#North Korean hackers target Web3 developers#


Hot Topic Overview

The Lazarus Group, a North Korean hacking group, is targeting Web3 and cryptocurrency developers with a cyberattack dubbed “Operation 99.” The attackers pose as recruiters and use platforms like LinkedIn to entice developers into fake project testing and code reviews. They then trick the developers into cloning a GitLab repository containing malicious code, which injects modular malware into their systems. The malware is cross-platform, can steal high-value data such as passwords, API keys, and cryptocurrency wallet information, and maintains its connection through highly obfuscated command-and-control (C2) servers to keep the attackers' activity as inconspicuous as possible.

Ace Hot Topic Analysis


The Lazarus Group, a North Korean hacking group, is targeting Web3 and cryptocurrency developers with a cyberattack campaign dubbed "Operation 99." The attackers pose as recruiters and post fake job listings on platforms like LinkedIn, using project testing and code review as bait to entice developers. Once a victim bites, they are directed to clone a malicious GitLab repository that appears harmless but actually contains malicious code. The cloned code connects to a command-and-control (C2) server and embeds malware in the victim's environment, giving the attackers control of the victim's computer. The malware is cross-platform, steals high-value data such as passwords, API keys, and cryptocurrency wallet information, and maintains its connection through highly obfuscated C2 servers to maximize stealth. SlowMist CISO 23pds reminds Web3 developers to be vigilant, not to trust unsolicited job postings, and to carefully examine code sources to avoid cloning malicious code repositories.
