North Korean Hackers Weaponize Job Interviews in a Global Cyber Campaign
North Korean hackers used fake job interviews to compromise over 3,100 IPs, targeting crypto and AI firms through sophisticated social engineering.
A new investigation has revealed how North Korean cyber operatives are transforming one of the most routine processes in modern business into a highly effective attack surface. According to researchers at Recorded Future’s Insikt Group, a coordinated campaign built around fake job interviews successfully reached more than 3,100 IP addresses and at least 20 organizations across multiple continents, with a particular focus on companies operating in cryptocurrency, artificial intelligence, and advanced technology.
The operation, tracked as PurpleBravo and also referred to as Contagious Interview, relied on deception rather than technical exploits alone. Threat actors posed as recruiters on professional networking platforms, primarily LinkedIn, using polished personas, AI-generated profile images, and fabricated corporate websites. Victims were drawn into what appeared to be legitimate hiring processes, complete with interviews and technical assessments, before being instructed to download coding projects hosted on GitHub.
Those files were anything but benign. Security analysts identified malicious Microsoft Visual Studio Code projects that delivered backdoors such as BeaverTail, a JavaScript-based information stealer, and GolangGhost, a Go-based remote access tool. The danger escalated when candidates completed these tasks on company-issued devices, a scenario that effectively bypassed perimeter defenses and introduced malware directly into corporate environments. As Recorded Future noted, this approach shifted risk from the individual job seeker to entire organizations.
Kenneth Kinion, chief executive of Validin, explained why the tactic has proven so effective. By targeting people actively seeking employment, attackers eliminate many of the usual warning signs. The process feels legitimate, personal, and time-sensitive, creating conditions where victims are less likely to question instructions that would otherwise raise red flags.
The campaign’s reach was global. Victims were identified in Belgium, Italy, the Netherlands, the United Arab Emirates, Vietnam, and several other countries, with the highest concentration of targeted IP addresses in South Asia and North America between August 2024 and September 2025. Researchers believe the confirmed cases represent only a fraction of the total impact, particularly given the supply chain risks posed by compromised technology firms with large client bases.
Behind the scenes, the technical infrastructure reflected a high level of operational maturity. The attackers managed multiple command-and-control networks spread across 17 hosting providers, administering them through Astrill VPN connections associated with Chinese IP ranges. Investigators observed operators working from China, Russia, and Pakistan, while using Russian IP addresses to access virtual private servers. The campaign also showed overlaps with another North Korean effort known as Wagemole, in which operatives seek unauthorized employment under stolen identities.
The financial stakes are significant. Blockchain analytics firm Chainalysis estimates that North Korean hacking groups stole $2.02 billion in cryptocurrency during 2025 alone, bringing their cumulative total to $6.75 billion. Those funds are widely believed to support Pyongyang’s weapons programs, underscoring how cybercrime has become a strategic revenue stream for the regime.
Security experts warn that this campaign illustrates a broader evolution in state-backed cyber operations. By blurring the line between ordinary business interactions and espionage, North Korean actors are exploiting trust, labor markets, and the global demand for technical talent. Organizations are now being urged to strengthen applicant verification, require live video interviews with identity checks, monitor development environments for anomalous behavior, and train staff to recognize that even a job offer can be a threat vector.



