#North Korean hackers target Web3 developers#


Hot Topic Overview

Overview

The Lazarus Group, a North Korean hacking group, has launched a cyberattack dubbed "Operation 99" targeting Web3 and cryptocurrency software developers. The attackers, posing as recruiters, lure developers on platforms like LinkedIn into participating in disguised project testing and code reviews. They then trick them into cloning a GitLab repository containing malicious code, thus implanting modular malware into the victims' systems. This malware can steal high-value data such as passwords, API keys, and cryptocurrency wallet information, and maintains connections through highly obfuscated command-and-control (C2) servers to maximize the concealment of their actions.

Ace Hot Topic Analysis

小 A

Analysis

The North Korean hacking group Lazarus Group launched a cyberattack dubbed "Operation 99" targeting Web3 and cryptocurrency software developers. The attackers impersonated recruiters, posting fake job listings on platforms like LinkedIn to lure developers into participating in seemingly legitimate project testing and code review. Once victims take the bait, they are directed to clone a GitLab repository that appears benign but actually contains malicious code. Once cloned, the code connects to a command-and-control (C2) server and embeds malware in the victim's environment, giving the attackers control of the computer. The malware is cross-platform, can steal high-value data such as passwords, API keys, and cryptocurrency wallet information, and maintains its connection through highly obfuscated C2 servers to minimize its exposure. SlowMist CISO 23pds urges developers to exercise caution, not to trust job offers from strangers, and to thoroughly examine the source of any code repository to avoid infection by malicious code.
