North Korean Hackers Target Crypto Developers with Fake Recruitment Tests
North Korean hackers linked to the $1.4 billion Bybit exploit have been targeting crypto developers using fake recruitment tests infected with malware, according to cybersecurity experts.
The malicious actors, known as Slow Pisces, Jade Sleet, Pukchong, TraderTraitor and UNC4899, are reportedly approaching crypto developers on LinkedIn and pitching them fraudulent career opportunities. Once they have won over the developer, the hackers send a malicious document containing the details of a coding challenge on GitHub.
If opened, the file installs stealer malware capable of compromising the victim's system. Cybersecurity professionals warn that these actors often want to steal developer credentials and access codes.
"These actors look for cloud configurations, SSH keys, iCloud Keychain, system and app metadata, and wallet access," said Hakan Unal, senior security operations center lead at security firm Cyvers. "They also try to access API keys or production infrastructure."
Luis Lubeck, service project manager at security firm Hacken, added that the main platform used by these malicious actors is LinkedIn. However, they also use freelance marketplaces like Upwork and Fiverr to target unsuspecting developers.
"Threat actors pose as clients or hiring managers offering well-paid contracts or tests, particularly in the DeFi or security space, which feels credible to devs," Lubeck said. "They create 'credible-looking' employee profiles on professional networking websites and match them with resumes that reflect their fake positions."
The hackers ultimately aim to gain access to the Web3 company that employs the targeted developer, where they can identify vulnerabilities that can lead to exploits.
"After gaining access to the company, the hackers identify vulnerabilities, which ultimately can lead to exploits," said Hayato Shigekawa, principal solutions architect at Chainalysis. "This makes developer education and operational hygiene just as important as code audits or smart contract protections."
Cybersecurity researcher Yehor Rudytsia noted that attackers are becoming more creative, imitating bad traders to clean funds and utilizing psychological and technical attack vectors to exploit security gaps.
"This makes developer education and operational hygiene just as important as code audits or smart contract protections," Rudytsia said. "Attackers are becoming more sophisticated, and it's crucial for developers to be aware of these tactics."
Unal recommended that crypto developers use virtual machines and sandboxes for testing, verify job offers independently, and not run code from strangers.
"Some of the best practices developers can adapt to avoid falling victim to such attacks include using virtual machines and sandboxes for testing," Unal said. "Verify job offers independently and do not install unverified packages."
Lubeck suggested verifying recruiter identities through official channels and not storing secrets in plain text.
"Be extra cautious with 'too-good-to-be-true' gigs, especially unsolicited ones," Lubeck added. "Reaching out to official channels to verify recruiter identities is crucial."