiate contact by posing as recruiters on social media, targeting job seekers in the cryptocurrency and tech sectors.
Victims are invited to participate in video interviews conducted on a fake video platform.
As part of the process, they are asked to record a self-introduction.
When victims attempt to activate their webcam, an error message appears. At this point, the attackers instruct them to run a terminal command to “fix” the issue.
In reality, the command installs a spyware tool known as GolangGhost, along with a secondary module called FROSTYFERRET, which captures the password the victim enters and uploads it to a Dropbox folder controlled by the attackers.
Once installed, GolangGhost enables attackers to silently gain remote access to the victim’s system.
Its capabilities include:
In May 2025, Cisco Talos Intelligence Group reported that the attackers began deploying a Python-based variant of GolangGhost to target Windows systems more effectively.
This version offers the same range of capabilities, giving hackers full control of infected devices, allowing them to steal crypto wallets, exfiltrate personal and corporate data, and execute commands in real time.
This campaign is the latest in a series of increasingly sophisticated attacks by North Korea’s alleged state-sponsored hacking units.
Over the past year, the Lazarus Group has been linked to several major cryptocurrency heists, including a $1.5 billion exploit of Bybit and a $236 million breach of WazirX, according to blockchain investigator ZachXBT.
ZachXBT also reports that the group uses Tron’s low-fee blockchain network to move stablecoins like USDT, which makes the stolen funds difficult to trace and freeze.
These channels have reportedly become a “safe haven” for laundering, with estimates suggesting that between $5 billion and $10 billion in illicit funds have flowed through them.