North Korean Hackers Target Cryptocurrency Developers With Malware

North Korean hackers, linked to the $1.4 billion Bybit exploit, have been targeting cryptocurrency developers through fake recruitment tests. The tests are malware-laced files that deliver stealer malware to unsuspecting developers. The hackers approach developers on professional networking platforms, posing as recruiters offering fraudulent career opportunities. Once the developer is convinced, they are sent a malicious document containing a coding challenge hosted on GitHub. Opening this file installs the malware, compromising the victim’s system.
The scam is reportedly run by a North Korean hacking group known by various names, including Slow Pisces, Jade Sleet, Pukchong, TraderTraitor, and UNC4899. These hackers often target developer credentials and access codes, looking for cloud configurations, SSH keys, iCloud Keychain, system and app metadata, and wallet access. They also attempt to access API keys or production infrastructure. The main platform used by these malicious actors is LinkedIn, but they have also been observed using freelance marketplaces like Upwork and Fiverr. The hackers create credible-looking employee profiles on professional networking websites, matching them with resumes that reflect their fake positions. This effort is aimed at gaining access to the Web3 company that employs their targeted developer, ultimately identifying vulnerabilities that can lead to exploits.
Cybersecurity professionals warn that attackers are becoming more creative, utilizing psychological and technical attack vectors to exploit security gaps. This makes developer education and operational hygiene just as important as code audits or smart contract protections. Best practices for developers to avoid falling victim to such attacks include using virtual machines and sandboxes for testing, verifying job offers independently, and not running code from strangers. Additionally, developers should avoid installing unverified packages and use good endpoint protection. It is also recommended to reach out to official channels to verify recruiter identities and avoid storing secrets in plain text format. Developers should be extra cautious with ‘too-good-to-be-true’ gigs, especially unsolicited ones.
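The advice above to treat unsolicited coding challenges as untrusted code can be turned into a first triage step before anything is installed or executed: check what the repository will run at install time and flag the obfuscation patterns stealers commonly rely on. The script below is an added example written for this page, not code from the article or from any of the named groups; it builds a constructed sample repository in a temporary directory (the package name, scripts and payload string are all made up) and reports lifecycle hooks in `package.json` plus `eval`-style execution, process spawning and long base64-looking literals in source files. It is a review aid to run before opening a project in a sandbox, not a malware detector, and it will produce some noise on legitimate code.

```python
import base64
import json
import os
import re
import shutil
import tempfile

# npm lifecycle scripts that execute shell commands automatically on `npm install`.
LIFECYCLE_KEYS = {"preinstall", "install", "postinstall", "prepare", "prepublish"}

# Heuristic indicators worth a human look before any code is run (assumed list, not exhaustive).
SUSPICIOUS = [
    ("eval/exec of dynamic string", re.compile(r"\b(eval|exec|Function)\s*\(")),
    ("child process spawn", re.compile(r"\b(child_process|subprocess|os\.system)\b")),
    ("long base64-looking literal", re.compile(r"[A-Za-z0-9+/]{120,}={0,2}")),
]

SOURCE_SUFFIXES = (".js", ".ts", ".py", ".sh")


def scan_package_json(text):
    """Return lifecycle hooks declared in a package.json that would run on install."""
    try:
        data = json.loads(text)
    except json.JSONDecodeError:
        return ["package.json is not valid JSON"]
    scripts = data.get("scripts") or {}
    return [f"lifecycle script {k!r} runs: {v}" for k, v in scripts.items() if k in LIFECYCLE_KEYS]


def scan_source(text, name):
    """Return 'file:line: indicator' findings for each suspicious pattern in a source file."""
    findings = []
    for label, pattern in SUSPICIOUS:
        for match in pattern.finditer(text):
            line_no = text.count("\n", 0, match.start()) + 1
            findings.append(f"{name}:{line_no}: {label}")
    return findings


def scan_repo(root):
    """Walk a checked-out repository and collect findings without executing anything in it."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            path = os.path.join(dirpath, fn)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            try:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    text = fh.read()
            except OSError:
                continue
            if fn == "package.json":
                findings.extend(f"{rel}: {f}" for f in scan_package_json(text))
            elif fn.endswith(SOURCE_SUFFIXES):
                findings.extend(scan_source(text, rel))
    return findings


def build_constructed_sample():
    """Write a constructed 'coding challenge' repo to a temp dir (illustrative data only)."""
    root = tempfile.mkdtemp(prefix="challenge-")
    os.makedirs(os.path.join(root, "scripts"))
    package = {
        "name": "interview-task",  # constructed name
        "scripts": {"test": "node test.js", "postinstall": "node scripts/setup.js"},
    }
    with open(os.path.join(root, "package.json"), "w", encoding="utf-8") as fh:
        json.dump(package, fh)
    blob = base64.b64encode(b"A" * 100).decode()  # harmless filler standing in for a payload
    with open(os.path.join(root, "scripts", "setup.js"), "w", encoding="utf-8") as fh:
        fh.write("// constructed: decodes an embedded string and executes it\n")
        fh.write(f"const p = '{blob}';\n")
        fh.write("eval(decode(p));\n")
    with open(os.path.join(root, "src.js"), "w", encoding="utf-8") as fh:
        fh.write("module.exports = (a, b) => a + b;\n")
    return root


def demo():
    """Build the constructed sample, scan it, clean up, and return sorted findings."""
    root = build_constructed_sample()
    try:
        return sorted(scan_repo(root))
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

The point of the `postinstall` check is that an `npm install` run to "get the tests working" is already code execution; a challenge that needs an install hook to run arbitrary scripts should be read in full, in an isolated VM, before any package manager touches it.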
This tactic by North Korean hackers highlights the importance of vigilance and security awareness among cryptocurrency developers. It is crucial for developers to verify the legitimacy of recruitment offers and to be cautious of any suspicious activities. Companies in the cryptocurrency industry should implement robust security measures to protect against such attacks, including regular security audits and employee training on cybersecurity best practices. The targeting of cryptocurrency developers by North Korean hackers underscores the need for increased collaboration between the industry and law enforcement agencies. By sharing information and resources, the industry can better defend against these sophisticated attacks and protect the integrity of the cryptocurrency ecosystem.