The notorious North Korean hacking group Lazarus has found a new way to target vulnerable users and steal their assets. According to SlowMist, a blockchain security analytics firm, Lazarus members are posing as blockchain developers in the cryptocurrency industry on LinkedIn in order to deceive victims. The hackers invite victims to access their repository and run code snippets, which contain malicious code that steals confidential information and assets.
This is not the first time Lazarus has used LinkedIn for targeted attacks. In December 2023, they posed as a Meta recruiter and asked victims to download coding challenges as part of a hiring procedure. These coding files contained malware that released a Trojan, allowing remote access to the victim’s work computer.
Lazarus has a notorious history of stealing crypto assets, having stolen over $3 billion so far. Despite facing sanctions, the group continues to target crypto firms. In a previous incident, they used fake job interviews to steal $37 million from a crypto payment firm called CoinsPaid.
The 2022 Ronin Bridge hack was one of Lazarus’ biggest heists, resulting in the theft of $625 million. To launder stolen funds back to North Korea, the group often uses crypto mixing services, and the laundered funds are then used to fund the country’s military operations.
While crypto firms are frequently targeted by hacker groups, the decentralized nature of blockchain makes it challenging for the attackers to move the stolen funds. Cryptocurrency platforms often track and block identified hackers. For example, in February 2023, Huobi and Binance froze $1.4 million worth of crypto assets linked to North Korea, and crypto exchanges also froze $63 million worth of assets related to the Harmony Bridge hack.