North Korean Hackers Are Duping Freelance Developers with Fake Interviews to Steal Cryptocurrency and Deliver Malware — Sophos Warns the 'Nickel Alley' Group Is Using LinkedIn, Upwork, and Fiverr to Target Victims

ITPro, Apr 29, 2026

Why It Matters

By compromising developers, the group gains privileged access to code pipelines, amplifying both crypto theft and potential corporate espionage across critical industries.

Key Takeaways

  • Nickel Alley uses fake interview offers on Upwork, Fiverr, LinkedIn.
  • Malware delivered via typosquatted npm packages and malicious GitHub repos.
  • PyLangGhost RAT steals cryptocurrency and enables supply‑chain attacks.
  • Targeted developers in finance/tech face heightened credential‑theft risk.

Pulse Analysis

State‑sponsored cyber actors are increasingly turning to the gig economy to bypass traditional perimeter defenses. Freelance platforms provide a ready pool of technically proficient individuals, many of whom lack corporate security training. Nickel Alley’s fake interview campaign exploits this gap, presenting lucrative contracts that appear legitimate on LinkedIn and freelance sites. Once a developer runs a seemingly innocuous npm install or clones a repository, the malicious code executes a Node.js‑based RAT, granting the attackers direct control over the victim’s environment and a foothold for further lateral movement.

The technical sophistication of the operation is notable. By typosquatting popular npm modules and masquerading as a legitimate development firm on GitHub, the group blends into the open‑source ecosystem, making detection difficult for automated scanners. The PyLangGhost RAT, a Python‑based remote access tool, not only harvests cryptocurrency wallets but also enables the actors to inject additional payloads, facilitating supply‑chain compromises or espionage against the victim’s clients. This dual‑purpose design underscores a strategic shift: financial gain funds broader intelligence objectives, and compromised developers become unwitting conduits for deeper infiltration.

For organizations, the lesson is clear: recruitment channels must be treated as attack vectors. Security teams should monitor anomalous Node.js process activity, enforce strict code‑review policies for third‑party dependencies, and educate developers on the risks of unsolicited job offers. Integrating threat‑intelligence feeds that flag known malicious domains and repositories can further reduce exposure. As the freelance workforce expands, proactive defenses will be essential to protect both digital assets and the integrity of global software supply chains.
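
The dependency review recommended above can include a lookalike-name check on a project's manifest before anything is installed. The following is an added example, not code from Sophos or ITPro; the `POPULAR` list, `SAMPLE_MANIFEST` and the function names are assumptions constructed for illustration.

```javascript
// Added example: flag manifest dependencies that are near-misses of well-known names.
// POPULAR is a small constructed sample; a real review would use a larger reference list.
const POPULAR = ["express", "lodash", "react", "axios", "chalk", "dotenv", "web3", "ethers"];

// Constructed package.json content for demonstration (not taken from the campaign).
const SAMPLE_MANIFEST = {
  dependencies: { express: "^4.18.2", lodahs: "1.0.0", axois: "^1.6.0", "left-pad": "1.3.0" },
  devDependencies: { "re-act": "0.0.1" },
};

// Levenshtein distance (insert, delete, substitute) using two rolling rows.
function editDistance(a, b) {
  let prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    const cur = [i];
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      cur[j] = Math.min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost);
    }
    prev = cur;
  }
  return prev[b.length];
}

// Lowercase and drop separators so "re-act" and "react" compare as equal.
const normalise = (name) => name.toLowerCase().replace(/[-_.]/g, "");

function findLookalikes(manifest, popular = POPULAR) {
  const deps = { ...manifest.dependencies, ...manifest.devDependencies };
  const findings = [];
  for (const dep of Object.keys(deps)) {
    if (popular.includes(dep)) continue; // exact name: the genuine package
    for (const known of popular) {
      // Short names get a tighter threshold to limit false positives.
      const limit = known.length <= 4 ? 1 : 2;
      const distance = editDistance(normalise(dep), normalise(known));
      if (distance <= limit) findings.push({ dependency: dep, resembles: known, distance });
    }
  }
  return findings;
}

console.log(findLookalikes(SAMPLE_MANIFEST));
```

A hit is a prompt for manual review rather than proof of malice, since legitimate packages can sit close to a popular name.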