Welcome to IT-Branschen – The Channel for IT News, Cybersecurity and Digital Trends

Cisco Talos: New cyber threat – fake crypto jobs as bait

New cyber threat mapped – attracting crypto jobs

Cisco Talos has identified a campaign of cyberattacks by the North Korea-associated hacker group Famous Chollima. The attacks use fake job advertisements, targeting cryptocurrency enthusiasts.

The group lures victims with job opportunities that ask for experience working with cryptocurrency, in ads that purport to be for jobs at well-known crypto companies such as Coinbase, Archblock and Uniswap. Those targeted receive a link to a job posting and an invitation code. The site hosting the ad is designed as a multi-step process in which the user is asked to complete various tests and provide personal information.

As the final step in the process, the applicant is asked to record a short video for the interviewer using the computer's webcam. When the applicant is about to give the site access to the camera, an error message appears asking them to “update their drivers”; if they follow the instructions, they instead download a Trojan file.

The attacks have been traced since the summer of 2024 and target both Windows and macOS users. In May 2025, a new variant of the trojan, based on the Python programming language, was discovered, which indicates that the campaign and its methodology remain active and continue to evolve.

In addition to installing malicious software on the applicants' computers, Famous Chollima has also used the information provided during the “interview process,” which was stolen from hijacked devices, to create fake identities. These are used to infiltrate various companies by applying for real remote jobs with them.