A North Korean state-sponsored cyber operation, part of the **Contagious Interview** campaign, targeted professionals in the cryptocurrency sector—including employees at **Robinhood**—by impersonating recruiters from legitimate firms. Victims, lured via fake job offers (e.g., Portfolio Manager roles), were tricked into executing malicious command-line scripts during fabricated skill assessments, unknowingly installing malware. Over **230 confirmed victims** (with estimates far higher) across marketing and finance roles in crypto companies were compromised between **January–March 2025**. The attack exposed operational security failures by the threat actors, including **leaked victim databases, error logs, and directory contents** from their infrastructure (e.g., `api.release-drivers[.]online`). While no explicit data breach of Robinhood’s systems was confirmed, the campaign’s focus on **cryptocurrency professionals** suggests potential exposure of sensitive financial or personal data tied to employees or customers. The attackers’ rapid infrastructure replacement tactics and use of **real-time intelligence platforms (Validin, VirusTotal)** to evade detection highlight a persistent, adaptive threat. The incident underscores risks to **reputation, financial security, and operational trust** in targeted firms, with broader implications for the crypto industry’s vulnerability to state-backed cyber espionage and fraud.
Source: https://gbhackers.com/north-korean-hackers/
TPRM report: https://www.rankiteo.com/company/robinhood
"id": "rob0392303090725",
"linkid": "robinhood",
"type": "Cyber Attack",
"date": "1/2025",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{
  "affected_entities": [
    {
      "customers_affected": "230+ (Identified Victims)",
      "industry": "Financial Services (Cryptocurrency)",
      "location": "Global (Multi-Country)",
      "name": "Cryptocurrency/Blockchain Companies (General)",
      "type": "Private Sector"
    },
    {
      "industry": "Blockchain",
      "name": "Archblock",
      "type": "Private Sector"
    },
    {
      "industry": "Financial Services",
      "location": "United States",
      "name": "Robinhood",
      "type": "Public Company"
    },
    {
      "industry": "Financial Services (Trading)",
      "location": "Global",
      "name": "eToro",
      "type": "Private Sector"
    }
  ],
  "attack_vector": [
    "Phishing (Fake Job Offers)",
    "Social Engineering (ClickFix)",
    "Malicious Command-Line Execution",
    "Fake Skill Assessment Websites"
  ],
  "customer_advisories": [
    "Public alerts issued via SentinelLABS/Validin channels.",
    "Guidance shared on identifying fake job scams (e.g., command-line execution requests)."
  ],
  "data_breach": {
    "data_exfiltration": "Yes (Victim Databases Exposed)",
    "file_types_exposed": [
      "Error Logs",
      "Victim Information Databases",
      "ContagiousDrop Application Logs"
    ],
    "number_of_records_exposed": "230+ (Minimum)",
    "personally_identifiable_information": [
      "Names",
      "Email Addresses (e.g., brooksliam534[@]gmail.com)",
      "Professional Roles",
      "Company Affiliations"
    ],
    "sensitivity_of_data": "High (PII + Financial Sector Targeting)",
    "type_of_data_compromised": [
      "Personally Identifiable Information (PII)",
      "Professional Resumes/CVs",
      "Cryptocurrency Credentials (Potential)",
      "Victim Interaction Logs"
    ]
  },
  "date_detected": "2025-03-11",
  "date_publicly_disclosed": "2025-03-11",
  "description": "A sophisticated North Korean cyber operation (Contagious Interview campaign) was exposed, revealing how state-sponsored hackers systematically monitor cybersecurity intelligence platforms (e.g., Validin, VirusTotal, Maltrail) to detect takedowns of their malicious infrastructure and rapidly deploy replacements. The campaign primarily targets cryptocurrency/blockchain professionals using social engineering (ClickFix) via fake job offers, tricking victims into executing malware-laden command lines. Over 230 victims were identified between January–March 2025, with actual numbers likely higher. The operation demonstrates decentralized command structures, rapid infrastructure replacement over protection, and exposure of victim databases due to operational security failures.",
  "impact": {
    "brand_reputation_impact": [
      "High (for Impersonated Companies)",
      "Erosion of Trust in Cryptocurrency Job Market"
    ],
    "data_compromised": [
      "Victim Personal Information",
      "Professional Credentials",
      "Cryptocurrency-Related Data"
    ],
    "identity_theft_risk": "High (Victim PII Exposed)",
    "operational_impact": [
      "Compromised Victim Systems",
      "Potential Cryptocurrency Theft",
      "Reputational Damage to Impersonated Companies (Archblock, Robinhood, eToro)"
    ],
    "systems_affected": [
      "Victim Endpoint Devices (via Malware)",
      "Fake Assessment Websites (e.g., release-drivers[.]online)"
    ]
  },
  "initial_access_broker": {
    "backdoors_established": "Yes (ContagiousDrop Applications)",
    "entry_point": [
      "Fake Job Offers (LinkedIn/Email)",
      "Fabricated Skill Assessment Websites"
    ],
    "high_value_targets": [
      "Cryptocurrency Professionals",
      "Finance/Marketing Roles in Blockchain Companies"
    ],
    "reconnaissance_period": "Real-Time (Monitoring Threat Intelligence Platforms)"
  },
  "investigation_status": "Ongoing (Active Threat)",
  "lessons_learned": [
    "North Korean actors leverage threat intelligence platforms (e.g., Validin) to monitor and evade detection, creating a 'cat-and-mouse' dynamic with defenders.",
    "Decentralized command structures and internal competition hinder comprehensive infrastructure protection, leading to rapid replacement over hardening.",
    "Social engineering via fake job offers remains highly effective, particularly in high-trust industries like cryptocurrency.",
    "Exposed operational data (e.g., error logs, victim databases) provides critical insights into adversary TTPs but also highlights their operational security gaps.",
    "Collaboration between threat intelligence providers and service providers is essential for disrupting APT operations, though rapid infrastructure replacement remains a challenge."
