North Korean Hackers Use Fake MetaMask & Backdoors to Steal Crypto

Published 2026-02-21 · Category: cybersecurity

The 'Contagious Interview' campaign targets crypto professionals with trojanized wallets and remote access malware. Learn how to defend against this sophisticated threat.

Malware Campaign Delivers Remote Access Backdoor and Fake MetaMask Wallet to Steal Cryptocurrency Funds

Date: February 21, 2026

A sophisticated malware campaign, attributed to North Korean threat actors, is actively targeting IT professionals within the cryptocurrency, Web3, and artificial intelligence sectors. Dubbed "Contagious Interview," this ongoing operation deploys a dual-threat payload: a remote access backdoor for persistent system control and a trojanized version of the popular MetaMask browser extension designed to siphon digital assets. The attack chain begins with a seemingly legitimate job interview process, where malicious code is hidden within fake technical assessments. This campaign highlights the evolving intersection of AI phishing tactics, social engineering, and advanced malware targeting high-value individuals in the digital asset space.

The Anatomy of the 'Contagious Interview' Campaign

The attack follows a meticulously crafted social engineering playbook. Threat actors, posing as recruiters from legitimate companies in the crypto or AI space, contact potential victims—often developers, security engineers, or blockchain specialists—with lucrative job offers. The hook is a technical assessment or coding challenge required to proceed with the interview.

1. The Lure: Victims receive a document or a link to a repository containing what appears to be a realistic technical problem or a software development kit (SDK) related to their field.
2. The Payload: This material is booby-trapped. Executing the code or opening the document triggers the infection sequence. Recent analyses show the malware often exploits known vulnerabilities in common software or uses heavily obfuscated JavaScript to avoid detection.
3. Dual Infection: Upon execution, two primary payloads are deployed:
   * A Remote Access Trojan (RAT): This backdoor provides attackers with persistent, full control over the victim's system, allowing for data theft, credential harvesting, and surveillance.
   * A Trojanized MetaMask Extension: The malware replaces or injects code into the victim's legitimate MetaMask extension. This fake wallet operates normally for most functions but secretly exfiltrates seed phrases, private keys, and transaction details to attacker-controlled servers.

This combination is particularly devastating. While the fake wallet steals assets directly, the backdoor ensures the attackers maintain access to pivot, install additional malware, or steal other sensitive information, compounding the damage.

Why Crypto Professionals Are Prime Targets

The targeting is strategic, not opportunistic. Professionals in cryptocurrency and Web3 represent high-value targets for several reasons:

According to recent blockchain intelligence reports, over $1.5 billion in cryptocurrency was stolen by hackers in 2025, with a significant portion traced to state-sponsored actors using similar social engineering and malware tactics.

The Role of AI and Evolving Social Engineering

The "Contagious Interview" campaign exemplifies the modern use of AI-enhanced social engineering. While not confirmed in every instance, the hallmarks are present:

This evolution makes traditional email filtering and human vigilance less effective and raises the security risks associated with weaponized generative AI models such as GPT. Tools like FraudGPT (a malicious counterpart to legitimate AI assistants) have lowered the barrier to entry for creating such convincing fraudulent content.

Defensive Strategies and Mitigation

Protecting against such advanced campaigns requires a multi-layered security posture:

1. Zero-Trust for Job Applications: Verify the identity of recruiters through independent channels. Be skeptical of technical tests that require downloading and executing unknown software.
2. Browser Extension Hygiene: Only install browser extensions from official stores (Chrome Web Store, Firefox Add-ons). Regularly audit installed extensions and check their permissions. Consider using separate browser profiles or machines for high-value crypto activities.
3. Advanced Endpoint Protection: Use security software with behavioral analysis that can detect the actions of a RAT or the anomalous network traffic of a fake wallet exfiltrating data.
4. Hardware Wallet Integration: For significant holdings, never rely solely on a browser-based "hot" wallet like MetaMask. Use a hardware wallet ("cold" storage) for signing transactions, which keeps private keys isolated from internet-connected devices.
5. Security Awareness Training: Educate teams about these specific, sector-targeted threats. Simulated phishing exercises should include scenarios mimicking fake recruiter lures.
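The extension audit in item 2 above, and the in-place tampering of the installed wallet described in the attack chain, can both be checked with a small integrity script. The following is an added example written for this article, not code from the original report or from MetaMask: it walks a Chromium-style profile layout (Extensions/<id>/<version>/manifest.json), flags broad host permissions, sensitive permissions and content scripts that run on every page, and compares a SHA-256 digest of each extension's files against a baseline captured right after a clean install from the store. The extension IDs, manifests and file contents are constructed placeholders; on a real workstation you would point `audit_profile` at the profile's Extensions directory and keep the baseline somewhere the browser cannot write to.

```python
import hashlib
import json
import tempfile
from pathlib import Path

# Match patterns that let an extension run code on, or read, every site the user visits.
BROAD_HOST_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
# Permissions a wallet should rarely need; any of these on a crypto workstation deserves a second look.
SENSITIVE_PERMISSIONS = {"webRequest", "webRequestBlocking", "nativeMessaging", "debugger", "clipboardRead"}


def extension_digest(version_dir: Path) -> str:
    """SHA-256 over every file under the extension's version directory, keyed by relative path,
    so that an added, removed or edited file (manifest.json included) changes the digest."""
    h = hashlib.sha256()
    for path in sorted(p for p in version_dir.rglob("*") if p.is_file()):
        h.update(str(path.relative_to(version_dir)).encode())
        h.update(b"\0")
        h.update(path.read_bytes())
        h.update(b"\0")
    return h.hexdigest()


def audit_extension(version_dir: Path, baseline: dict) -> dict:
    """Review one installed extension: risky manifest entries plus a digest check against the baseline."""
    manifest = json.loads((version_dir / "manifest.json").read_text())
    ext_id = version_dir.parent.name  # Chromium layout: Extensions/<id>/<version>/manifest.json
    findings = []
    perms = set(manifest.get("permissions", []))
    # MV3 lists host patterns under host_permissions; MV2 mixes them into permissions.
    hosts = set(manifest.get("host_permissions", [])) | {p for p in perms if "://" in p or p == "<all_urls>"}
    for host in sorted(hosts & BROAD_HOST_PATTERNS):
        findings.append(f"broad host permission {host}")
    for perm in sorted(perms & SENSITIVE_PERMISSIONS):
        findings.append(f"sensitive permission {perm}")
    for script in manifest.get("content_scripts", []):
        for match in script.get("matches", []):
            if match in BROAD_HOST_PATTERNS:
                findings.append(f"content script injected on {match}: {', '.join(script.get('js', []))}")
    digest = extension_digest(version_dir)
    expected = baseline.get(ext_id)
    if expected is None:
        findings.append("not in baseline: new or unknown extension")
    elif expected != digest:
        findings.append("files changed since baseline: possible in-place tampering")
    return {"id": ext_id, "name": manifest.get("name", ext_id), "version": manifest.get("version"),
            "digest": digest, "findings": findings}


def audit_profile(extensions_root: Path, baseline: dict) -> list:
    """Audit every <id>/<version>/ directory under a profile's Extensions folder."""
    return [audit_extension(m.parent, baseline) for m in sorted(extensions_root.glob("*/*/manifest.json"))]


def _write_extension(version_dir: Path, manifest: dict, files: dict) -> None:
    version_dir.mkdir(parents=True, exist_ok=True)
    (version_dir / "manifest.json").write_text(json.dumps(manifest, indent=1))
    for rel, content in files.items():
        (version_dir / rel).write_text(content)


def build_sample_profile():
    """Constructed sample data, not a real profile: two extensions with placeholder IDs, a baseline
    taken while both are clean, then the wallet modified in place the way the article describes."""
    root = Path(tempfile.mkdtemp(prefix="ext-audit-"))
    wallet = root / "wallet-ext-id-placeholder" / "1.0.0"
    notes = root / "notes-ext-id-placeholder" / "2.3.1"
    _write_extension(wallet, {"name": "Example Wallet", "version": "1.0.0", "manifest_version": 3,
                              "permissions": ["storage"], "host_permissions": []},
                     {"background.js": "// hypothetical wallet background script\n"})
    _write_extension(notes, {"name": "Example Notes", "version": "2.3.1", "manifest_version": 3,
                             "permissions": ["storage"]},
                     {"popup.js": "// hypothetical notes popup\n"})
    baseline = {p.parent.name: extension_digest(p) for p in (wallet, notes)}
    # Simulate the tampering: a file dropped into the installed wallet and a content script on every page.
    (wallet / "inject.js").write_text("// hypothetical injected file\n")
    manifest = json.loads((wallet / "manifest.json").read_text())
    manifest["content_scripts"] = [{"matches": ["<all_urls>"], "js": ["inject.js"]}]
    (wallet / "manifest.json").write_text(json.dumps(manifest, indent=1))
    return root, baseline


if __name__ == "__main__":
    root, baseline = build_sample_profile()
    for result in audit_profile(root, baseline):
        status = "OK" if not result["findings"] else "REVIEW"
        print(f"{status:6} {result['name']} {result['version']} ({result['id']})")
        for finding in result["findings"]:
            print(f"         - {finding}")
```

The digest check is what catches the scenario in the article: a wallet that still looks and behaves like the store version but whose files no longer match what was installed. An extension that was replaced outright rather than edited shows up through the "not in baseline" finding instead, so a new ID appearing in the profile is treated as a review item rather than silently accepted.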

How WormGPT.online Assists in Security Research and AI Red Teaming

Understanding and preparing for threats like "Contagious Interview" requires proactive security research. Platforms like WormGPT.online play a crucial role in the ethical cybersecurity ecosystem by providing security professionals with unrestricted AI tools for AI red teaming and threat simulation.

By providing a sandbox for exploring the capabilities and limitations of AI in an offensive context, WormGPT.online enables defenders to stay ahead of real-world threats, turning the tables on adversaries who abuse similar technology.

Conclusion

The "Contagious Interview" campaign is a stark reminder that the cryptocurrency frontier remains a high-stakes battlefield. Nation-state actors are deploying increasingly sophisticated, multi-pronged attacks that blend social engineering, traditional malware, and asset-specific theft mechanisms. The trojanized MetaMask extension represents a direct threat to individual asset security, while the accompanying backdoor threatens organizational integrity.

Defense requires a combination of technical controls—like hardware wallets and rigorous software vetting—and heightened human awareness of sector-specific lures. Furthermore, the cybersecurity community must leverage advanced tools, including those for AI red teaming, to anticipate and neutralize the next evolution of these threats. As deepfake fraud and AI-generated social engineering become more prevalent, continuous education and proactive security research, supported by platforms exploring the bounds of machine learning security, will be our most effective shields.