Trifleck
Summary
Trifleck is a shell company with no verifiable business registration used as a front in an active LinkedIn-based malware campaign targeting crypto and Web3 developers, first publicly disclosed in May 2026. The campaign delivers a malicious 'pre-interview code review' ZIP file containing infostealers after recruiters posing as Trifleck employees contact developers with frontend job offers. The attack pattern, infrastructure, and malware families are consistent with tactics attributed by Microsoft, Mandiant, Palo Alto Unit 42, and the FBI to DPRK-aligned threat actors operating under the cluster known as Contagious Interview.
Timeline (11 events)
2022-03-23
Ronin Bridge drained of approximately $620 million by Lazarus Group via spear-phishing initial access, establishing the scale of damage possible from fake-recruiter playbooks.
Source: CoinDesk / FBI attribution
2022-12-01
Contagious Interview cluster first documented as continuously active, per Microsoft Threat Intelligence.
Source: Microsoft Security Blog
2023-07-22
CoinsPaid loses $37.3 million in a Lazarus-attributed attack that began with a fake job offer and malicious interview task delivered to an employee.
Source: BleepingComputer
2025-04-25
FBI seizes Blocknovas LLC domain; CoinDesk reports North Korean hackers created at least two fake U.S.-registered shell companies (Blocknovas LLC, Softglide LLC) to distribute malware via fake developer job interviews.
Source: CoinDesk
2025-05-21
trifleck.com and fleckpublisher.com domains registered within 3 hours 10 minutes of each other via Namecheap, using Icelandic WHOIS privacy proxy.
Source: Cyber Secify investigation
2026-03-11
Microsoft publishes detailed technical analysis of the Contagious Interview malware cluster, documenting OtterCookie, BeaverTail, InvisibleFerret, and FlexibleFerret payloads and the npm lifecycle hook delivery method.
Source: Microsoft Security Blog
2026-04-01
Drift Protocol exploited for approximately $285–286 million following a multi-month DPRK social engineering operation; attributed with medium confidence to North Korean state actors by Elliptic and TRM Labs.
Source: The Hacker News
2026-04-16
Microsoft publishes macOS-specific analysis of Sapphire Sleet intrusion chain using fake Zoom SDK updates, documenting theft of crypto wallet keys, SSH keys, and macOS keychain data.
Source: Microsoft Security Blog
2026-05-06
Anil N, a senior frontend engineer in Bengaluru, receives a LinkedIn connection request and direct message from 'John Burleson', claiming to be COO at Trifleck, offering a $50–$100/h frontend role.
Source: Cyber Secify
2026-05-18
Cyber Secify publishes first public disclosure of the Trifleck shell company and the Blockstar.zip malware delivery campaign, identifying four shell fronts sharing common infrastructure.
Source: Cyber Secify
2026-05-26
Crypto Times publishes broader analysis of the Web3 fake job interview threat landscape, reporting $17 billion in global crypto scam losses for 2025 and a 1,400% year-over-year rise in impersonation attacks.
Source: Crypto Times
Decision Log
- hash: DVYer123EaGVZVq5PVcKHPjersZvFC5Mxj8mcD3RWMMP
This investigation is cryptographically anchored to the Solana blockchain and source URLs are archived via the Internet Archive.
model: claude-sonnet-4-6
generated: 5/28/2026, 1:44:01 AM
last updated: 5/28/2026, 1:44:13 AM
avoid.net — verified advice for a post-truth world