A new cyber threat has emerged, targeting American artificial intelligence developers, software engineers, and cryptocurrency professionals through an elaborate fake job platform. Security researchers at Validin have uncovered a variant of the “Contagious Interview” operation, a scheme designed to compromise job seekers during what appears to be a legitimate hiring process.
How the Scam Works
The campaign uses a fully functional React and Next.js-based job platform hosted at lenvny[.]com. This fake site mimics leading tech companies and recruitment software with surprising authenticity. Marketed as an “Integrated AI-Powered Interview Tool,” the platform features a sleek design, synthetic branding, and dynamic job listings—all crafted to resemble modern hiring systems.
Unlike previous DPRK-linked phishing attempts, which relied on basic login forms, this attack introduces a complete application workflow, including video interviews and technical assessments. The goal? To lure high-value targets in AI and cryptocurrency sectors.
Infection Mechanism: The ClickFix Technique
Researchers identified the malware delivery method after analyzing the interview process. Here’s the infection pattern:
- LinkedIn outreach invites candidates to apply.
- Candidates complete video interviews and coding tasks.
- The platform prompts users to “fix their webcam” using a helper tool.
- This tool installs malware on the candidate’s system.
This ClickFix technique exploits trust during troubleshooting, making the attack highly effective.
Why AI and Crypto Professionals Are Targeted
North Korea focuses on these roles because:
- AI developers have access to proprietary research, model weights, and inference infrastructure.
- Crypto professionals often manage high-value digital assets.
- Both groups typically use systems with elevated privileges and custom tooling, which makes a successful compromise more likely.
How to Stay Safe
- Verify official domains before applying for jobs.
- Avoid uploading personal documents to unverified platforms.
- When asked to run code during interviews, use virtual machines or sandbox environments instead of your primary workstation.
Key Takeaways
This campaign represents a major escalation in state-sponsored cybercrime, blending social engineering with advanced web development. Job seekers in tech should remain vigilant and adopt strict security practices during remote hiring processes.