06.02.2025
Oleg Tkachenko
Author and expert at Traders Union

Lazarus Group hackers target crypto investors via LinkedIn

North Korean hackers from the Lazarus Group are conducting a large-scale campaign using fraudulent job postings on LinkedIn. They steal job seekers’ browser credentials, hack cryptocurrency wallets, and establish persistent access to infected devices.

According to BitDefender Labs, the attackers reach out to victims with fake job offers via LinkedIn, tricking them into downloading and executing a malicious JavaScript stealer from a remote server.

"Our researchers discovered that the malware is a cross-platform stealer capable of running on Windows, macOS, and Linux," BitDefender stated in a blog post.

The malware is designed to target popular cryptocurrency wallets by tracking specific browser extensions associated with crypto assets.

An analysis of the malware and attack methods allowed researchers to link the campaign to North Korean hackers, specifically APT38, which has previously used similar tactics, including fake job listings and fraudulent job applications.

How the scam works

The fraudulent scheme begins with an enticing job offer on LinkedIn—collaborating on the development of a decentralized cryptocurrency exchange. Once the victim expresses interest, they are asked to provide a resume or GitHub link, which in itself can be exploited for fraudulent purposes. The attackers then share a repository containing a "minimum viable product" (MVP) of a fake crypto project.

Victims are also sent a document with questions that can only be answered by running the demo code from the repository. This action triggers the installation of malware, leading to device infection.

LinkedIn and Reddit users have already reported similar attacks where hackers asked them to clone a malicious repository or fix bugs in its code. BitDefender warns about key red flags, such as vague job descriptions, suspicious repositories, and poor communication, to help users avoid falling victim to these scams.

Meanwhile, North Korean hackers continue to attack cryptocurrency exchanges, while the U.S. and its allies are taking countermeasures.
