On January 22, public reporting revealed that North Korea–linked hacking groups, having stolen more than USD 2 billion from the cryptocurrency market in 2025, have launched another large-scale offensive. The campaign is attributed to a group tracked as PurpleBravo, and its targeting has shifted toward enterprises in artificial intelligence, cryptocurrency, and financial services.
Monitoring data indicates that attackers attempted to infiltrate more than 3,100 internet-facing addresses associated with these industries. To date, at least 20 organizations across South Asia, North America, Europe, the Middle East, and Central America have been confirmed as affected.
“Technical Interviews” as the Primary Attack Vector
Unlike traditional phishing campaigns, this operation relies heavily on fake recruitment as its social engineering pretext. The attackers impersonate recruiters or fellow developers, build a rapport with job seekers over time, and lure them into carrying out specific tasks during so-called “technical interviews.”
These tasks typically involve reviewing code, cloning a repository, or completing a seemingly legitimate programming assignment. The repository or assignment carries the payload: once the target clones, builds, or runs it on a corporate device, the malware is installed, giving the attackers persistent access to and control over that system.
Customized Malware and Identity Obfuscation
Researchers found that the group used a range of custom tools in the attacks. Among them were two remote access trojans, PylangGhost and GolangGhost, used to steal browser credentials and sensitive system information. The attackers also posed as Ukrainian nationals, using forged identities to lower victims’ suspicion.
More notably, the attackers built a “weaponized” version of Microsoft Visual Studio Code and distributed it through malicious Git repositories. A developer who unknowingly adopts such a build for daily work is running a backdoor that can stay hidden and active for an extended period without being detected. Editor binaries, extensions, and workspace configuration handed over during an interview should therefore be treated as untrusted input rather than as tooling.
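The clone-then-build step and the weaponized-editor delivery described above both depend on a repository doing something as a side effect of ordinary developer actions: installing dependencies, opening the folder, or running what looks like a helper. The following Python script is an added example (not code from the report, from the attackers' tooling, or from any vendor named here) that triages a freshly cloned repository before anyone runs `npm install` or opens it in an editor. It flags npm lifecycle scripts in `package.json`, VS Code tasks configured to run on folder open, native binaries committed to the tree, and `eval`/`exec` calls fed a long base64-looking blob. The sample repository it builds, its file names, and the size thresholds are constructed assumptions, not indicators from the campaign.

```python
"""Triage a freshly cloned 'take-home assignment' before installing or opening it.

Added example for this article; not code from the report, from the attackers'
tooling, or from any vendor named in the text. It flags the ways a repository
can run code as a side effect of routine developer actions:
  * npm lifecycle scripts in package.json (run by `npm install`)
  * VS Code tasks with "runOn": "folderOpen" in .vscode/tasks.json
  * native binaries or installers committed to the tree
  * eval/exec/Function/spawn handed a long base64-looking string literal
The sample repository, file names and thresholds below are constructed assumptions.
"""
import base64
import json
import re
import tempfile
from dataclasses import dataclass
from pathlib import Path

LIFECYCLE_HOOKS = {"preinstall", "install", "postinstall", "prepare", "prepublish"}
BINARY_SUFFIXES = {".exe", ".dll", ".msi", ".dmg", ".pkg", ".vsix", ".appimage", ".so", ".dylib", ".node"}
SOURCE_SUFFIXES = {".js", ".mjs", ".cjs", ".ts", ".py", ".sh", ".json"}
# eval(...) / exec(...) / Function(...) / spawn(...) followed within 80 chars by a
# quoted run of 64+ base64 characters: the usual shape of a packed second stage.
ENCODED_EVAL = re.compile(
    r"\b(eval|exec|Function|execSync|spawn)\b[^\n]{0,80}?['\"]([A-Za-z0-9+/=]{64,})['\"]"
)


@dataclass(frozen=True)
class Finding:
    path: str    # path relative to the repository root
    kind: str    # lifecycle_script | folder_open_task | committed_binary | encoded_eval
    detail: str


def _load_jsonc(text: str):
    """VS Code config files allow comments and trailing commas; strip both.
    Good enough for triage, not a full JSONC parser."""
    text = re.sub(r"^\s*//.*$", "", text, flags=re.MULTILINE)
    text = re.sub(r",(\s*[}\]])", r"\1", text)
    return json.loads(text)


def _looks_native(path: Path) -> bool:
    """Executable by extension, or by PE/ELF magic for files without one."""
    if path.suffix.lower() in BINARY_SUFFIXES:
        return True
    with path.open("rb") as fh:
        head = fh.read(4)
    return head.startswith(b"MZ") or head.startswith(b"\x7fELF")


def scan_repo(root: Path) -> list[Finding]:
    """Walk a checkout and return every auto-execution vector found."""
    findings: list[Finding] = []
    for path in sorted(root.rglob("*")):
        if not path.is_file() or ".git" in path.parts:
            continue
        rel = path.relative_to(root).as_posix()
        if path.name == "package.json":
            try:
                scripts = json.loads(path.read_text()).get("scripts", {})
            except ValueError:
                scripts = {}
            for hook in sorted(set(scripts) & LIFECYCLE_HOOKS):
                findings.append(Finding(rel, "lifecycle_script", f"{hook}: {scripts[hook]}"))
        elif path.name == "tasks.json" and path.parent.name == ".vscode":
            for task in _load_jsonc(path.read_text()).get("tasks", []):
                if task.get("runOptions", {}).get("runOn") == "folderOpen":
                    findings.append(Finding(rel, "folder_open_task",
                                            f"{task.get('label', '?')}: {task.get('command', '?')}"))
        if _looks_native(path):
            findings.append(Finding(rel, "committed_binary", "executable content checked into the repo"))
        elif path.suffix.lower() in SOURCE_SUFFIXES:
            for m in ENCODED_EVAL.finditer(path.read_text(errors="replace")):
                findings.append(Finding(rel, "encoded_eval",
                                        f"{m.group(1)}() on {len(m.group(2))}-char blob"))
    return findings


def build_sample_repo(base: Path) -> Path:
    """Constructed sample assignment with three auto-run hooks; the payload is a harmless print."""
    repo = base / "assignment"
    (repo / ".vscode").mkdir(parents=True)
    (repo / "src").mkdir()
    (repo / "tools").mkdir()
    stage_two = base64.b64encode(
        b"console.log('placeholder for the second-stage loader in the real sample');"
    ).decode()
    (repo / "package.json").write_text(json.dumps({
        "name": "assignment",
        "scripts": {"test": "node test.js", "postinstall": "node src/setup.js"},
    }))
    (repo / ".vscode" / "tasks.json").write_text(
        '{\n  // runs as soon as the folder is opened\n  "version": "2.0.0",\n'
        '  "tasks": [{"label": "bootstrap", "type": "shell", "command": "node src/setup.js",\n'
        '             "runOptions": {"runOn": "folderOpen"},}],\n}\n'
    )
    (repo / "src" / "setup.js").write_text(f'eval(Buffer.from("{stage_two}", "base64").toString());\n')
    (repo / "src" / "index.js").write_text("module.exports = (a, b) => a + b;\n")
    (repo / "tools" / "helper.exe").write_bytes(b"MZ\x90\x00" + b"\x00" * 60)  # fake PE header
    return repo


def demo() -> list[Finding]:
    """Build the constructed sample in a temp dir and triage it."""
    return scan_repo(build_sample_repo(Path(tempfile.mkdtemp(prefix="triage-"))))


if __name__ == "__main__":
    for f in demo():
        print(f"[{f.kind}] {f.path}: {f.detail}")
```

Against a real checkout, call `scan_repo(Path("/path/to/clone"))`. Any finding is a reason to do the exercise in a disposable VM rather than on a corporate laptop. VS Code's Workspace Trust prompt is what stands between a `folderOpen` task and execution, and a weaponized editor build sidesteps that prompt entirely, which is why the editor itself must come from the official distribution channel and never from a repository supplied by the "interviewer".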
Real-World Challenges to Enterprise Security Boundaries
The incident shows that attacks on the crypto and high-tech industries are expanding beyond on-chain theft into internal enterprise systems and human workflows. Development environments, recruitment processes, and open-source toolchains are all emerging as attack surfaces.
For enterprises handling digital assets, an internal compromise can leak core code or customer data, and, because wallet keys and signing infrastructure are often reachable from a compromised developer host, it can also put on-chain funds at risk and lead to compliance violations.
Rising Importance of Security and Compliance Capabilities
As attack methods become more covert, traditional network defenses alone no longer cover every risk scenario. For enterprises, integrating internal security management with on-chain behavior monitoring, and gradually building the capability to identify abnormal fund flows and their associated addresses, is becoming a critical component of systemic risk prevention.
In practice, on-chain risk analysis systems such as Trustformer KYT are increasingly used to complement enterprise incident response, supporting tracing, identification, and risk assessment from an on-chain perspective. As threat vectors continue to evolve, the importance of such capabilities becomes ever more apparent.