The cryptocurrency job market is booming, with thousands of positions available across DeFi protocols, blockchain infrastructure companies, and AI-crypto startups. But in April 2025, the FBI seized the domain of a company called Blocknovas — a cryptocurrency startup that looked completely legitimate but was actually a front for North Korean hackers. If you are looking for work in the crypto industry, this guide will help you identify the red flags before you become the next victim.
The Basics
State-sponsored hacking groups, particularly North Korea’s Lazarus Group, have increasingly targeted cryptocurrency professionals through fake job recruitment schemes. The Blocknovas campaign, exposed in late April 2025, revealed just how sophisticated these operations have become. The hackers created three fake companies — Blocknovas, Angeloper, and SoftGlide — complete with professional websites, AI-generated employee headshots, and fabricated LinkedIn profiles with realistic career histories.
The scheme worked like this: a crypto developer would see a job posting on LinkedIn or a job board, apply for the position, go through multiple rounds of interviews with people who seemed legitimate, and then be asked to download a “coding exercise” or “technical assessment tool” as part of the final round. That download contained malware designed to steal cryptocurrency wallet credentials, private keys, and access to the victim’s development environment.
With Bitcoin trading around $94,647 and the total cryptocurrency market valued at over $3.3 trillion, developers who work in this industry are high-value targets. A single compromised wallet or stolen private key can result in losses worth millions of dollars.
Why It Matters
You might think this only happens to other people, but the Lazarus Group’s campaign targeted dozens of experienced blockchain developers across multiple countries. These are smart, cautious professionals who simply encountered a scam that was more sophisticated than anything they had seen before. The use of AI-generated content means the old indicators of a scam — poorly written emails, obviously fake photos, broken website links — are no longer reliable.
Beyond the immediate financial loss from stolen credentials, victims of these schemes face additional consequences. Personal information shared during the fake interview process — including work history, technical skills, and current employer details — can be used for future targeted attacks. In some cases, compromised developer credentials have been used to inject malicious code into open-source repositories, affecting thousands of downstream users.
Getting Started Guide
Protecting yourself starts with a simple verification framework that you should apply to every job opportunity in the crypto space. Here is a step-by-step approach:
Step 1: Verify company registration. Every legitimate US company must be registered with a state government. Use the Secretary of State website for the state where the company claims to be incorporated. Search for the company name and verify that the registration date, registered agent, and business address are consistent with what the company claims. The Blocknovas domain was registered only weeks before the campaign launched — a major red flag for a company claiming years of operation.
Step 2: Cross-reference employees. If someone from the company contacts you on LinkedIn, look at their profile carefully. Do they have connections you recognize in the industry? Can you find evidence of their employment on other platforms — GitHub contributions, conference talks, academic papers? AI-generated profiles often have generic work histories that cannot be independently verified.
Step 3: Check for a physical presence. Can you verify the company’s office address using Google Street View? Do they have a phone number that connects to a real receptionist? Can you find independent news articles mentioning the company from before you were contacted? Fake companies often list addresses that are actually virtual office services or co-working spaces.
Step 4: Never download software from an interviewer. This is the single most important rule. No legitimate employer will ask you to download executable files during a job interview. If a company asks you to install a custom application, browser extension, or development tool as part of the interview process, stop all communication immediately. Legitimate technical assessments use standard platforms like CoderPad, HackerRank, or your own local development environment.
Step 5: Use sandboxed environments. If you must interact with a company’s platform as part of an assessment, do it inside a virtual machine or Docker container that you can discard afterward. Never use your primary development machine or a machine that has access to your cryptocurrency wallets.
Common Pitfalls
The biggest mistake crypto professionals make is assuming that a polished online presence indicates legitimacy. In 2025, AI tools can generate an entire corporate identity — website, blog posts, employee photos, social media profiles — in hours. A professional-looking website means nothing.
Another common pitfall is letting excitement override caution. The crypto job market is competitive, and when a promising opportunity appears, it is natural to want to move quickly. Attackers exploit this urgency by creating time pressure — claiming the position needs to be filled immediately, scheduling rapid-fire interview rounds, and pushing candidates to complete assessments quickly. Legitimate companies understand that good security practices take time.
A third pitfall is assuming that because you found the job listing on a reputable platform, it must be legitimate. The Lazarus Group posted their fake positions on mainstream job boards and LinkedIn, platforms that do not independently verify every employer.
Next Steps
Start applying this verification framework to every professional contact you receive in the crypto space, starting today. Bookmark your state’s Secretary of State business search page. Set up a dedicated virtual machine for any interactions with new companies. And most importantly, share this knowledge with your colleagues — the best defense against social engineering is a community that knows what to look for.
If you believe you have been targeted by a fake company, report the incident to the FBI’s Internet Crime Complaint Center at ic3.gov and notify the platform where you encountered the fraudulent listing. Your report might prevent the next developer from becoming a victim.
Disclaimer: This article is for informational purposes only and does not constitute financial or investment advice. Always conduct your own research before making any financial decisions.
Interesting perspective — I hadn’t considered that angle before
The gap between crypto and TradFi is narrowing fast
The pace of innovation in crypto continues to surprise me
the coding exercise malware trick is brutal. devs literally applying for jobs and downloading their own compromise
imagine applying for your dream crypto job and the coding exercise is literally a trojan. devs need to verify companies independently before downloading anything
exactly. the malware was disguised as a take-home coding challenge. you literally build the exploit into your own dev environment and run it yourself
three fake companies with AI headshots and fabricated linkedin profiles. lazarus group is running a full HR department at this point
lazarus running a full HR pipeline with AI headshots and fake linkedin histories is next level. the blocknovas setup had a careers page and everything
the careers page was fully functional too. job descriptions, benefits, even a glassdoor listing. lazarus basically built a complete startup just to trap a handful of devs
companies using AI headshots for fake employees is wild. ran a reverse image search on three staff photos from a crypto startup last month, all came back as generated faces