North Korean hackers specialising in cryptocurrency are honing a well-known scam. Previously they relied on fake job offers and investment proposals to spread malware, but their methods are becoming increasingly sophisticated.
While these attacks previously depended on victims interacting directly with infected files, closer coordination between hacker groups has now allowed them to overcome this weakness, using recycled video calls and impersonations of Web3 executives to trick targets.
According to recent reports from digital security firm Kaspersky, North Korean cybercriminals are employing new tools. BlueNoroff APT, a subsection of the Lazarus Group (the most feared North Korea-based criminal organisation - DPRK), has two active campaigns underway, called GhostCall and GhostHire, which share the same management infrastructure.
BlueNoroff, with its 'GhostCall' and 'GhostHire' campaigns, targets the crypto and Web3 sectors with fake calls and job offers to steal millions, according to Kaspersky.
BlueNoroff's "GhostCall" and "GhostHire" target crypto and Web3 with fake calls and job offers to steal millions. Stay safe-learn more on Securelist: https://t.co/cVzvOugqWJ #CyberSecurity #APT #BlueNoroff #SocialEngineering pic.twitter.com/YcbfF4Jj8f
- Kaspersky (@kaspersky) October 28, 2025
New Tactics and Enhanced Social Engineering
In the GhostCall campaign, these North Korean hackers target Web3 executives, presenting themselves as potential investors. GhostHire, on the other hand, lures blockchain engineers with tempting job offers.
Both tactics have been in use since at least last month, but the threat is increasing. Regardless of the target, the scam is the same: the goal is to trick the victim into downloading malware, whether it is a fake 'coding challenge' or a clone of Zoom or Microsoft Teams.
Once the victim interacts with this compromised platform, hackers can breach its systems.
Kaspersky has noted a number of marginal enhancements, such as focusing on operating systems favoured by crypto developers. However, the common vulnerability of these schemes has always been the need for the victim to interact with suspicious software, which has hurt the success rate of previous scams.
Kaspersky Team
To overcome this critical issue, hackers have found a new way to recycle missed opportunities by enhancing social engineering. In addition to Artificial Intelligence (AI)-generated content, they can also use hacked accounts of real entrepreneurs or snippets of real video calls to make their scams believable.
A crypto executive who breaks contact with a suspicious recruiter, for example, could see his image reused and weaponised against new victims. The use of AI allows hackers to synthesise new 'conversations' that mimic a person's tone, gestures and environment with alarming realism. Even when these scams fail, the potential damage remains severe.
Anyone approached in unusual or high-pressure circumstances should remain vigilant: never download unfamiliar software or accept requests that seem out of place.
