North Korean hackers steal cryptocurrency from freelancers, including Ukrainians

26 February 12:56

North Korean hackers have been targeting freelance developers while posing as recruiters. Ukrainian IT outlet dev.ua reports this, citing a study by ESET, "Komersant Ukrainian" informs.

In 2024, freelancers from the United States, Canada, and several European countries were hit hardest by the malicious activity called DeceptiveDevelopment.

What actions do the attackers take?

Hackers pose as recruiters on social media to target freelance developers, especially those working in cryptocurrency projects. The main goal of the attacks is to steal cryptocurrency, probably to increase North Korea’s profits.

Attackers copy or create recruiter personas and contact developers through job search platforms such as LinkedIn, Upwork, Freelancer.com, We Work Remotely, Moonlight, and Crypto Jobs List, offering them a job if they pass a coding test.

The test files are hosted in private repositories on GitHub or a similar platform, and downloading them deploys the BeaverTail malware.

Hackers often copy entire existing projects, changing nothing except adding their malware and rewriting the README file. They usually try to hide the malicious code somewhere in the project so that it does not raise suspicion and is not easily visible, for example, in internal code as a single line placed after a long comment that pushes it off-screen.
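A defender reviewing a "coding test" repository can check for exactly this hiding trick mechanically. The following scanner is an added example, not code from ESET or from the article: it flags source lines where executable code sits beyond the visible editor width, either after a long block comment or after a run of padding whitespace. The thresholds and the constructed JavaScript sample are assumptions for illustration.

```python
import re
from typing import List, Tuple

# Heuristic thresholds (assumed values, not from ESET's report).
MAX_VISIBLE_COLS = 160   # beyond this column most editors require horizontal scrolling
MIN_PADDING = 40         # a run of spaces/tabs this long is suspicious mid-line

BLOCK_COMMENT_RE = re.compile(r"/\*.*?\*/")          # single-line /* ... */ comments
PADDING_RE = re.compile(r"[ \t]{%d,}" % MIN_PADDING)  # long whitespace runs


def find_hidden_code(source: str) -> List[Tuple[int, int, str]]:
    """Return (line_no, column, snippet) for each line whose code is pushed
    past MAX_VISIBLE_COLS behind a block comment or a run of whitespace.
    This is a heuristic: it does not parse the language, so review hits by hand."""
    findings = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        stripped = line.rstrip()
        if len(stripped) <= MAX_VISIBLE_COLS:
            continue  # short lines are fully visible; nothing to hide there
        # Case 1: code placed after a block comment that ends off-screen.
        last_comment_end = -1
        for m in BLOCK_COMMENT_RE.finditer(stripped):
            last_comment_end = m.end()
        if last_comment_end > MAX_VISIBLE_COLS:
            tail = stripped[last_comment_end:].strip()
            if tail and not tail.startswith("//"):
                findings.append((line_no, last_comment_end, tail[:60]))
                continue
        # Case 2: visible code, then a long whitespace run, then more code off-screen.
        m = PADDING_RE.search(stripped)
        if m and m.end() > MAX_VISIBLE_COLS:
            tail = stripped[m.end():].strip()
            if tail:
                findings.append((line_no, m.end(), tail[:60]))
    return findings


# Constructed sample resembling a cloned Node.js project: line 3 hides a
# require() call behind a 240-character comment so it is off-screen in an editor.
SAMPLE_JS = "\n".join([
    "const express = require('express');",
    "app.get('/', (req, res) => res.send('ok'));",
    "/* " + "config loader, see docs " * 10 + "*/ " + "require('./util/loader.js');",
    "module.exports = app;",
])

if __name__ == "__main__":
    for line_no, col, snippet in find_hidden_code(SAMPLE_JS):
        print(f"line {line_no}, column {col}: {snippet}")
```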

BeaverTail targets browser databases to steal credentials and also downloads the campaign's second stage, InvisibleFerret, a backdoor that lets the attacker install the AnyDesk remote-control software for further activity after the compromise.

Windows, Mac, and Linux users around the world are affected by the attack. Both young and experienced developers were targeted.

“We have only observed conversations between the attackers and victims in English, but we cannot say with certainty that they will not use translation tools to communicate with victims in other languages,” ESET researchers said.

Another infection method they observed: the fake recruiter invites the victim to an interview on an online conferencing platform and sends a link to a website from which the supposedly required conferencing software can be downloaded. The site is usually a clone of a real conferencing platform, and the downloaded software contains the first stage of the malware.

As reported by "Komersant Ukrainian", on February 21, the Bybit cryptocurrency exchange suffered a large-scale hacker attack that resulted in the theft of more than $1.4 billion in various crypto assets, including 401,347 ether. The incident occurred due to the compromise of the exchange’s Ethereum wallet, which allowed the attackers to transfer funds to an unknown address.

In late January, it became known that hackers were using outdated versions of WordPress and its plugins to alter website content and push visitors into downloading malware. "Komersant Ukrainian" also reported on this. Researchers from c/side have identified more than 10,000 sites that have fallen victim to this attack.

Google's Threat Intelligence Group also reports that the APT44 hacker group (also known as Sandworm) and other Russia-linked hackers have devised new ways to spy on Signal accounts used by the Ukrainian military and government. As reported by "Komersant Ukrainian", in light of these attacks, Google recommended that all Signal users update the app to the latest version.

Василевич Сергій
Editor
