Hackers Weaponize GitHub in Sophisticated Hiring Scam
On January 30, 2026, digital asset security firm Fireblocks announced it had disrupted a complex recruitment scam linked to North Korean state-sponsored hackers. The attackers created a convincing imitation of a legitimate hiring process by impersonating Fireblocks recruiters on LinkedIn, conducting interviews on Google Meet, and distributing take-home assignments via GitHub. When unsuspecting developer candidates ran the provided code, malware was installed on their systems.
This malicious software was designed to expose private keys, crypto wallets, and production systems, targeting engineers with high-level access. Fireblocks CEO Michael Shaulov stated the firm identified nearly a dozen fake profiles and that the campaign has likely been active for several years. After gathering intelligence on the malware's 'fingerprints,' Fireblocks worked with LinkedIn and law enforcement to have the malicious profiles removed.
Lazarus Group Evolves Tactics After $1.5B Bybit Heist
The methods used in this scam signal a significant evolution for hacking collectives like the Lazarus Group, which analysts have linked to numerous high-profile crypto thefts. This state-sponsored entity is notorious for its attacks, including the historic $1.5 billion heist from the Bybit exchange and the theft of $200 million in bitcoin from South Korean exchanges in 2017. Shaulov, who investigated the group's early attacks, noted a dramatic increase in their sophistication.
"It's clear that the attackers have become way more sophisticated and way harder to detect because of AI."
— Michael Shaulov, CEO of Fireblocks.
Where early attacks were marred by simple grammatical errors, the current campaigns are polished and highly convincing. This escalation in social engineering tactics presents a persistent and advanced threat to the security of the entire digital asset industry, forcing firms to heighten their internal security protocols and vetting procedures.