Verify a decision
Every moderation decision on AVOID.NET is anchored to the Solana blockchain. You don't have to trust us — you can verify cryptographically that we committed to a verdict at a specific moment and have not rewritten it.
How verification works
- We commit. When a moderator accepts or rejects a submission, we serialize the decision into deterministic UTF-8 bytes (payload_canonical_string), hash it with SHA-256, encode the digest as base58, and write it to Solana inside an SPL Memo v2 transaction.
- We store the bytes. The exact bytes we hashed are stored alongside the decision in our database. Anyone can read them and recompute the hash in any language.
- You compare three values. The database hash, your independently recomputed hash, and the hash inside the on-chain memo. If all three match, the decision is authentic and timestamped.
The on-chain memo format is AVOID.NET|v1|h:<b58-sha256>|d:<id>|t:<iso>
Find a signature on any investigation page's decision log, or run python -m src.verify_decision --signature <sig> for a CLI check.
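The three-way comparison described above, as an added example that is not AVOID.NET's own src.verify_decision module: it recomputes SHA-256 over the canonical UTF-8 bytes, base58-encodes the digest with the alphabet Solana uses, parses the documented memo layout, and compares database, recomputed and on-chain values. It also checks that the memo's d: field names the decision being verified, so a memo written for some other decision cannot be presented as proof. The sample payload, decision id and memo string are constructed for the example; fetching the real memo from Solana is left to the caller.

```python
"""Added example (not AVOID.NET code): verify a decision commitment offline."""
import hashlib
import re

# Base58 alphabet shared by Bitcoin and Solana (no 0, O, I, l).
B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

# Memo layout documented on the page: AVOID.NET|v1|h:<b58-sha256>|d:<id>|t:<iso>
MEMO_RE = re.compile(r"^AVOID\.NET\|v1\|h:([1-9A-HJ-NP-Za-km-z]+)\|d:([^|]+)\|t:([^|]+)$")


def b58encode(raw: bytes) -> str:
    """Base58-encode bytes; each leading zero byte becomes a leading '1'."""
    n = int.from_bytes(raw, "big")
    out = ""
    while n:
        n, rem = divmod(n, 58)
        out = B58_ALPHABET[rem] + out
    pad = len(raw) - len(raw.lstrip(b"\x00"))
    return "1" * pad + out


def commitment(canonical: str) -> str:
    """SHA-256 over the UTF-8 bytes of the canonical payload, as base58."""
    return b58encode(hashlib.sha256(canonical.encode("utf-8")).digest())


def parse_memo(memo: str) -> dict:
    """Split an on-chain memo into its hash, decision id and timestamp fields."""
    m = MEMO_RE.match(memo)
    if not m:
        raise ValueError("memo does not follow the AVOID.NET|v1 layout")
    return {"hash": m.group(1), "decision_id": m.group(2), "timestamp": m.group(3)}


def check_decision(canonical: str, db_hash: str, memo: str, decision_id: str) -> dict:
    """Compare database hash, recomputed hash and on-chain hash, and confirm the
    memo was written for this decision id. 'authentic' is True only if all hold."""
    recomputed = commitment(canonical)
    onchain = parse_memo(memo)
    db_ok = db_hash == recomputed
    chain_ok = onchain["hash"] == recomputed
    id_ok = onchain["decision_id"] == decision_id
    return {
        "recomputed": recomputed,
        "db_matches": db_ok,
        "chain_matches": chain_ok,
        "id_matches": id_ok,
        "authentic": db_ok and chain_ok and id_ok,
    }


# Constructed sample payload; the page's real canonical bytes run to 20623 chars.
SAMPLE_CANONICAL = '{"actor":"system:backfill","kind":"publish","page_slug":"example","sequence_num":1,"v":1}'
SAMPLE_ID = "00000000-0000-4000-8000-000000000000"  # placeholder decision id, not a real one

if __name__ == "__main__":
    h = commitment(SAMPLE_CANONICAL)
    memo = f"AVOID.NET|v1|h:{h}|d:{SAMPLE_ID}|t:2026-05-28T01:44:13.382Z"  # constructed memo
    print(check_decision(SAMPLE_CANONICAL, h, memo, SAMPLE_ID))
    # One extra byte in the stored payload breaks the recomputed hash, so both comparisons fail.
    print(check_decision(SAMPLE_CANONICAL + " ", h, memo, SAMPLE_ID)["authentic"])
```

Because the database value is also base58, a real check can be reduced to three string comparisons once the memo has been fetched by transaction signature.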
Decision
publish · Trifleck
- Sequence: #1
- Score: →
- Cluster: mainnet-beta
- Slot: 422622585
- Off-chain at: 2026-05-28T01:44:13.493Z
- Anchored at: —
- Block time: —
Independent verification
- 1. Database (off-chain): DVYer123EaGVZVq5PVcKHPjersZvFC5Mxj8mcD3RWMMP
- 2. Recomputed (your browser): computing…
- 3. On-chain (Solana memo): fetching…
Canonical bytes hashed (20623 chars)
{"actor":"system:backfill","investigation_id":"557dd4db-e870-418e-a663-106e68d930b0","kind":"publish","page_slug":"trifleck","published_at":"2026-05-28T01:44:13.382Z","sequence_num":1,"snapshot":{"content_type":"investigation","entity_name":"Trifleck","sections":[{"content":"Trifleck presents itself online as a B2B software development and digital growth partner helping businesses design, build, and scale high-impact digital products, with a listed address of 1133 Louisiana Ave, Winter Park, FL 32789, USA. No verifiable business registration for Trifleck has been found in Florida or Delaware public records. The trifleck.com domain was registered on May 21, 2025, through Namecheap, using an Icelandic privacy proxy (Withheld for Privacy ehf). The domain fleckpublisher.com, a suspected sister shell, was registered three hours and ten minutes after trifleck.com on the same date, sharing the same registrar, DNS provider (Vilords), and privacy proxy. Three additional shell entities — Fleck Publisher, Virginia Book Publisher, and The Creative Unit — have been identified sharing this same infrastructure cluster. The Creative Unit's LinkedIn page was deleted following public disclosure of the campaign.","heading":"Entity Overview and Business Registration Status","severity":"critical","sources":[{"credibility":2,"name":"Fake LinkedIn Recruiter Malware Scam (Trifleck) | Cyber Secify","type":"research","url":"https://cybersecify.com/blog/fake-recruiter-blockstar-trifleck-malware-india-2026/"}]},{"content":"On May 6, 2026, a senior frontend engineer in Bengaluru (identified as Anil N, with approximately 15 years of experience and formerly employed at io.net and Vimeo) received a LinkedIn connection request and direct message from a persona named John Burleson, claiming to be COO at Trifleck. The message offered a Frontend Expert position at $50–$100 per hour. 
The recruiter persona was not listed among Trifleck's LinkedIn employee directory and bypassed standard resume review, proceeding directly to a 'pre-interview code review' step. The attack followed what cybersecurity researchers describe as a 'familiar recruitment arc': screening questions, a project brief PDF, Calendly scheduling, and delivery of a malicious code package. The recruiter photo used by the John Burleson persona was verified to have been stolen from a 14-year-old Gravatar account (handle: pastorwynn), predating the trifleck.com domain registration by more than a decade. Four employees listed across Trifleck's LinkedIn profile, spanning four different countries, each showed an identical tenure of '5 years 1 month' at a company whose domain is approximately twelve months old. Trifleck's Terms of Service page was found to contain unfilled template placeholder text, a further indicator of a hastily constructed front.","heading":"Attack Campaign: LinkedIn Recruitment Lure","severity":"critical","sources":[{"credibility":2,"name":"Fake LinkedIn Recruiter Malware Scam (Trifleck) | Cyber Secify","type":"research","url":"https://cybersecify.com/blog/fake-recruiter-blockstar-trifleck-malware-india-2026/"},{"credibility":2,"name":"$17 billion lost to crypto scams in 2025. The fake job interview is the new front line.","type":"news_article","url":"https://www.cryptotimes.io/2026/05/26/web3-job-scams-fake-interview/"}]},{"content":"The malicious payload was delivered as a ZIP file named Blockstar.zip, purportedly containing a code review project. The ZIP contained a malicious npm project; executing git checkout dev triggered preinstall and postinstall npm hooks that silently installed malware. The malware family has been classified as Trojan-Downloader.Shell.Agent. 
This delivery method — abusing npm lifecycle scripts — is a documented hallmark of the broader Contagious Interview cluster, in which attackers weaponize Visual Studio Code task configurations, npm preinstall/postinstall hooks, and paste-and-run commands to achieve initial execution without requiring any overt user consent beyond running npm install. Shared infrastructure indicators include: Namecheap as the domain registrar, Vilords as the DNS provider, Withheld for Privacy ehf (Iceland) as the WHOIS privacy proxy, and a shared U.S. address (8201 Greensboro Dr, McLean VA 22102) appearing across at least two entities in the shell cluster.","heading":"Malware Delivery and Technical Indicators","severity":"critical","sources":[{"credibility":2,"name":"Fake LinkedIn Recruiter Malware Scam (Trifleck) | Cyber Secify","type":"research","url":"https://cybersecify.com/blog/fake-recruiter-blockstar-trifleck-malware-india-2026/"},{"credibility":1,"name":"Contagious Interview: Malware delivered through fake developer job interviews | Microsoft Security Blog","type":"research","url":"https://www.microsoft.com/en-us/security/blog/2026/03/11/contagious-interview-malware-delivered-through-fake-developer-job-interviews/"}]},{"content":"The Trifleck campaign shares tactical, technical, and procedural characteristics with the Contagious Interview cluster, which has been attributed by multiple independent threat intelligence organizations to DPRK-aligned state actors. Microsoft Threat Intelligence tracks this cluster as Sapphire Sleet. Palo Alto Unit 42 tracks it as CL-STA-0240. Mandiant tracks it as UNC5342. Trend Micro tracks it as Void Dokkaebi / Famous Chollima. The FBI has publicly associated the playbook with the label TraderTraitor. The cluster has been documented as continuously active since at least December 2022. 
Malware families associated with the broader cluster include OtterCookie (JavaScript-based backdoor), BeaverTail (infostealer/loader), InvisibleFerret (Python backdoor), and FlexibleFerret (Go/Python modular RAT). The Trifleck campaign's use of a malicious npm project with lifecycle hook execution, a stolen recruiter identity, fabricated company infrastructure, and targeting of Web3/crypto developers is consistent with the documented tactics of this cluster. Attribution of the Trifleck-specific instance to a nation-state actor has not been independently confirmed by a Tier 1 government source as of the date of this report; the connection to Contagious Interview tactics is assessed as high-confidence based on convergent Tier 1 and Tier 2 threat intelligence.","heading":"Attribution: Contagious Interview / DPRK Nexus","severity":"high","sources":[{"credibility":1,"name":"Contagious Interview: Malware delivered through fake developer job interviews | Microsoft Security Blog","type":"research","url":"https://www.microsoft.com/en-us/security/blog/2026/03/11/contagious-interview-malware-delivered-through-fake-developer-job-interviews/"},{"credibility":1,"name":"Dissecting Sapphire Sleet's macOS intrusion from lure to compromise | Microsoft Security Blog","type":"research","url":"https://www.microsoft.com/en-us/security/blog/2026/04/16/dissecting-sapphire-sleets-macos-intrusion-from-lure-to-compromise/"},{"credibility":2,"name":"Fake LinkedIn Recruiter Malware Scam (Trifleck) | Cyber Secify","type":"research","url":"https://cybersecify.com/blog/fake-recruiter-blockstar-trifleck-malware-india-2026/"}]},{"content":"The use of fabricated U.S.-registered shell companies to conduct malware campaigns targeting crypto developers has prior documented precedent attributed to Lazarus Group sub-units. 
In April 2025, the FBI seized the domain of Blocknovas LLC (registered in New Mexico at a South Carolina address that turned out to be an empty lot) and disclosed that it and Softglide LLC (registered in New York at a Buffalo tax office) had been used to distribute malware through fake developer job interviews. The FBI alleged those entities were operated by a Lazarus Group sub-unit under the Reconnaissance General Bureau (RGB). The Trifleck cluster employs the same registration pattern — a U.S. address with no verifiable physical presence, budget infrastructure, and Icelandic WHOIS privacy — that characterized the Blocknovas/Softglide operation. Trifleck itself is not named in any FBI or regulatory action as of this report's date.","heading":"Historical Context: DPRK Shell Company Precedents","severity":"high","sources":[{"credibility":2,"name":"Crypto Developers Targeted by U.S. Registered North Korean Firms | CoinDesk","type":"news_article","url":"https://www.coindesk.com/tech/2025/04/25/north-korean-hackers-targeting-crypto-developers-with-u-s-shell-firms"},{"credibility":2,"name":"FBI shuts down crypto fraud site linked to Lazarus Group | Coin Journal","type":"news_article","url":"https://coinjournal.net/news/fbi-seizes-crypto-scam-domain-tied-to-north-koreas-lazarus-group/"},{"credibility":2,"name":"Lazarus Group Slips Through US Business Systems With Fake LLCs To Spread Malware | CCN","type":"news_article","url":"https://www.ccn.com/news/crypto/lazarus-group-malware-fake-llc-us/"}]},{"content":"The initial-access playbook used in the Contagious Interview cluster — fake recruiter contact, fabricated company, malicious code-review task — has been linked by threat intelligence researchers to a pattern of devastating crypto protocol breaches. The Ronin Bridge was drained of approximately $620 million in March 2022 via a spear-phishing attack attributed by the FBI to Lazarus Group / APT38. 
CoinsPaid lost $37.3 million in July 2023; CoinsPaid's own post-incident report cited that an employee received a fake job offer and, during a staged interview process, was directed to install a malicious application that harvested credentials. Drift Protocol, the largest decentralized perpetual futures exchange on Solana, was exploited for approximately $285–286 million on April 1, 2026 following a multi-month social engineering campaign attributed with medium confidence to North Korean state-sponsored actors by Elliptic and TRM Labs. These precedents illustrate the scale of damage that can result when the initial-access technique deployed by campaigns like Trifleck succeeds.","heading":"Broader Campaign Damage: Prior Attacks Consistent with This Playbook","severity":"high","sources":[{"credibility":1,"name":"US Officials Tie North Korea's 'Lazarus' Hackers to $625M Ronin Exploit | CoinDesk","type":"news_article","url":"https://www.coindesk.com/policy/2022/04/14/us-officials-tie-north-korean-hacker-group-to-axies-ronin-exploit"},{"credibility":2,"name":"CoinsPaid blames Lazarus hackers for theft of $37,300,000 in crypto | BleepingComputer","type":"news_article","url":"https://www.bleepingcomputer.com/news/security/coinspaid-blames-lazarus-hackers-for-theft-of-37-300-000-in-crypto/"},{"credibility":2,"name":"$285 Million Drift Hack Traced to Six-Month DPRK Social Engineering Operation | The Hacker News","type":"news_article","url":"https://thehackernews.com/2026/04/285-million-drift-hack-traced-to-six.html"},{"credibility":2,"name":"North Korea-linked Elliptic/TRM Labs on Drift Protocol | Cryptopolitan","type":"news_article","url":"https://www.cryptopolitan.com/drift-protocol-exploit-linked-to-bybit-hack/"}]},{"content":"Cybersecurity researchers have identified a set of consistent red flags present in the Trifleck campaign and Contagious Interview-pattern attacks more broadly. 
These include: unsolicited LinkedIn contact from a recruiter not appearing in the company's own employee list; a 'review codebase before the interview' instruction (described by Cyber Secify as the 'single most consistent fingerprint' of the campaign); skipping resume review before delivering a code assignment; workforce composition anomalies (e.g., more HR and business development staff than engineers at an alleged software firm); backdated identical employment tenures across employees in multiple countries; and Terms of Service or legal pages containing unfilled template placeholders. The campaign has been documented continuously since December 2022 with no signs of abatement.","heading":"Warning Signals for Potential Targets","severity":"medium","sources":[{"credibility":2,"name":"Fake LinkedIn Recruiter Malware Scam (Trifleck) | Cyber Secify","type":"research","url":"https://cybersecify.com/blog/fake-recruiter-blockstar-trifleck-malware-india-2026/"},{"credibility":2,"name":"$17 billion lost to crypto scams in 2025. The fake job interview is the new front line.","type":"news_article","url":"https://www.cryptotimes.io/2026/05/26/web3-job-scams-fake-interview/"}]},{"content":"The malicious ZIP file delivered in this campaign was named Blockstar.zip. Blockstar Corporation is a real, unrelated Chicago-based blockchain technology firm. The use of the Blockstar name in the payload file is alleged to be deliberate identity misuse intended to lend the package a veneer of legitimacy, not an indication that Blockstar Corporation is involved in or aware of the campaign. 
The Cyber Secify investigation characterizes Blockstar Corporation as a victim of name misuse rather than a participant.","heading":"Relationship to Blockstar Corporation","severity":"low","sources":[{"credibility":2,"name":"Fake LinkedIn Recruiter Malware Scam (Trifleck) | Cyber Secify","type":"research","url":"https://cybersecify.com/blog/fake-recruiter-blockstar-trifleck-malware-india-2026/"}]}],"sources_used":[{"credibility":2,"name":"Fake LinkedIn Recruiter Malware Scam (Trifleck) | Cyber Secify","type":"research","url":"https://cybersecify.com/blog/fake-recruiter-blockstar-trifleck-malware-india-2026/"},{"credibility":2,"name":"$17 billion lost to crypto scams in 2025. The fake job interview is the new front line. | Crypto Times","type":"news_article","url":"https://www.cryptotimes.io/2026/05/26/web3-job-scams-fake-interview/"},{"credibility":1,"name":"Contagious Interview: Malware delivered through fake developer job interviews | Microsoft Security Blog","type":"research","url":"https://www.microsoft.com/en-us/security/blog/2026/03/11/contagious-interview-malware-delivered-through-fake-developer-job-interviews/"},{"credibility":1,"name":"Dissecting Sapphire Sleet's macOS intrusion from lure to compromise | Microsoft Security Blog","type":"research","url":"https://www.microsoft.com/en-us/security/blog/2026/04/16/dissecting-sapphire-sleets-macos-intrusion-from-lure-to-compromise/"},{"credibility":2,"name":"Crypto Developers Targeted by U.S. 
Registered North Korean Firms | CoinDesk","type":"news_article","url":"https://www.coindesk.com/tech/2025/04/25/north-korean-hackers-targeting-crypto-developers-with-u-s-shell-firms"},{"credibility":2,"name":"CoinsPaid blames Lazarus hackers for theft of $37,300,000 in crypto | BleepingComputer","type":"news_article","url":"https://www.bleepingcomputer.com/news/security/coinspaid-blames-lazarus-hackers-for-theft-of-37-300-000-in-crypto/"},{"credibility":1,"name":"US Officials Tie North Korea's 'Lazarus' Hackers to $625M Ronin Exploit | CoinDesk","type":"news_article","url":"https://www.coindesk.com/policy/2022/04/14/us-officials-tie-north-korean-hacker-group-to-axies-ronin-exploit"},{"credibility":2,"name":"$285 Million Drift Hack Traced to Six-Month DPRK Social Engineering Operation | The Hacker News","type":"news_article","url":"https://thehackernews.com/2026/04/285-million-drift-hack-traced-to-six.html"},{"credibility":2,"name":"Lazarus Group Slips Through US Business Systems With Fake LLCs To Spread Malware | CCN","type":"news_article","url":"https://www.ccn.com/news/crypto/lazarus-group-malware-fake-llc-us/"},{"credibility":2,"name":"FBI shuts down crypto fraud site linked to Lazarus Group | Coin Journal","type":"news_article","url":"https://coinjournal.net/news/fbi-seizes-crypto-scam-domain-tied-to-north-koreas-lazarus-group/"},{"credibility":2,"name":"Lazarus Campaign Plants Malicious Packages in npm and PyPI Ecosystems | The Hacker News","type":"news_article","url":"https://thehackernews.com/2026/02/lazarus-campaign-plants-malicious.html"},{"credibility":2,"name":"Drift Protocol exploit linked to Bybit hack | Cryptopolitan","type":"news_article","url":"https://www.cryptopolitan.com/drift-protocol-exploit-linked-to-bybit-hack/"}],"summary":"Trifleck is a shell company with no verifiable business registration used as a front in an active LinkedIn-based malware campaign targeting crypto and Web3 developers, first publicly disclosed in May 2026. 
The campaign delivers a malicious 'pre-interview code review' ZIP file containing infostealers after recruiters posing as Trifleck employees contact developers with frontend job offers. The attack pattern, infrastructure, and malware families are consistent with tactics attributed by Microsoft, Mandiant, Palo Alto Unit 42, and the FBI to DPRK-aligned threat actors operating under the cluster known as Contagious Interview.","timeline":[{"date":"2022-03-23","event":"Ronin Bridge drained of approximately $620 million by Lazarus Group via spear-phishing initial access, establishing the scale of damage possible from fake-recruiter playbooks.","source":"CoinDesk / FBI attribution","source_url":"https://www.coindesk.com/policy/2022/04/14/us-officials-tie-north-korean-hacker-group-to-axies-ronin-exploit"},{"date":"2022-12-01","event":"Contagious Interview cluster first documented as continuously active, per Microsoft Threat Intelligence.","source":"Microsoft Security Blog","source_url":"https://www.microsoft.com/en-us/security/blog/2026/03/11/contagious-interview-malware-delivered-through-fake-developer-job-interviews/"},{"date":"2023-07-22","event":"CoinsPaid loses $37.3 million in a Lazarus-attributed attack that began with a fake job offer and malicious interview task delivered to an employee.","source":"BleepingComputer","source_url":"https://www.bleepingcomputer.com/news/security/coinspaid-blames-lazarus-hackers-for-theft-of-37-300-000-in-crypto/"},{"date":"2025-04-25","event":"FBI seizes Blocknovas LLC domain; CoinDesk reports North Korean hackers created at least two fake U.S.-registered shell companies (Blocknovas LLC, Softglide LLC) to distribute malware via fake developer job interviews.","source":"CoinDesk","source_url":"https://www.coindesk.com/tech/2025/04/25/north-korean-hackers-targeting-crypto-developers-with-u-s-shell-firms"},{"date":"2025-05-21","event":"trifleck.com and fleckpublisher.com domains registered within 3 hours 10 minutes of each other via 
Namecheap, using Icelandic WHOIS privacy proxy.","source":"Cyber Secify investigation","source_url":"https://cybersecify.com/blog/fake-recruiter-blockstar-trifleck-malware-india-2026/"},{"date":"2026-03-11","event":"Microsoft publishes detailed technical analysis of the Contagious Interview malware cluster, documenting OtterCookie, BeaverTail, InvisibleFerret, and FlexibleFerret payloads and the npm lifecycle hook delivery method.","source":"Microsoft Security Blog","source_url":"https://www.microsoft.com/en-us/security/blog/2026/03/11/contagious-interview-malware-delivered-through-fake-developer-job-interviews/"},{"date":"2026-04-01","event":"Drift Protocol exploited for approximately $285–286 million following a multi-month DPRK social engineering operation; attributed with medium confidence to North Korean state actors by Elliptic and TRM Labs.","source":"The Hacker News","source_url":"https://thehackernews.com/2026/04/285-million-drift-hack-traced-to-six.html"},{"date":"2026-04-16","event":"Microsoft publishes macOS-specific analysis of Sapphire Sleet intrusion chain using fake Zoom SDK updates, documenting theft of crypto wallet keys, SSH keys, and macOS keychain data.","source":"Microsoft Security Blog","source_url":"https://www.microsoft.com/en-us/security/blog/2026/04/16/dissecting-sapphire-sleets-macos-intrusion-from-lure-to-compromise/"},{"date":"2026-05-06","event":"Anil N, a senior frontend engineer in Bengaluru, receives a LinkedIn connection request and direct message from 'John Burleson', claiming to be COO at Trifleck, offering a $50–$100/h frontend role.","source":"Cyber Secify","source_url":"https://cybersecify.com/blog/fake-recruiter-blockstar-trifleck-malware-india-2026/"},{"date":"2026-05-18","event":"Cyber Secify publishes first public disclosure of the Trifleck shell company and the Blockstar.zip malware delivery campaign, identifying four shell fronts sharing common infrastructure.","source":"Cyber 
Secify","source_url":"https://cybersecify.com/blog/fake-recruiter-blockstar-trifleck-malware-india-2026/"},{"date":"2026-05-26","event":"Crypto Times publishes broader analysis of the Web3 fake job interview threat landscape, reporting $17 billion in global crypto scam losses for 2025 and a 1,400% year-over-year rise in impersonation attacks.","source":"Crypto Times","source_url":"https://www.cryptotimes.io/2026/05/26/web3-job-scams-fake-interview/"}]},"v":1}