A new online scam is targeting people who work in the cryptocurrency industry, using fake job offers and interviews to trick them into installing harmful software on their devices.
According to a report by cybersecurity researchers at Cisco Talos, the attack involves a new type of malware called PylangGhost. It is a remote access tool also known as a trojan, built using the Python programming language. Once installed, it allows attackers to secretly control the victim’s computer and steal private data like passwords and session cookies.
The people behind the scam are believed to be tied to North Korean hacking groups, who have been linked to several past cryptocurrency-related cybercrimes. This time, they are pretending to be recruiters from well-known companies like Coinbase, Uniswap, and Robinhood to appear trustworthy.
How the Scam Works
The attackers set up fake job websites that look like they belong to real crypto companies. They then contact professionals in the industry, especially those with experience in blockchain development and invite them to apply for jobs.
Victims are asked to complete technical assessments and share personal details, believing it's part of the interview process. Later, they’re told to prepare for a video interview and are asked to install what is described as a “video driver” to improve camera quality. However, this download is actually the PylangGhost malware.
Once installed, the software can:
1. Steal login credentials from over 80 browser extensions (such as MetaMask, Phantom, and 1Password).
2. Allow attackers to access and control the computer remotely.
3. Stay hidden and continue running even after a system reboot.
Real-World Examples
Researchers say this method has already been used in India and other countries. Similar scams in the past included fake companies like “BlockNovas LLC” and “SoftGlide LLC,” which were created to look legitimate. In one case, the FBI had to shut down one of these websites.
In another incident, engineers at the crypto exchange Kraken discovered that one job applicant was a North Korean hacker. The person was caught when they failed basic identity checks during an interview.
The malware also has a history. PylangGhost is the Python version of an earlier program called GolangGhost, which was used to target macOS systems. The newer version is now aimed specifically at Windows users, while Linux systems appear unaffected for now.
Security Experts Call for Action
Cybersecurity experts in India say this growing threat should be taken seriously. Dileep Kumar H V, director at Digital South Trust, has recommended:
• Regular cybersecurity audits for blockchain firms.
• Stronger legal protections under India’s IT Act.
• National awareness campaigns and better monitoring of fake job portals.
He also stressed the need for international coordination, urging agencies like CERT-In, MEITY, and NCIIPC to work together with global partners to counter these attacks.
Why It Matters
These scams reflect a shift in tactics and deployment of new technologies, from hacking exchanges to targeting individuals. By stealing credentials or gaining insider access, attackers may be trying to infiltrate companies from within. As the crypto industry continues to expand and transcend boundaries, so do the risks, thus making awareness and vigilance more critical than ever.
