North Korean hackers use new scam method against crypto developers

North Korean cybercriminals have reportedly launched a sophisticated new campaign aimed at compromising crypto developers through fraudulent job offers and malware-laced coding challenges.
The campaign is linked to the hacking group Slow Pisces—also known as Jade Sleet or TraderTraitor—which is suspected of orchestrating the recent $1.4 billion Bybit exploit, reports Cointelegraph.
According to a report by The Hacker News, attackers are posing as recruiters on LinkedIn, enticing developers with lucrative career opportunities. Once contact is made, victims are sent fake coding tests hosted on GitHub. Opening these documents triggers the installation of stealer malware designed to access developer credentials, SSH keys, API tokens, and wallet data.
Experts warn the goal is to breach the developer’s employer, identify infrastructure vulnerabilities, and ultimately execute large-scale crypto heists.
Security experts urge caution and operational hygiene
Hakan Unal, senior SOC lead at Cyvers, said that the hackers are interested in compromising cloud services, extracting iCloud Keychains, and breaching wallets. Hacken’s Luis Lubeck added that attackers also use freelance platforms like Upwork and Fiverr to reach victims, often posing as clients hiring for DeFi or Web3 security roles.
“These actors are creating entire false identities, including resumes and professional profiles, to trick developers,” said Hayato Shigekawa of Chainalysis. Once inside a company’s network, the group looks for exploitable vulnerabilities to execute damaging attacks.
Lubeck and other experts recommend that developers remain skeptical of unsolicited gigs, particularly those that offer unusually high compensation. Developers should verify recruiter identities through official company channels, avoid running unknown code, and use sandbox environments for testing. Additional tips include refraining from storing secrets in plain text and adopting strong endpoint protection.
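One way to act on the plain-text-secrets advice above, as an added example that is not part of the original article: a small audit that flags SSH private keys stored without a passphrase and secret-looking assignments in files such as `.env`. The function names are hypothetical, the keyword list is an assumption, and the sample files are constructed (header-only fake key blobs and a dummy value).

```python
import base64, re, struct, tempfile
from pathlib import Path

MAGIC = b"openssh-key-v1\0"  # header of the OpenSSH private key format
SECRET_NAME = re.compile(r"^\s*(?:export\s+)?(\w*(?:TOKEN|SECRET|PASSWORD|API_KEY)\w*)\s*=\s*\S+", re.I | re.M)

def ssh_key_state(text):
    """Return 'plaintext', 'encrypted', or None when text holds no private key."""
    m = re.search(r"-----BEGIN ([A-Z ]*)PRIVATE KEY-----(.*?)-----END", text, re.S)
    if not m:
        return None
    kind, body = m.group(1).strip(), m.group(2)
    if kind == "OPENSSH":
        try:
            blob = base64.b64decode("".join(body.split()))
        except ValueError:
            return None
        if not blob.startswith(MAGIC) or len(blob) < len(MAGIC) + 4:
            return None
        (n,) = struct.unpack(">I", blob[len(MAGIC):len(MAGIC) + 4])
        cipher = blob[len(MAGIC) + 4:len(MAGIC) + 4 + n]  # "none" means no passphrase
        return "plaintext" if cipher == b"none" else "encrypted"
    if kind == "ENCRYPTED" or "Proc-Type: 4,ENCRYPTED" in body:  # PKCS#8 / legacy PEM
        return "encrypted"
    return "plaintext"

def audit(root):
    """List (file name, issue) pairs; secret values are never returned or printed."""
    findings = []
    for p in sorted(q for q in Path(root).rglob("*") if q.is_file()):
        text = p.read_text(errors="ignore")
        if ssh_key_state(text) == "plaintext":
            findings.append((p.name, "private key without passphrase"))
        for name in SECRET_NAME.findall(text):
            findings.append((p.name, f"plaintext secret {name}"))
    return findings

def demo():  # constructed sample files only; helper names are this example's own
    def fake_key(cipher):  # constructed header-only blob, not a usable key
        blob = MAGIC + struct.pack(">I", len(cipher)) + cipher + b"\0" * 32
        b64 = base64.b64encode(blob).decode()
        return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{b64}\n-----END OPENSSH PRIVATE KEY-----\n"
    with tempfile.TemporaryDirectory() as d:
        (Path(d) / "id_ed25519").write_text(fake_key(b"none"))
        (Path(d) / "id_rsa").write_text(fake_key(b"aes256-ctr"))
        (Path(d) / ".env").write_text("EXCHANGE_API_KEY=dummy-value\nDEBUG=1\n")
        return audit(d)

if __name__ == "__main__":
    print(demo())
```

Pointing `audit()` at a project checkout or a home directory gives a quick list of items to move into a passphrase-protected key or a secrets manager.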
As attackers become more technically and psychologically sophisticated, Yehor Rudytsia of Hacken stressed the importance of “operational hygiene,” noting that education and secure practices are as vital as smart contract audits.
This latest wave of attacks highlights the continued cybersecurity challenges facing the crypto industry and the growing role of state-backed actors in exploiting Web3’s vulnerabilities.
Recently we wrote that the Lazarus Group has infected hundreds of software developers, deploying malware via npm packages to steal credentials, extract crypto wallet data, and install a persistent backdoor.