The Buzz
Fireblocks disrupted a North Korea-linked job recruitment scam that used fake interviews on Google Meet and GitHub assignments to install malware targeting crypto infrastructure
Hackers targeted engineers with privileged access via LinkedIn profiles, using AI to create authentic interactions that CEO Michael Shaulov told CNBC now look like “they graduated from Oxford”
The scam has been active for years and mirrors tactics used by North Korea’s Lazarus Group, which stole $1.5 billion from Bybit in 2025 in the largest crypto heist in history
LinkedIn took down almost a dozen fake recruiter profiles after Fireblocks worked with law enforcement, but the rapid AI-driven evolution of nation-state actors poses unprecedented challenges for crypto security
Fireblocks just exposed a sophisticated North Korea-linked operation that’s turning LinkedIn job interviews into cyber weapons. The digital asset infrastructure company disrupted a recruitment scam that weaponized fake hiring processes to plant malware on crypto developers’ machines, potentially exposing wallets, private keys, and production systems. CEO Michael Shaulov says hackers tied to North Korea are evolving at “lightspeed” thanks to AI, making social engineering attacks nearly impossible to detect.
Fireblocks just pulled back the curtain on one of the most sophisticated social engineering operations targeting the crypto industry – and it’s hiding in plain sight on LinkedIn. The digital asset infrastructure company disrupted a North Korea-linked recruitment scam that weaponized the entire hiring process to compromise developers and gain access to crypto infrastructure.
Here’s how it worked: hackers created fake recruiter profiles that closely resembled legitimate Fireblocks hiring processes. They conducted video interviews via Google Meet, shared take-home coding assignments through GitHub, and maintained authentic conversations throughout. When candidates ran what appeared to be routine installation commands for the coding test, they were actually installing malware that could expose wallets, private keys, and production systems.
“What they’re basically doing is that they are weaponizing a legit interview to create a very legit and authentic interaction with candidates,” Fireblocks CEO Michael Shaulov told CNBC. The attackers weren’t casting a wide net – they were hunting specific targets based on LinkedIn profiles, looking for engineers with “privileged access” to critical crypto infrastructure.