Fireblocks just exposed a sophisticated North Korea-linked operation that's turning LinkedIn job interviews into cyber weapons. The digital asset infrastructure company disrupted a recruitment scam that weaponized fake hiring processes to plant malware on crypto developers' machines, potentially exposing wallets, private keys, and production systems. CEO Michael Shaulov says hackers tied to North Korea are evolving at "lightspeed" thanks to AI, making social engineering attacks nearly impossible to detect.
Fireblocks just pulled back the curtain on one of the most sophisticated social engineering operations targeting the crypto industry - and it's hiding in plain sight on LinkedIn. The digital asset infrastructure company disrupted a North Korea-linked recruitment scam that weaponized the entire hiring process to compromise developers and gain access to crypto infrastructure.
Here's how it worked: hackers created fake recruiter profiles that closely resembled legitimate Fireblocks hiring processes. They conducted video interviews via Google Meet, shared take-home coding assignments through GitHub, and maintained authentic conversations throughout. When candidates ran what appeared to be routine installation commands for the coding test, they were actually installing malware that could expose wallets, private keys, and production systems.
"What they're basically doing is that they are weaponizing a legit interview to create a very legit and authentic interaction with candidates," Fireblocks CEO Michael Shaulov told CNBC. The attackers weren't casting a wide net - they were hunting specific targets based on LinkedIn profiles, looking for engineers with "privileged access" to critical crypto infrastructure.
Fireblocks identified almost a dozen fake profiles that continuously changed their company brands, suggesting the operation has been running for years. The company managed to interact directly with the hackers and collect what Shaulov calls "indication of compromise" - essentially the digital fingerprints of the tools, weaponry, and malware used in the campaign. Working with LinkedIn and law enforcement, Fireblocks got the profiles taken down, but the cat-and-mouse game continues.
A LinkedIn spokesperson said in a statement that "over 99% of the fake accounts we remove are detected proactively before anyone reports them." The professional networking platform says it's constantly investing in detection technology and has implemented guardrails like in-message warnings when conversations move off LinkedIn and verification badges for legitimate recruiters.
But the threat is evolving faster than defenses can adapt. The tactics mirror those used by North Korea's notorious Lazarus Group, a state-sponsored hacking collective that's been siphoning billions from the crypto industry. Last year, cryptocurrency exchange Bybit experienced the largest crypto heist in history when hackers stole $1.5 billion in digital assets. Blockchain analysis firm Elliptic linked that attack directly to Lazarus Group.
The group's history of targeting crypto platforms stretches back to 2017, when they infiltrated four South Korean exchanges and stole $200 million worth of bitcoin. Shaulov, who helped investigate those 2017 Lazarus Group attacks, has watched the threat actors evolve in real time. Back in 2017 and 2018, "it was actually quite easy" to identify them because of grammar mistakes and typos, he explained. Now? "It looks like they graduated from Oxford."
That's where AI comes in. "It's clear that the attackers have become way more sophisticated and way harder to detect because of AI," Shaulov said. The technology is allowing nation-state actors to perfect their English, maintain consistent personas across months-long recruitment processes, and create increasingly convincing social engineering attacks. What used to take teams of human analysts to craft now happens at machine speed.
The implications extend far beyond crypto. If North Korean hackers can convincingly impersonate recruiters from major companies, conduct video interviews, and fool experienced developers, the entire hiring process has become a potential attack vector. Every GitHub repository shared in an interview, every npm package installed for a coding test, every video call with a potential employer could be a sophisticated operation designed to compromise enterprise systems.
For crypto companies specifically, the stakes couldn't be higher. The industry holds billions in digital assets that can be transferred instantly and irreversibly. A single compromised developer with access to production wallets or private keys could facilitate heists that dwarf traditional bank robberies. And unlike traditional financial systems with chargebacks and insurance, crypto transactions are final.
The Fireblocks disclosure comes as the crypto industry grapples with an unprecedented wave of sophisticated attacks. Nation-state actors have realized that targeting individual developers through social engineering is often easier than breaking cryptographic protocols or exploiting smart contract vulnerabilities. The human element remains the weakest link, and AI is making it easier than ever to exploit.
Companies are now scrambling to update their security protocols. Some are implementing additional verification steps for new hires, requiring candidates to prove their identity through multiple channels before getting access to sensitive systems. Others are sandboxing all code provided during interviews, running it in isolated environments that can't touch production infrastructure.
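A check a candidate or security team could run on a take-home repository before typing any install command is sketched here as an added example; it is not Fireblocks' tooling or code from the original article. It assumes the assignment is a Node.js project (the article does not say how the install commands delivered the malware), and the function names and sample manifest are hypothetical.

```python
import json
import os

# Scripts that npm runs automatically during a plain `npm install`.
AUTO_RUN_HOOKS = ("preinstall", "install", "postinstall", "prepare")
# Dependency specifiers that fetch code from outside the npm registry.
NON_REGISTRY_PREFIXES = ("git+", "git://", "http://", "https://", "github:", "file:")
DEP_SECTIONS = ("dependencies", "devDependencies", "optionalDependencies")
# Constructed sample manifest, not taken from the campaign described above.
SAMPLE_MANIFEST = """{
  "name": "take-home-exercise",
  "scripts": {"test": "jest", "postinstall": "node scripts/setup.js"},
  "dependencies": {"express": "^4.18.2",
                   "ui-helpers": "git+https://example.invalid/ui-helpers.git"}
}"""

def audit_manifest(manifest_text):
    """Return (kind, name, detail) findings for one package.json, parsed only."""
    manifest = json.loads(manifest_text)
    if not isinstance(manifest, dict):
        return [("unexpected-manifest", "", "top level is not a JSON object")]
    findings = []
    scripts = manifest.get("scripts")
    for hook in AUTO_RUN_HOOKS:
        if isinstance(scripts, dict) and hook in scripts:
            findings.append(("auto-run-script", hook, scripts[hook]))
    for section in DEP_SECTIONS:
        deps = manifest.get(section)
        for name, spec in (deps.items() if isinstance(deps, dict) else ()):
            if isinstance(spec, str) and spec.startswith(NON_REGISTRY_PREFIXES):
                findings.append(("non-registry-dependency", name, spec))
    return findings

def audit_tree(root):
    """Audit every package.json under root; nothing in the repo is executed."""
    report = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        if "package.json" not in filenames:
            continue
        path = os.path.join(dirpath, "package.json")
        try:
            with open(path, encoding="utf-8") as fh:
                findings = audit_manifest(fh.read())
        except (OSError, ValueError) as exc:
            findings = [("unreadable-manifest", path, str(exc))]
        if findings:
            report[path] = findings
    return report

if __name__ == "__main__": print(audit_manifest(SAMPLE_MANIFEST))
```

A clean report says nothing about the assignment's own source code. `npm install --ignore-scripts` skips the flagged hooks, and an isolated environment with no wallets, keys or production credentials is still where the code should run.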
But as Shaulov's comments make clear, the attackers are moving at "lightspeed." For every new defense the industry implements, nation-state actors backed by AI capabilities are finding new ways around them. The job scam Fireblocks disrupted was active for years before detection - raising uncomfortable questions about how many similar operations are still running undetected across the industry.
The Fireblocks disclosure marks a turning point in how the crypto industry thinks about security. It's no longer enough to secure code and infrastructure - companies now need to treat the entire hiring process as a potential attack surface. With AI giving nation-state actors like North Korea's Lazarus Group the ability to impersonate legitimate recruiters at scale, the line between authentic business interactions and sophisticated cyberattacks has effectively disappeared. Every company in crypto - and increasingly in traditional tech - needs to assume that some percentage of their job applicants are actually state-sponsored hackers running reconnaissance. The question isn't whether you'll be targeted, but whether you'll catch it before malware gets deployed.