Cisco Talos has documented a campaign of cyberattacks carried out by the North Korea–linked hacking group Famous Chollima. The attackers use fake job listings aimed at people interested in cryptocurrency.

The group lures candidates with job offers that ask for experience working with cryptocurrencies, posing as openings at well-known crypto companies such as Coinbase, Archblock and Uniswap. Targets receive a link to the job posting and an invitation code. The site hosting the listing is presented as a multi-step application process in which applicants are asked to complete various tests and provide personal information.

As the final step, applicants are asked to record a short video for the interviewer using their computer webcam. When the candidate attempts to grant the site access to the camera, an error message appears instructing them to “update their drivers.” If the user follows these instructions, they download a trojan file instead of a legitimate driver update.

The attacks have been tracked since the summer of 2024 and target both Windows and macOS users. In May 2025, researchers discovered a new variant of the trojan written in Python, indicating the campaign remains active and continues to evolve.

Beyond installing malicious software on applicants’ devices, Famous Chollima has also used information submitted during the “interview process,” together with data exfiltrated from compromised machines, to create fake identities. Those fabricated profiles are then used to infiltrate organizations by applying for legitimate remote positions.

Security teams and job seekers should be cautious when responding to unsolicited recruitment messages, especially those promising remote crypto roles. Verify job offers directly through official company channels, avoid downloading executables from unfamiliar sites, and be suspicious of any request to enable hardware or install drivers during an application process. Keeping operating systems and security software up to date and using multi-factor authentication can help reduce the risk of account takeover and device compromise.