Crypto attackers are no longer waiting for weak passwords. They are hiding inside hiring workflows and the developer tools teams already trust.
The crypto job market has a new problem, and it looks a lot like opportunity. A recruiter sends a polished message. A role sounds relevant. The interview process includes a coding task, a meeting app, or a package that looks like routine developer work. Then the machine running that task becomes the target.
This is why the latest warnings matter. Fake job interviews have been used for months to push malware at crypto and software developers, but the playbook is now spreading across the wider developer workflow. According to Socket, a campaign reported on May 24 called TrapDoor used 36 malicious packages across npm, PyPI, and Crates.io to steal crypto wallets, SSH keys, cloud credentials, GitHub tokens, browser data, and environment variables.
That is not just a consumer scam with better packaging. It is an attack on the people who build and maintain crypto infrastructure. Developers often have local wallet data, private keys, deployment credentials, repository access, and testnet or mainnet tooling on the same machines they use for interviews, freelance work, and open source contributions. For attackers, that makes them more valuable than ordinary users.
The fake interview model works because it borrows from normal behavior. Candidates are used to cloning repositories, installing dependencies, running technical assessments, joining unfamiliar meeting links, and proving they can move quickly. In crypto, where remote work and pseudonymous teams are common, that trust gap is even wider.
Microsoft detailed the Contagious Interview campaign in March, describing attackers who posed as recruiters from cryptocurrency trading firms or AI companies and asked victims to clone and execute npm packages from GitHub, GitLab, or Bitbucket. In some cases, the trap moved through Visual Studio Code, where trusting a repository could allow a task configuration file to fetch and load a backdoor.
The malware families in that campaign were not crude. Microsoft said OtterCookie, one of the most observed backdoors, had evolved from a simple tool for command execution and crypto key searches into a more modular program capable of broader data theft, obfuscation, remote commands, and targeted collection. The first touch may look like recruiting spam, but the second stage can look like professional intrusion tooling.
Dr.Web researchers also found JobStealer campaigns using fake video interview services such as MeetLab, Meetix, Juseo, and Carolla. HackRead reported that those sites presented themselves as clean conferencing platforms, then pushed Windows and macOS malware aimed at crypto wallet extensions, browser credentials, Telegram session files, Apple Notes, Ledger Live traces, and Trezor Suite traces. Some versions searched Chromium-based browsers for roughly 300 wallet extensions.
The newest attacks follow the tools
TrapDoor shows where this is going. Instead of depending only on a recruiter conversation, the campaign placed malicious packages in the registries developers already use. Socket said the activity spanned 36 packages and hundreds of related versions and artifacts, with names designed to look useful to crypto, DeFi, AI, and security developers.
The mechanics were familiar but dangerous. npm packages used postinstall hooks. PyPI packages executed remote JavaScript on import. Crates.io packages targeting Sui and Move developers used build scripts that run during compilation. A developer may think they are installing a wallet safety checker, a Solidity helper, or a Move build tool, while the package is looking for keys and credentials in the background.
The AI angle makes the campaign more current. Socket found attempts to plant hidden instructions inside files such as .cursorrules and CLAUDE.md, which are used to guide AI coding assistants. The apparent goal was to make a future assistant session run a security scan or similar workflow that discovers and exfiltrates secrets. Whether every version works reliably is less important than the direction of travel. Attackers are designing for the way developers now build software.
North Korean groups remain a major concern in this area. Sophos has attributed fake interview activity to Nickel Alley, a North Korea-linked threat group that targets developers in technology and finance through LinkedIn, Upwork, Fiverr, fake company pages, and GitHub repositories. The group has used coding tests and repository downloads to deliver malware, with cryptocurrency theft as a main objective and follow-on access for supply chain compromise or espionage as another risk.
Crypto firms need hiring controls, not just wallet controls
The practical lesson is uncomfortable. A hardware wallet policy will not protect a company if a developer machine also holds GitHub tokens, cloud credentials, seed phrases in notes, SSH keys, and local environment files. The hiring pipeline now has to be treated like a production access pathway.
For crypto teams, that means verifying recruiter identities through official company domains, separating interview tasks from machines that touch wallets or production systems, banning arbitrary terminal commands during hiring, and requiring candidates and employees to run assessments in disposable environments. It also means monitoring Node.js, Python, Rust build scripts, and package installation behavior for unexpected network calls or credential access.
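As an added example (not code from Socket, Microsoft, or any project named here), the sketch below audits a cloned interview repository before anything is installed or opened, flagging the auto-run triggers this article describes: npm install hooks, Cargo build scripts, VS Code tasks that run on folder open, and AI assistant instruction files. The function names and the sample repository are constructed for illustration, and the check does not cover code that only runs on import.

```python
import json
import tempfile
from pathlib import Path

# npm lifecycle scripts that run automatically during `npm install`.
NPM_HOOKS = ("preinstall", "install", "postinstall", "prepare")
# Files the article says were used to steer AI coding assistants.
AI_RULE_FILES = {".cursorrules", "CLAUDE.md"}

def audit_repo(root):
    """Return (relative_path, reason) findings for code that runs without being asked."""
    root = Path(root)
    findings = []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        if path.name == "package.json":
            try:
                scripts = json.loads(path.read_text(errors="replace")).get("scripts") or {}
                findings += [(rel, f"npm {h} script: {scripts[h]}") for h in NPM_HOOKS if h in scripts]
            except (ValueError, AttributeError, TypeError):
                findings.append((rel, "package.json could not be parsed"))
        elif path.name == "build.rs" and (path.parent / "Cargo.toml").exists():
            findings.append((rel, "Cargo build script runs at compile time"))
        elif path.name == "tasks.json" and path.parent.name == ".vscode":
            # tasks.json may contain comments, so match on text instead of parsing.
            if "folderOpen" in path.read_text(errors="replace"):
                findings.append((rel, "VS Code task runs on folder open"))
        elif path.name in AI_RULE_FILES:
            findings.append((rel, "AI assistant instruction file: read before use"))
    return findings

def demo():
    """Build a constructed sample repository and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        repo = Path(tmp)
        (repo / ".vscode").mkdir()
        (repo / "package.json").write_text(
            json.dumps({"name": "sample-task", "scripts": {"postinstall": "node setup.js", "test": "jest"}}))
        (repo / ".vscode" / "tasks.json").write_text(
            '{"tasks": [{"label": "init", "runOptions": {"runOn": "folderOpen"}}]}')
        (repo / "Cargo.toml").write_text('[package]\nname = "sample"\n')
        (repo / "build.rs").write_text("fn main() {}\n")
        (repo / "CLAUDE.md").write_text("constructed sample\n")
        return audit_repo(repo)

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

A finding is a prompt to read the file, not a verdict: many legitimate projects use these hooks, so the review belongs inside the disposable environment before the install step.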
There is also a market implication. As crypto hiring picks up, attackers have a larger pool of anxious candidates and busy founders to exploit. Decentralized identity tools and verified recruiter systems may help, but they will not replace basic operational discipline. The firms that handle this well will be the ones that design hiring, development, and wallet access as one connected risk.
The next phase of crypto security will be less about spotting obvious phishing emails and more about controlling trusted workflows. If an interview task can reach a private key, the problem is not only the scam. It is the system that let a job interview get that close to the money.