NICKEL ALLEY strategy: Fake it ‘til you make it
Contents
NICKEL ALLEY strategy: Fake it ‘til you make it
Victimizing software developers via fake companies, jobs, and code repositories to steal cryptocurrency
March 23, 2026
Author - Sophos Logo
Written by Sophos Counter Threat Unit Research Team
Fake building, just a facade
Threat Research
NICKEL ALLEY
Contagious Interview
North Korea
clickfix
Copy linkLink Copied
X (Twitter) logo
LinkedIn logo
Facebook logo
Counter Threat Unit™ (CTU) researchers continue to investigate trends in Contagious Interview campaign activity conducted by NICKEL ALLEY, a threat group operating on behalf of the North Korean government. The group notoriously targets professionals in the technology sector by advertising fake job opportunities, deceiving prospective candidates through a fake job interview process, and ultimately delivering malware.
In targeted attacks, NICKEL ALLEY often creates a fake LinkedIn company page to build credibility and maintains a coordinating GitHub account for malware delivery. In some instances, the threat actors have used the popular ‘ClickFix’ tactic to deliver malware via fake job skills assessment tasks. Additionally, the group …
Victimizing software developers via fake companies, jobs, and code repositories to steal cryptocurrency
March 23, 2026
Author - Sophos Logo
Written by Sophos Counter Threat Unit Research Team
Fake building, just a facade
Threat Research
NICKEL ALLEY
Contagious Interview
North Korea
clickfix
Copy linkLink Copied
X (Twitter) logo
LinkedIn logo
Facebook logo
Counter Threat Unit™ (CTU) researchers continue to investigate trends in Contagious Interview campaign activity conducted by NICKEL ALLEY, a threat group operating on behalf of the North Korean government. The group notoriously targets professionals in the technology sector by advertising fake job opportunities, deceiving prospective candidates through a fake job interview process, and ultimately delivering malware.
In targeted attacks, NICKEL ALLEY often creates a fake LinkedIn company page to build credibility and maintains a coordinating GitHub account for malware delivery. In some instances, the threat actors have used the popular ‘ClickFix’ tactic to deliver malware via fake job skills assessment tasks. Additionally, the group …