North Korean Hackers Exploit LinkedIn Job Offers to Target Devs and Tech Professionals

North Korean hackers are exploiting LinkedIn tech job offers to install malware on Windows, macOS, and Linux, stealing crypto wallets and credentials.

Cybercriminals linked to North Korea’s Lazarus Group have launched a deceptive LinkedIn scam targeting professionals in the cryptocurrency and technology sectors. Masquerading as recruiters, they offer fake job opportunities to trick victims into downloading malware that steals credentials, financial information, and digital assets.

Bitdefender researchers uncovered the scheme after the hackers mistakenly sent a fraudulent job offer to one of their own cybersecurity experts, allowing the company to analyze the attack’s multi-stage infection chain.

The malware, engineered to run on Windows, macOS, and Linux, can steal stored browser credentials, hijack cryptocurrency transactions, and maintain long-term system access.

While phishing attacks on job seekers are not new, this campaign highlights a growing trend in cybercrime: the use of professional networking platforms as attack vectors. It also connects to a broader pattern of previous Lazarus operations.

A Fake Job Offer Leading to Full-System Compromise

The attack begins with a seemingly ordinary LinkedIn recruiter message offering a role in a crypto startup or financial technology firm. Once the victim expresses interest, the attacker requests a resume or a link to the candidate’s GitHub profile.

Source: BitDefender

After establishing credibility, the recruiter provides a link to a GitHub repository containing what is described as a “minimum viable product” (MVP) of the company’s project.

Source: BitDefender

Running the project triggers the execution of malicious JavaScript code, deploying an info-stealer that extracts saved browser credentials, session cookies, and cryptocurrency wallet data.

According to Bitdefender’s report, “this info-stealer is engineered to target a range of popular cryptocurrency wallets by looking up for the crypto-related browsing extensions.” The malware then transmits this data to an attacker-controlled server, enabling further exploitation.

LinkedIn users and developers on Reddit have reported similar scams where recruiters push victims to clone repositories or run “demo applications” that deliver hidden payloads. These tactics mirror other Lazarus Group recruitment scams, such as their efforts to impersonate aerospace and defense industry recruiters in previous cyber espionage operations.

How the Malware Gains Persistent Access

The infection does not stop at initial credential theft. The JavaScript-based malware executes a secondary Python script, main99_65.py, which deploys multiple malicious modules. These include:

mlip.py: Monitors clipboard activity and replaces copied cryptocurrency addresses with attacker-controlled wallet addresses.

pay.py: Scans the system for financial documents, environment variables, and private keys before exfiltrating them to a command-and-control (C2) server.

bow.py: Extracts saved passwords, payment information, and autofill data from popular browsers such as Chrome, Brave, and Edge.

To ensure long-term persistence, a separate .NET-based payload disables Microsoft Defender, alters security settings, and establishes an encrypted C2 communication channel.

The technical complexity of this attack resembles Lazarus Group’s previous exploits, where they used Windows zero-day vulnerabilities to disable security tools and maintain covert access to enterprise systems.

LinkedIn and GitHub: Cybercriminals’ New Hunting Grounds

Social engineering attacks targeting professionals on LinkedIn have been increasing, as cybercriminals recognize that job seekers are more likely to open links and execute code from trusted sources. Lazarus Group, in particular, has repeatedly exploited professional networking platforms to conduct corporate espionage and financial fraud.

The group was previously linked to attacks on cryptocurrency firms through another North Korean-affiliated hacking unit, BlueNoroff. In that campaign, hackers tricked financial professionals into opening malicious documents disguised as investment reports.

Lazarus has also leveraged GitHub as a malware distribution vector. By hosting their malicious payloads on GitHub repositories, attackers bypass traditional email-based phishing detection systems. This method allows them to distribute malware through platforms that software engineers inherently trust.

The increasing reliance on cloud-based collaboration tools has made these platforms particularly vulnerable. In 2022, security researchers uncovered a separate Lazarus campaign where Windows Update was used to deliver malware, further demonstrating the group’s ability to exploit legitimate systems for nefarious purposes.

Why Lazarus Group Keeps Targeting Crypto and Finance

The targeting of cryptocurrency developers and financial analysts is not random. North Korea has relied on state-sponsored hacking to circumvent international sanctions and generate illicit revenue. Lazarus Group’s operations are estimated to have stolen billions of dollars in cryptocurrency, with one of the most high-profile cases being the $617 million Ronin Bridge hack in 2022.

Beyond financial theft, the group’s tactics align with broader espionage efforts. Reports have suggested that Lazarus Group has also been involved in targeting defense, nuclear, and aerospace firms, using recruitment scams similar to the LinkedIn attacks seen in the cryptocurrency sector.

These activities have not gone unnoticed by global authorities. The U.S. Treasury Department has repeatedly sanctioned entities linked to Lazarus Group, stating that their cyber operations directly finance North Korea’s weapons programs.

In March 2020, two Chinese nationals were sanctioned for laundering cryptocurrency stolen by the Lazarus Group. Virtual currency mixer Blender.io was sanctioned for its role in processing funds stolen by the North Korean hackers. Tornado Cash, another cryptocurrency mixer, was sanctioned for laundering over $455 million stolen by the Lazarus Group. And most recently, in November 2023, the Treasury sanctioned Sinbad.io, another cryptocurrency mixer that processed millions of dollars from Lazarus Group heists.

Protecting Against Recruitment-Based Cyber Threats

As job seekers increasingly rely on online networking for career opportunities, vigilance is essential to avoid falling victim to LinkedIn-based cyberattacks.

Bitdefender’s researchers recommend verifying job offers through official company websites rather than relying solely on LinkedIn profiles. If a recruiter provides a GitHub repository or a software demo, it should be examined in a sandboxed environment or a disposable virtual machine, never executed directly on the candidate’s own workstation.
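As an added example (not code from Bitdefender or from the article), the following Python script shows the kind of static pre-execution triage a developer can run on a recruiter-supplied repository before installing or running it: it lists npm lifecycle hooks that would fire on `npm install`, and flags JavaScript files containing generic red flags such as `eval`, `child_process` usage, quoted Python interpreter names, or very long base64 strings. The sample repository, the indicator patterns and the file names are constructed for this example.

```python
import json
import re
import tempfile
from pathlib import Path

# Generic red flags worth a human look before running a stranger's "MVP";
# constructed for this example, not signatures from Bitdefender's report.
SUSPICIOUS_JS = {
    "eval_or_function": re.compile(r"\b(eval|new\s+Function)\s*\("),
    "child_process": re.compile(r"require\(\s*['\"]child_process['\"]\s*\)"),
    "spawns_python": re.compile(r"['\"](python3?|py)['\"]"),
    "long_base64_blob": re.compile(r"['\"][A-Za-z0-9+/=]{200,}['\"]"),
}
# npm runs these automatically on `npm install`, before any code is reviewed.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")

def triage_repo(root):
    """Return (relative_path, finding) tuples for a cloned repository."""
    root = Path(root)
    findings = []
    pkg = root / "package.json"
    if pkg.exists():
        scripts = json.loads(pkg.read_text()).get("scripts", {})
        for hook in LIFECYCLE_HOOKS:
            if hook in scripts:
                findings.append(("package.json", f"lifecycle hook '{hook}': {scripts[hook]}"))
    for js in root.rglob("*.js"):
        if "node_modules" in js.parts:  # skip vendored dependencies
            continue
        text = js.read_text(errors="replace")
        for name, pattern in SUSPICIOUS_JS.items():
            if pattern.search(text):
                findings.append((js.relative_to(root).as_posix(), name))
    return findings

def build_sample_repo():
    """Constructed sample: a tiny 'demo' whose postinstall hook runs an obfuscated loader."""
    root = Path(tempfile.mkdtemp())
    (root / "package.json").write_text(json.dumps({
        "name": "mvp-demo",
        "scripts": {"postinstall": "node setup.js", "start": "node index.js"}}))
    (root / "index.js").write_text("console.log('hello from the demo');\n")
    (root / "setup.js").write_text(
        "const cp = require('child_process');\n"
        "const blob = '" + "QUJD" * 60 + "';\n"
        "eval(Buffer.from(blob, 'base64').toString());\n")
    return root
```

Calling `triage_repo()` on the constructed sample reports the `postinstall` hook plus three indicators in `setup.js`, while the harmless `index.js` produces nothing; a real triage run would point it at the cloned repository directory instead.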

Organizations should also educate employees on how to spot social engineering tactics. Many companies now enforce policies against executing code from unverified sources, especially within the software development and finance sectors.

AI-generated recruiter profiles have further complicated the fight against cyber fraud. Some attackers use deepfake-generated headshots and fabricated work histories to build credibility. With social validation mechanisms like endorsements and mutual connections, fraudulent profiles can appear highly convincing, making it harder to distinguish real recruiters from cybercriminals.

How Cybersecurity Is Responding to Social Engineering Attacks

Major technology firms have begun responding to the growing trend of social engineering-based attacks. Microsoft and Google have been expanding AI-driven security mechanisms to detect fraudulent accounts and phishing attempts. However, the adaptability of cybercriminals remains a challenge.

While Lazarus Group continues to evolve its cyber operations, professionals in cryptocurrency, finance, and technology must adopt a more cautious approach to online networking. With billions in stolen assets and ongoing espionage activities, it is clear that cybercriminals are no longer just targeting corporations—they are targeting individuals, too.

Markus Kasanmascheff
Markus has been covering the tech industry for more than 15 years. He holds a Master's degree in International Economics and is the founder and managing editor of Winbuzzer.com.
