North Korea’s Lazarus Group has launched a new cyber attack campaign called Operation 99, targeting software developers in the Web3 and cryptocurrency sectors. The scheme uses fake recruiters on platforms like LinkedIn to entice developers with seemingly legitimate projects that lead them to harmful GitLab repositories. Once cloned, these repositories contain malware that connects to command-and-control servers, allowing the attackers to steal sensitive information, including source code and cryptocurrency wallet keys. Victims have been identified globally, primarily in Italy, with others in various countries. This campaign reflects the Lazarus Group’s ongoing efforts to exploit the booming cryptocurrency market for financial gain.
The Lazarus Group, a notorious hacking collective linked to North Korea, has launched a new campaign known as Operation 99. This attack specifically targets software developers interested in Web3 and cryptocurrency jobs, aiming to spread malware.
The operation begins with fake recruiters on professional networking sites like LinkedIn. They lure unsuspecting developers with offers of project tests and code reviews. According to Ryan Sherstobitoff from SecurityScorecard, once a victim engages, they are directed to a fake GitLab repository that appears harmless but is actually designed to infect their systems.
Recent reports show that these attacks are widespread, concentrated in Italy, but victims have also been identified in countries including Brazil, France, Germany, and the U.S.
This campaign builds on previous tactics used by the Lazarus Group, adapting their job-themed operations to specifically target the growing fields of Web3 and cryptocurrency. What makes Operation 99 particularly insidious is its method of using fraudulent LinkedIn profiles to direct potential victims to malicious repositories.
The malware that gets deployed is designed to extract sensitive information, including source code and cryptocurrency wallet keys. This can lead to major financial losses for individuals and companies alike.
- One type of malware, Main5346, serves as a downloader for additional harmful payloads.
- Another variant steals data from web browsers to capture user credentials.
- A third component monitors keyboard and clipboard activity in real time, further compromising sensitive information.
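The lure in this campaign is a repository the developer is asked to clone and run as a "project test", so the practical defensive check is to look at what a cloned project would execute automatically before running it at all. The script below is an added example written for this article, not code from SecurityScorecard or from the Operation 99 samples, and it assumes a Node.js-style project (the article does not say how the malicious repositories trigger execution; npm lifecycle hooks and obfuscated loaders are used here as generic examples). It lists install-time hooks in package.json and flags constructs such as eval, long base64-looking literals, char-code obfuscation and hard-coded IP URLs, with file and line so a reviewer can read the surrounding code in a sandbox. The sample repository it builds is constructed for the demonstration and is not a real sample.

```python
"""Pre-execution triage of a cloned repository received as a 'coding test'.

Added example, not from the article. A hit is a reason to read the file in a
sandbox, not proof of malware; an empty report is not proof of safety.
"""
import json
import re
import tempfile
from pathlib import Path

# npm lifecycle hooks that run as a side effect of `npm install` alone
# (assumption: the lure project is a Node.js package).
AUTO_RUN_HOOKS = {"preinstall", "install", "postinstall", "prepare", "prepublish"}

# Heuristics that commonly surround a downloader or obfuscated loader.
SUSPICIOUS_PATTERNS = {
    "dynamic code execution": re.compile(r"\b(eval|Function|exec|execSync|spawn)\s*\("),
    "long base64-looking literal": re.compile(r"[\"'][A-Za-z0-9+/=]{100,}[\"']"),
    "char-code obfuscation": re.compile(r"String\.fromCharCode\s*\("),
    "hard-coded IP URL": re.compile(r"https?://\d{1,3}(?:\.\d{1,3}){3}"),
}
SOURCE_EXT = {".js", ".cjs", ".mjs", ".ts", ".py", ".sh"}
SKIP_DIRS = {"node_modules", ".git"}


def check_package_json(path: Path, root: Path) -> list[str]:
    """Report scripts in package.json that execute without an explicit command."""
    rel = path.relative_to(root).as_posix()
    try:
        scripts = json.loads(path.read_text(encoding="utf-8")).get("scripts", {})
    except (json.JSONDecodeError, OSError):
        return [f"{rel}: unreadable package.json"]
    return [f"{rel}: auto-run hook '{name}' -> {cmd}"
            for name, cmd in scripts.items() if name in AUTO_RUN_HOOKS]


def scan_source(path: Path, root: Path) -> list[str]:
    """Report suspicious constructs in one source file, one finding per match."""
    rel = path.relative_to(root).as_posix()
    findings = []
    try:
        lines = path.read_text(encoding="utf-8", errors="replace").splitlines()
    except OSError:
        return [f"{rel}: unreadable"]
    for lineno, line in enumerate(lines, 1):
        for label, pattern in SUSPICIOUS_PATTERNS.items():
            if pattern.search(line):
                findings.append(f"{rel}:{lineno}: {label}")
    return findings


def triage(repo_root: Path) -> list[str]:
    """Walk the checkout, skipping dependency and VCS folders, and collect findings."""
    findings = []
    for path in sorted(repo_root.rglob("*")):
        if not path.is_file() or any(part in SKIP_DIRS for part in path.parts):
            continue
        if path.name == "package.json":
            findings.extend(check_package_json(path, repo_root))
        elif path.suffix in SOURCE_EXT:
            findings.extend(scan_source(path, repo_root))
    return findings


def build_sample_repo(root: Path) -> Path:
    """Constructed lure-style project for the demo: a postinstall hook that runs
    an obfuscated loader. Not a real sample from the campaign."""
    (root / "package.json").write_text(json.dumps({
        "name": "web3-take-home-test",
        "scripts": {"test": "node test.js", "postinstall": "node setup.js"},
    }), encoding="utf-8")
    (root / "setup.js").write_text(
        'const p = "' + "QUJD" * 30 + '";\n'
        'eval(Buffer.from(p, "base64").toString());\n', encoding="utf-8")
    (root / "test.js").write_text('console.log("tests pass");\n', encoding="utf-8")
    return root


def demo() -> list[str]:
    """Build the constructed repository in a temp dir and return its findings."""
    with tempfile.TemporaryDirectory() as tmp:
        return triage(build_sample_repo(Path(tmp)))


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Run it against a real checkout with `triage(Path("path/to/clone"))` before `npm install`; the point of the postinstall check is that the hook fires during dependency installation, before the developer ever opens the project's "test" code.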
SecurityScorecard noted that by gaining access to developer accounts, hackers can not only steal intellectual property but also cryptocurrency wallets. This raises significant concerns as private keys are targeted, potentially resulting in the loss of millions in digital assets.
The module-based design of the malware makes it versatile and capable of operating across different platforms such as Windows, macOS, and Linux. This highlights the evolving nature of cyber threats in today’s world.
As Sherstobitoff states, for North Korea, hacking has become a crucial source of revenue. With the explosion of Web3 and cryptocurrency markets, Operation 99 focuses on these high-growth areas to achieve its financial goals.
What is Operation 99?
Operation 99 is a campaign by the Lazarus Group aimed at targeting Web3 developers. They use fake LinkedIn profiles to trick these developers into sharing sensitive information or downloading malicious software.
Who is the Lazarus Group?
The Lazarus Group is a known cybercrime organization linked to North Korea. They are notorious for hacking and cyber attacks, and they often target financial institutions, corporations, and, more recently, Web3 developers.
How do the fake LinkedIn profiles work?
The fake LinkedIn profiles look like real professionals in the Web3 industry. They connect with developers to engage them in conversations. The goal is to build trust and get the developers to either click on harmful links or give away important information.
What should Web3 developers do to stay safe?
Web3 developers should be careful about whom they connect with online. They should verify profiles before engaging and avoid sharing sensitive information. It’s also wise to use security software and stay informed about the latest scams and attacks.
What are the signs of a fake LinkedIn profile?
Some signs of a fake LinkedIn profile include:
- Poor or generic profile pictures
- Limited connections or endorsements
- Strange job titles or work history
- Unusual activity or messages that seem too good to be true
Being aware of these signs can help developers avoid falling for scams from groups like Lazarus.