On January 22, 2026, Fireblocks unveiled a disturbing campaign orchestrated by North Korean hackers, specifically linked to the notorious Lazarus Group. This operation, named “Operation Contagious Interview,” aimed to lure cryptocurrency developers into a trap using a fake job recruitment scam.
The hackers masqueraded as Fireblocks recruiters on LinkedIn, meticulously crafting profiles that appeared legitimate. These profiles included plausible work histories, professional images, and networks associated with the blockchain and tech sectors. Once engaged, targeted developers received well-designed PDFs detailing a fictitious project called the “Fireblocks Poker Platform.”
To enhance credibility, the scammers created detailed Figma boards and avoided common errors seen in phishing attempts. The attack was notably sophisticated; it referenced recent company updates, such as Fireblocks” acquisition of Dynamic, which had been announced shortly before the scam”s emergence.
As part of the scheme, potential victims underwent video interviews via Google Meet, during which interviewers asked standard questions about their experience and salary expectations. After discussing their qualifications, candidates were abruptly told the interviews were over, just before being assigned a “code review task.”
The malicious code was executed when victims followed typical developer procedures by cloning a GitHub repository and running the command “npm install.” This critical step enabled malware to infiltrate their systems.
Adding to the complexity, the attackers employed a technique known as “EtherHiding,” which utilized blockchain smart contracts to maintain their command-and-control operations, making detection and removal significantly more challenging.
In identifying the threat actor, Fireblocks connected the operation to APT 38, the same group responsible for previous scams. The investigation revealed that this operation closely mirrored earlier attempts to impersonate Multibank Group using a similar poker platform scam.
The objective of these attacks was clear: to gain financial access through stolen credentials, private keys, seed phrases, and entry to development environments. By executing malicious code on company devices, hackers could establish footholds within organizational systems, making developers prime targets.
Fireblocks identified twelve false identities utilized throughout the campaign, including names like “Agnes Gonzales” and “Roman Creed.” Red flags included the use of personal email addresses for corporate recruitment, links to Calendly on personal domains, AI-generated profile content, and LinkedIn accounts with minimal activity that suddenly became very active.
The operation came to light when multiple job seekers reached out directly to Fireblocks employees, inquiring about the so-called “Fireblocks Poker Platform.” These inquiries prompted an investigation by the security team, which confirmed the impersonation and initiated reporting to LinkedIn for the takedown of the fraudulent profiles. Malicious repositories were also removed in coordination with intelligence partners and law enforcement.
For those navigating the job market in the cryptocurrency sector, Fireblocks advises verifying all recruiter communications against official company careers pages. Legitimate recruiters affiliated with Fireblocks utilize verified LinkedIn profiles that are authenticated with company email addresses. If an interviewer requests that you clone a repository and execute installation commands, it warrants a careful reconsideration, even if everything else seems professional.
