June 20, 2025

A sophisticated cyber campaign linked to North Korea’s state-sponsored Lazarus Group is actively targeting major cryptocurrency companies by embedding malware in fake job application documents, according to new findings from multiple cybersecurity firms.

This latest operation, dubbed “Operation Dream Job Redux”, represents a dangerous evolution of tactics used by North Korean hackers to infiltrate high-value targets in the digital asset sector—where billions of dollars in crypto assets remain only a few lines of code away from theft.

Malware Disguised as Resumes

Researchers at Mandiant and Chainalysis have traced a recent wave of attacks to malicious files disguised as resumes for software engineering and blockchain development roles. These files, often appearing as PDFs or Microsoft Word documents, are sent directly to HR departments or hiring managers at top crypto firms—posing as applications from candidates with high-profile credentials, including fake stints at Google, Binance, or Coinbase.

Once opened, the files quietly install remote access trojans (RATs) or other malware that gives attackers access to sensitive internal systems, including wallet infrastructure, code repositories, and employee credentials.

“These are not amateur phishing attempts,” said Lena Ryu, Senior Threat Analyst at Mandiant. “The documents are well-crafted, tailored to the job description, and carry a payload designed to silently exfiltrate sensitive data over days or weeks.”

A National Strategy of Cyber Theft

The campaign is believed to be an extension of North Korea’s broader state-driven strategy to steal crypto assets and fund its weapons programs amid crippling international sanctions. The Lazarus Group, officially sanctioned by the U.S. Treasury, has been implicated in some of the most notorious crypto heists in recent history, including the $625 million Ronin Bridge exploit and the $100 million Harmony hack.

According to Chainalysis, North Korean-linked hackers stole over $1.7 billion in crypto in 2022, and their techniques have only grown more refined since then.

“This is about economic warfare,” said David Carlisle, Director of Policy at Elliptic. “Crypto is a soft target, and these actors are playing the long game with social engineering, malware, and strategic timing.”

Crypto Industry on High Alert

The revelations have triggered fresh warnings across the global blockchain industry. Major exchanges, wallet providers, and DeFi platforms are being advised to:

  • Conduct deep forensics on recent resume and document submissions.

  • Implement sandbox environments for document handling.

  • Increase employee cybersecurity awareness training, especially for HR and recruiting teams.
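As a concrete first step toward the sandboxing and forensics advice above, here is an added triage example (not code from the article or from any firm it cites) that flags incoming resume documents that carry features a plain resume never needs, so they can be routed to a sandbox rather than opened on an HR desktop. The marker lists and the constructed sample files are assumptions made for the example; they are a cheap static pre-filter, not a substitute for behavioral analysis.

```python
import io
import re
import zipfile
# Package members an ordinary resume never needs: VBA projects and OLE embeddings (assumed heuristics).
OOXML_FLAGS = {"vba-macro": re.compile(r"vbaProject\.bin$"), "embedded-object": re.compile(r"^word/embeddings/")}
# An external relationship (remote template, linked OLE) can pull code at open time.
EXTERNAL_REL = re.compile(rb'TargetMode="External"')
# PDF keywords that run actions on open; benign resumes rarely contain them.
PDF_FLAGS = [b"/JavaScript", b"/JS", b"/OpenAction", b"/AA", b"/Launch", b"/EmbeddedFile"]


def triage_docx(data: bytes) -> list:
    """Return risk flags found in an Office Open XML (.docx/.docm) package."""
    flags = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for name in zf.namelist():
                for label, pat in OOXML_FLAGS.items():
                    if pat.search(name) and label not in flags:
                        flags.append(label)
                if name.endswith(".rels") and EXTERNAL_REL.search(zf.read(name)) \
                        and "external-relationship" not in flags:
                    flags.append("external-relationship")
    except zipfile.BadZipFile:
        flags.append("not-a-valid-ooxml-package")  # renamed or non-Office file
    return flags


def triage_pdf(data: bytes) -> list:
    """Return action keywords present in raw PDF bytes. First pass only: keywords
    inside compressed streams or hex-escaped names need a real PDF parser."""
    return [kw.decode() for kw in PDF_FLAGS if kw in data]


def should_sandbox(filename: str, data: bytes) -> bool:
    """True if the submission should be detonated in a sandbox instead of opened on a desktop."""
    if filename.lower().endswith((".docx", ".docm", ".dotm")):
        return bool(triage_docx(data))
    return bool(triage_pdf(data)) if data.startswith(b"%PDF") else True  # unknown type: sandbox it


def build_sample_docx(malicious: bool) -> bytes:
    """Constructed sample package; the malicious variant adds a VBA project and a remote template."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/document.xml", "<w:document/>")
        if malicious:
            zf.writestr("word/vbaProject.bin", b"\x00")
            zf.writestr("word/_rels/settings.xml.rels",
                        '<Relationship Target="http://template.invalid/x.dotm" TargetMode="External"/>')
    return buf.getvalue()


# Constructed sample PDF whose catalog runs JavaScript as soon as it is opened.
SAMPLE_PDF = b"%PDF-1.7\n1 0 obj << /Type /Catalog /OpenAction << /S /JavaScript /JS (x) >> >> endobj"
```

Anything that comes back flagged is a candidate for the deeper forensics and sandbox detonation the industry guidance calls for; a clean result only means the cheap checks passed.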

One executive at a U.S.-based crypto infrastructure firm, speaking anonymously, said they recently detected an attempted breach linked to a fake application from a “senior engineer” claiming to have worked on Ethereum scaling solutions.

“It was incredibly detailed,” the executive said. “The malware only revealed itself through behavioral analysis. Without our internal red team, it could have gone unnoticed for weeks.”

A Broader Pattern of Infiltration

This isn’t the first time North Korea has weaponized fake job postings or recruitment ploys. Previous attacks have involved creating fake LinkedIn profiles, impersonating tech recruiters, or hijacking legitimate hiring platforms to approach targets. But the recent strategy shows a new level of precision and patience.

Cybersecurity firm SentinelOne reports that some of the malicious documents even pass standard antivirus checks and only deploy their payload when the document is actively edited or viewed in full-screen mode.

“This is cyber espionage with surgical precision,” said Dr. Marcy Jung, a cybersecurity researcher at NYU. “They’re not just targeting wallets—they’re targeting trust within organizations.”