North Korean hackers target crypto devs with fake recruitment tests

North Korean hackers linked to the $1.4 billion Bybit exploit are reportedly targeting crypto developers using fake recruitment tests infected with malware. 

Cybersecurity outlet The Hacker News reported that crypto developers have received coding assignments from malicious actors posing as recruiters. The coding challenges have reportedly been used to deliver malware to unsuspecting developers.

Malicious actors approach crypto developers on LinkedIn and tell them about fraudulent career opportunities. Once they convince the developer, the hackers send a malicious document containing the details of a coding challenge on GitHub. If opened, the file installs stealer malware capable of compromising the victim’s system.

The scam is reportedly run by a North Korean hacking group known as Slow Pisces, also referred to as Jade Sleet, Pukchong, TraderTraitor and UNC4899. 

Hakan Unal, senior security operations center lead at security firm Cyvers, told Cointelegraph that the hackers often want to steal developer credentials and access codes. He said these actors often look for cloud configurations, SSH keys, iCloud Keychain, system and app metadata, and wallet access. 

Luis Lubeck, service project manager at security firm Hacken, told Cointelegraph that they also try to access API keys or production infrastructure. 

Lubeck said that the main platform used by these malicious actors is LinkedIn. However, the Hacken team observed hackers using freelance marketplaces like Upwork and Fiverr as well.

“Threat actors pose as clients or hiring managers offering well-paid contracts or tests, particularly in the DeFi or security space, which feels credible to devs,” Lubeck added. 

Hayato Shigekawa, principal solutions architect at Chainalysis, told Cointelegraph that the hackers often create “credible-looking” employee profiles on professional networking websites and match them with resumes that reflect their fake positions. 

They make all this effort to ultimately gain access to the Web3 company that employs their targeted developer. “After gaining access to the company, the hackers identify vulnerabilities, which ultimately can lead to exploits,” Shigekawa added. 

Related: Ethical hacker intercepts $2.6M in Morpho Labs exploit

Hacken’s onchain security researcher Yehor Rudytsia noted that attackers are becoming more creative, imitating bad traders to clean funds and utilizing psychological and technical attack vectors to exploit security gaps. 

“This makes developer education and operational hygiene just as important as code audits or smart contract protections,” Rudytsia told Cointelegraph. 

Unal told Cointelegraph that some of the best practices developers can adapt to avoid falling victim to such attacks include using virtual machines and sandboxes for testing, verifying job offers independently and not running code from strangers. 

The security professional added that crypto developers must avoid installing unverified packages and use good endpoint protection. 

Meanwhile, Lubeck recommended reaching out to official channels to verify recruiter identities. He also suggested avoiding storing secrets in plain text format.

“Be extra cautious with ‘too-good-to-be-true’ gigs, especially unsolicited ones,” Lubeck added. 

Magazine: Your AI ‘digital twin’ can take meetings and comfort your loved ones