DeceptiveDevelopment fake-recruiter campaign targeting crypto and DeFi developers
Campaign
Summary
The DeceptiveDevelopment campaign remains active and is using fake recruiter lures to target developers tied to cryptocurrency and decentralized finance projects, combining identity theft with malware delivery. That matters because the operation can both compromise developer systems and feed stolen identities into a broader North Korean fraud pipeline. The long-running lure set shows a sustained, coordinated targeting effort rather than a one-off phishing wave.
Related Happenings
North Korean remote IT worker scam operation targeting American companies
Campaign
First: 16.04.2026 19:00
Last: 16.04.2026 19:00
Sources 1
About this happening:
A long-running **North Korean remote IT worker scam operation** used **stolen identities** and fake placements to embed operators inside **more than 100 American companies**. The...
North Korean fake-persona remote job infiltration campaign against Western tech companies
Campaign
First: 25.03.2026 17:30
Last: 25.03.2026 17:30
Sources 1
About this happening:
A **North Korean** fake-persona campaign is using **remote job applications** to gain **trusted insider access** at **Western tech companies**, creating theft and espionage risk....
Contagious Interview cryptocurrency social-engineering and malware-delivery campaign
Campaign
First: 23.03.2026 20:09
Last: 23.03.2026 20:09
Sources 1
About this happening:
A **North Korean** cluster behind **Contagious Interview / WaterPlum** is running a coordinated **malware campaign** against **cryptocurrency professionals**, increasing the risk...
PurpleBravo Contagious Interview campaign
Campaign
First: 21.01.2026 19:17
Last: 21.01.2026 19:17
Sources 1
About this happening:
The **North Korea-linked Contagious Interview** campaign is refining its malware stack, with **Cisco Talos** reporting that **BeaverTail** and **OtterCookie** are being merged mor...
Latest development: 22.04.2026 17:48
North Korean actor Void Dokkaebi, aka Famous Chollima, pushed the Contagious Interview fake-job campaign into a self-propagating software supply chain operation by abusing compromised developer repositories, malicious Visual Studio (VS) Code tasks, and injected code that can run during normal development activity to spread malware and steal cryptocurrency wallet credentials, signing keys, and access to CI/CD pipelines and production infrastructure. Trend Micro said the campaign also stages payloads on Tron, Aptos, and Binance Smart Chain, and in March it found more than 750 infected code repositories, more than 500 malicious VS Code task configurations, and 101 instances of the commit-tampering tool.
Contagious Interview campaign uses malicious VS Code projects to deliver backdoors
Campaign
First: 20.01.2026 20:41
Last: 20.01.2026 20:41
Sources 1
About this happening:
The **Contagious Interview** campaign has expanded from **malicious npm packages** into **VS Code**-based lures that trick victims into cloning a booby-trapped repository and open...
Latest development: 02.03.2026 10:44
North Korean Contagious Interview operators published 26 malicious npm packages to the npm registry, using install.js and vendor/scrypt-js/version.js to pull steganographically hidden C2 locations from Pastebin and Vercel-hosted infrastructure. The chain used ext-checkdin.vercel[.]app and 103.106.67[.]63:1244/1247 to deliver a cross-platform RAT and modules for VS Code persistence, keylogging, browser credential theft, TruffleHog secret scanning, and Git and SSH key exfiltration.
Timeline
- 26.09.2025 15:01 · 2 articles
DeceptiveDevelopment campaign targets crypto and DeFi developers
Initial Disclosure: A North Korean fake-recruiter campaign active since at least 2023 targets developers associated with cryptocurrency and decentralized finance projects through fake job offers on LinkedIn, Upwork, Freelancer.com, and similar platforms, then uses interview social engineering to trigger malware execution while also harvesting developer identities for fraudulent IT workers. The operation has been associated with BeaverTail, InvisibleFerret, OtterCookie, WeaselStore/PylangGhost, TsunamiKit, Tropidoor, and AkdoorTea, and the fake-recruiter activity is tied to the WageMole network of North Korean IT workers.
Sources:
- North Korea’s Fake Recruiters Feed Stolen Data to IT Workers — www.securityweek.com — 26.09.2025 15:01