🚨PYLANGGHOST STRIKES IN INDIA! North Korean hackers are hitting crypto pros with fake jobs and malware-laced interviews. Here’s what’s happening ⬇️ https://t.co/z4xInesEKM
NORTH KOREAN OPERATIVES DEPLOY MALWARE THROUGH FAKE JOB OFFERS TO CRYPTO WORKERS Hackers linked to North Korea are impersonating recruiters to spread malware to professionals in the digital asset industry. This reflects growing cyber threats aimed at exploiting the crypto https://t.co/0JntePwjux https://t.co/jACRMKl0HJ
JUST IN: NORTH KOREA TARGETS CRYPTO PROFESSIONALS WITH NEW MALWARE IN HIRING SCAMS. Source: @DecryptMedia https://t.co/0v00iz2PXO https://t.co/HxctDOVYi4
North Korean state-linked hackers are running an elaborate hiring scam that installs a new remote-access trojan dubbed “PylangGhost” on the computers of cryptocurrency professionals, according to threat-intelligence firm Cisco Talos. The operation, active since mid-2024, impersonates recruiters from well-known exchanges such as Coinbase and Uniswap and directs job seekers—mostly in India—to convincing replica career sites. Candidates are asked to complete skill tests and then copy commands disguised as video-driver installations, which silently drop the Python-based malware.
PylangGhost can steal credentials and cookies from more than 80 browser extensions, including the MetaMask wallet and password managers like 1Password, and maintain persistent remote access for further exploitation. Cisco Talos attributes the campaign to the North Korean group “Famous Chollima,” also known as Wagemole, which has adapted an earlier Golang variant that targeted macOS users.
The tactic broadens Pyongyang’s focus from direct exchange heists to infiltrating individuals with inside access to digital-asset infrastructure. A joint statement by Japan, South Korea and the United States said North Korean-backed groups—including Lazarus—siphoned at least $659 million in cryptocurrency last year. Security researchers are urging blockchain firms to tighten verification of recruiters, while Indian experts call for mandatory cyber-security audits and stronger oversight of fake job portals.