Crypto Wasted: BlueNoroff’s Ghost Mirage of Funding and Jobs
2025-10-29 • Kaspersky •
BlueNoroff/APT38 activity described in the presentation spans two financially motivated campaign tracks against the Web3 and cryptocurrency ecosystem. Ghost to Gold targets executives, founders, investors, and venture-capital contacts with compromised Telegram accounts, fake Zoom-style meeting pages, macOS shell/Swift credential theft, and stolen victim video/profile material reused for follow-on social engineering. Ghost to Hire targets developers and engineers through recruiter personas, deceptive LinkedIn/Telegram contact, and malicious coding-assessment projects that pull Windows scripts and additional Go/Rust payloads. The speakers connect the campaigns through overlapping infrastructure, targeting, and earlier SnatchCrypto-linked activity, with observed theft of browser-extension, password-manager, keychain, cloud, GitHub, npm, and cryptocurrency-related credentials.