  ],
  "motivation": [
    "Financial Gain (Cryptocurrency Theft)",
    "Sanctions Evasion",
    "Intelligence Gathering",
    "Revenue Generation for Regime"
  ],
  "post_incident_analysis": {
    "corrective_actions": [
      "Enhanced monitoring of intelligence platforms for adversary activity.",
      "Automated detection of APT-linked domain registrations.",
      "Public-private collaboration to disrupt replacement infrastructure cycles.",
      "Victim support mechanisms for compromised individuals."
    ],
    "root_causes": [
      "Over-reliance on rapid infrastructure replacement due to decentralized command and internal competition.",
      "Operational security failures (exposed error logs, victim databases).",
      "Effective exploitation of human trust in job-seeking processes.",
      "Leverage of legitimate threat intelligence platforms for adversary reconnaissance."
    ]
  },
  "ransomware": {
    "data_exfiltration": "Yes (via ContagiousDrop Tools)"
  },
  "recommendations": [
    {
      "for_job_seekers": [
        "Verify the legitimacy of unsolicited job offers, especially in cryptocurrency/blockchain sectors.",
        "Avoid executing command-line instructions during application processes.",
        "Scrutinize assessment domains (e.g., check for recent registration, suspicious TLDs).",
        "Use multi-factor authentication (MFA) on professional accounts."
      ]
    },
    {
      "for_companies": [
        "Implement employee training on social engineering risks, particularly for roles targeted by APTs (e.g., finance, marketing).",
        "Monitor for impersonation of your brand in job scams (e.g., fake LinkedIn profiles, spoofed domains).",
        "Share IOCs with threat intelligence communities to enable proactive takedowns."
      ]
    },
    {
      "for_threat_intelligence_communities": [
        "Enhance detection of adversary reconnaissance on intelligence platforms (e.g., anomalous search patterns).",
        "Develop automated alerts for known APT infrastructure being queried by suspicious accounts.",
        "Improve coordination with service providers to accelerate takedowns and disrupt replacement cycles."
      ]
    },
    {
      "for_service_providers": [
        "Proactively scan for and suspend domains linked to known APT campaigns (e.g., Contagious Interview).",
        "Implement stricter registration controls for domains mimicking legitimate financial/blockchain companies.",
        "Provide APIs for threat intelligence sharing to enable real-time disruption."
      ]
    }
  ],
  "references": [
    {
      "date_accessed": "2025-03-11",
      "source": "SentinelLABS & Validin Joint Report"
    },
    {
      "date_accessed": "2025-03-11",
      "source": "Lazarus APT Infrastructure Blog Post (March 11, 2025)"
    }
  ],
  "response": {
    "communication_strategy": [
      "Public Report by SentinelLABS",
      "Media Outreach",
      "Social Media Alerts (LinkedIn, X)"
    ],
    "containment_measures": [
      "Infrastructure Takedowns by Service Providers",
      "Public Disclosure of IOCs"
    ],
    "enhanced_monitoring": [
      "Threat Intelligence Sharing",
      "Collaboration with Service Providers"
    ],
    "incident_response_plan_activated": "Yes (by SentinelLABS & Validin)",
    "remediation_measures": [
      "Victim Awareness Campaigns",
      "Job Seeker Vigilance Advisories"
    ],
    "third_party_assistance": [
      "Validin",
      "SentinelLABS"
    ]
  },
  "stakeholder_advisories": [
    "Cryptocurrency/blockchain industry professionals warned of targeted social engineering.",
    "Job platforms (e.g., LinkedIn) advised to monitor for fake recruiter accounts (e.g., 'liambrooksman').",
    "Financial regulators notified of sanctions evasion risks."
  ],
  "threat_actor": [
    "Lazarus Group (Suspected)",
    "North Korean State-Sponsored Actors"
  ],
  "title": "Contagious Interview Campaign by North Korean State-Sponsored Hackers (2025)",
  "type": [
    "APT (Advanced Persistent Threat)",
    "Social Engineering",
    "Malware Distribution",
    "Espionage",
    "Financial Theft"
  ],
  "vulnerability_exploited": [
    "Human Trust (Job Seekers)",
    "Lack of Command-Line Execution Awareness",
    "Unverified Assessment Domains"
  ]
}