
North Korean Phishing Campaign Targets Developers to Steal Cryptocurrency

Severity: High (Score: 75.5)

Sources: Infosecurity-Magazine, www.veracode.com, blog.denv.it, Proofpoint, Theregister

Published: 2026-06-08 · Updated: 2026-06-09

Keywords: developers, steal, cryptocurrency, north, korean, fake, threat

Summary

A new phishing campaign, tracked as UNK_DeadDrop, targeted developers at nearly 100 organizations, primarily in the US, over six weeks in April and May 2026. The attackers sent over 250 emails disguised as job offers, coding assignments, or code-review requests for developer roles, each linking to an attacker-controlled GitHub or GitLab repository. The repositories carried a hidden VS Code tasks.json that runs as soon as the folder is opened in VS Code or Cursor, installing a malicious extension that in turn deploys cross-platform malware (macOS, Linux, and Windows) to steal cryptocurrency wallets and credentials. The campaign is distinct from earlier North Korean operations such as Contagious Interview and marks a shift in tactics from fake interviews to unsolicited job offers. The activity was identified by Proofpoint and reported by several other outlets. GitLab removed the malicious repository after a targeted developer reported it.

Key Points:
  • UNK_DeadDrop sent over 250 phishing emails to developers at nearly 100 organizations.
  • Malicious GitHub and GitLab repositories used an auto-running tasks.json to install a VSIX that steals cryptocurrency and credentials.
  • The campaign marks a shift in tactics from fake interviews to unsolicited job offers.

Detailed Analysis

**Impact**
Over 250 phishing emails targeted nearly 100 organizations worldwide, primarily in the US, across the technology, education, business services, and financial sectors, with a focus on cryptocurrency firms. The campaign aimed to steal developer credentials, API tokens, and cryptocurrency wallets, including browser extensions (MetaMask, Phantom, Keplr) and desktop wallets (Exodus, Electrum, Ledger Live). The operational consequences are unauthorized access to sensitive developer assets and financial theft from compromised wallets.

**Technical Details**
The attack vector is a phishing email linking to an attacker-controlled GitHub or GitLab repository disguised as a coding assignment, job offer, or code-review request. Opening the repository in VS Code or Cursor triggers a hidden tasks.json (an editor task configured to run on folder open) that installs a malicious VS Code extension (VSIX) masquerading as a Google service. The extension deploys cross-platform malware: a Go-based remote access trojan on macOS and Linux and JavaScript-based malware on Windows, both built to exfiltrate credentials and cryptocurrency data. The malware uses a fake password prompt to obtain elevated privileges and bypasses Chrome app-bound encryption on Windows. Infrastructure includes multiple GitHub accounts and attacker-owned sender domains spoofing legitimate companies. No CVE exploitation was reported. The cluster is tracked as UNK_DeadDrop and is distinct from, but similar to, previous DPRK-linked campaigns such as Contagious Interview.

**Recommended Response**
Block and monitor email from the attacker-owned domains and the GitHub/GitLab repositories linked to the campaign. Deploy detections for malicious VSIX extensions and monitor for unusual VS Code or Cursor activity, including unexpected task executions. Harden endpoints by disabling automatic editor tasks so that nothing runs on folder open, opening untrusted repositories only in the editor's restricted (untrusted-workspace) mode, and enforcing multi-factor authentication on developer accounts. Report suspicious emails and repositories to platform abuse teams and national cybersecurity centers. No patches apply, since no vulnerability was exploited; focus on detection and containment.
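The folder-open trick described above relies on a VS Code task whose `runOptions.runOn` is set to `folderOpen` in `.vscode/tasks.json`, so the cheapest pre-open check is to inspect a fresh clone for exactly that before an editor gets a chance to run it. The script below is an added example written for this page, not Proofpoint's code or anything taken from the malicious repository; the tasks.json it scans is a constructed sample (the task label and the extension name `gcloud-tools.vsix` are hypothetical) built to resemble the pattern described, and the command-line heuristics are general dropper signals rather than campaign-specific indicators.

```python
"""Triage a cloned repo for VS Code / Cursor tasks that auto-run on folder open.
Added example (not Proofpoint's code or anything from the malicious repository);
the embedded tasks.json is constructed to mimic the dropper pattern, not the real file."""
import json
import os
import re
import tempfile

# tasks.json is JSONC. String literals are matched first so that "//" inside a URL
# or a command argument survives; comments and trailing commas are dropped.
_JSONC_TOKEN = re.compile(r'"(?:\\.|[^"\\])*"|//[^\n]*|/\*.*?\*/|,(?=\s*[}\]])', re.DOTALL)

def strip_jsonc(text):
    """Return plain JSON from JSONC text, leaving string literals untouched."""
    return _JSONC_TOKEN.sub(lambda m: m.group(0) if m.group(0).startswith('"') else '', text)

def _d(value):
    """Treat anything that is not a JSON object as an empty one (defensive parsing)."""
    return value if isinstance(value, dict) else {}

# Command-line fragments typical of dropper tasks; heuristics, not campaign IOCs.
SUSPICIOUS = [
    (re.compile(r'--install-extension|\.vsix\b', re.I), 'installs an editor extension (VSIX)'),
    (re.compile(r'\b(curl|wget|Invoke-WebRequest|iwr|certutil)\b', re.I), 'fetches remote content'),
    (re.compile(r'\|\s*(sh|bash|zsh|python3?|node)\b|\bbase64\b|\beval\b|\bIEX\b', re.I),
     'pipes or decodes code into an interpreter'),
]

def _command_line(task):
    """Flatten command + args, including the per-OS overrides (windows/linux/osx)."""
    parts = []
    for section in (task, _d(task.get('windows')), _d(task.get('linux')), _d(task.get('osx'))):
        parts.append(str(section.get('command', '')))
        args = section.get('args')
        parts.extend(str(a) for a in (args if isinstance(args, list) else []))
    return ' '.join(p for p in parts if p)

def audit_tasks(doc):
    """Return findings for tasks that run without a user action or look like droppers."""
    findings = []
    for task in _d(doc).get('tasks') or []:
        task = _d(task)
        reasons = []
        if _d(task.get('runOptions')).get('runOn') == 'folderOpen':
            reasons.append('runs automatically on folder open (runOptions.runOn=folderOpen)')
        if _d(task.get('presentation')).get('reveal') == 'never' or task.get('hide') is True:
            reasons.append('terminal output hidden from the user')
        cmd = _command_line(task)
        reasons.extend(why for pat, why in SUSPICIOUS if pat.search(cmd))
        if reasons:
            findings.append({'label': task.get('label', '<unnamed>'), 'command': cmd, 'reasons': reasons})
    return findings

def scan_repo(root):
    """Walk a checkout (skipping .git) and audit every .vscode/tasks.json it contains."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d != '.git']
        if os.path.basename(dirpath) != '.vscode' or 'tasks.json' not in filenames:
            continue
        path = os.path.join(dirpath, 'tasks.json')
        rel = os.path.relpath(path, root)
        try:
            with open(path, encoding='utf-8-sig') as fh:
                doc = json.loads(strip_jsonc(fh.read()))
        except (OSError, ValueError) as exc:  # a file the editor cannot parse is worth a look too
            findings.append({'file': rel, 'label': '<unparseable>', 'command': '', 'reasons': [f'could not parse: {exc}']})
            continue
        for finding in audit_tasks(doc):
            finding['file'] = rel
            findings.append(finding)
    return findings

# Constructed sample (hypothetical task label, paths and extension name), not the real repository.
SAMPLE_TASKS_JSON = r'''{
  // Setup task that fires as soon as the folder is opened; its terminal is never shown.
  "version": "2.0.0",
  "tasks": [
    { "label": "Setup dev environment", "type": "shell", "command": "code",
      "args": ["--install-extension", "${workspaceFolder}/.vscode/gcloud-tools.vsix"],
      "windows": { "command": "cmd", "args": ["/c", "code --install-extension .\\.vscode\\gcloud-tools.vsix"] },
      "runOptions": { "runOn": "folderOpen" },
      "presentation": { "reveal": "never", "echo": false }, },
    { "label": "test", "type": "shell", "command": "npm test", "group": "test" }
  ]
}'''

def build_sample_repo():
    """Write the constructed sample into a temp directory and return its path."""
    root = tempfile.mkdtemp(prefix='repo-triage-')
    os.makedirs(os.path.join(root, '.vscode'))
    with open(os.path.join(root, '.vscode', 'tasks.json'), 'w', encoding='utf-8') as fh:
        fh.write(SAMPLE_TASKS_JSON)
    return root

if __name__ == '__main__':
    for f in scan_repo(build_sample_repo()):
        print(f"{f['file']}: {f['label']!r} -> {'; '.join(f['reasons'])}")
```

Run it against a checkout made with a plain `git clone` before anything is opened in an editor; the sample produces one finding with three reasons (folder-open trigger, hidden terminal, VSIX install) and ignores the ordinary `npm test` task. On the editor side, the same exposure is closed by setting VS Code's `task.allowAutomaticTasks` to `off` and leaving Workspace Trust enabled, so a repository opened without being explicitly trusted lands in Restricted Mode, where tasks do not run.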

Source articles (5)

  • I Was Likely Targeted By DPRK In A Sophisticated Developer Malware Campaign — blog.denv.it · 2026-06-08
    On May 25th, 2026, I received a remote smart-contract-security recruiting email from “Olivia Ben” at “Pulsynk.” It asked me to clone a GitLab repository called rekt-db and open it in VS Code or Cursor…
  • North Korean Hackers Use Fake Coding Tasks to Steal Crypto — Infosecurity-Magazine · 2026-06-08
    A likely North Korean threat actor has phished software developers at almost 100 organizations with fake job and code-review lures to steal cryptocurrency and credentials. According to new analysis fr…
  • Don't Fear the Repo: UNK_DeadDrop Phishing Campaign Targets Developers to Steal Cryptocurrency — Proofpoint · 2026-06-08
    Since at least 2022, North Korea-aligned threat actors have made a concerted effort not only to target cryptocurrency and decentralized finance organizations, but specifically to target developers usi…
  • Norks blast 250+ fake job offers to developers over 6 weeks to try and snarf creds and crypto — Theregister · 2026-06-08
    There's another likely North Korean-linked scam hitting developers and their employers, while snarfing up credentials and cryptocurrency - and this one doesn't even involve embedding IT workers at hig…
  • Sophisticated Ongoing Attack Discovered On Npm — www.veracode.com · 2026-06-08

Timeline

  • 2026-04-01 — UNK_DeadDrop campaign begins: North Korean-aligned threat actors start sending phishing emails to developers, targeting organizations in various sectors.
  • 2026-05-25 — Targeted individual reports phishing attempt: A developer receives a malicious recruiting email and reports it to GitLab and Swiss GovCERT, leading to the malicious repository's removal.
  • 2026-06-08 — Campaign details published: Proofpoint and other sources publish findings on the UNK_DeadDrop campaign, detailing its methods and scope.
  • 2026-06-08 — GitLab removes malicious repository: GitLab confirms the removal of the malicious repository after being alerted by a targeted developer.

Related entities

  • UNK_DeadDrop (Apt Group)
  • Citrine Sleet (Apt Group)
  • Malware (Attack Type)
  • Phishing (Attack Type)
  • Supply Chain Attack (Attack Type)
  • Trojan (Attack Type)
  • Contagious Interview (Campaign)
  • Bybit (Company)
  • Radiant Capital (Company)
  • Wormhole (Company)
  • Education (Company)
  • Cursor (Company)
  • Zenity (Company)
  • North Korea (Country)
  • advinservers.com (Domain)
  • careerpredictto.space (Domain)
  • empowerpharmacy.space (Domain)
  • hr.mailpulsynk.xyz (Domain)
  • hr.predicttocareer.space (Domain)
  • hr.pulsynk.org (Domain)
  • hr.recruitvex.us (Domain)
  • hr.trixauvex.org (Domain)
  • hyperdevpipline.org (Domain)
  • kaiko.ai (Domain)
  • nxlog.tech (Domain)
  • ondofinance.tech (Domain)
  • predictcareertogether.space (Domain)
  • predicttocareer.space (Domain)
  • pulsnyk.org (Domain)
  • recruitptogether.xyz (Domain)
  • valorecuiting.online (Domain)
  • [email protected] (Email; 28 sender addresses, redacted in this copy)
  • Financial (Industry)
  • Technology (Industry)
  • 170.205.29.83 (Ipv4)
  • 23.137.105.75 (Ipv4)
  • AppleJeus (Malware)
  • Coldcat (Malware)
  • Overlord (Malware)
  • Simplesea (Malware)
  • Taxhaul (Malware)
  • T1003 - OS Credential Dumping (Mitre Attack)
  • T1041 - Exfiltration Over C2 Channel (Mitre Attack)
  • T1059 - Command and Scripting Interpreter (Mitre Attack)
  • T1071 - Application Layer Protocol (Mitre Attack)
  • T1566.002 - Spearphishing Link (Mitre Attack)
  • T1566 - Phishing (Mitre Attack)
  • Go (Mitre Attack)
  • Electron (Platform)
  • GitHub (Platform)
  • Gitlab (Platform)
  • Gnome Keyring (Platform)
  • GTK (Platform)
  • Linux (Platform)
  • MacOS (Platform)
  • Visual Studio Code (Platform)
  • Windows (Platform)
  • Foundry (Tool)
  • Google Chrome (Tool)
  • Node.js (Tool)
  • VS Code (Tool)
  • VSCodium (Tool)
  • Overlord C2 Framework (Tool)
  • Overlord Framework (Tool)
  • 2812e0847d472cb8870c94f463331dbe53b84135132b9bf5f6d84c2382be628f (Sha256)
  • 3b1ff1ac2120b0a9b852e686d10b4b2526d41f08c4c6361160efeefb588aaf77 (Sha256)
  • 4f7a8c3d2e1b5f9071a6b2c8d4e3f50a92b1c7d6e8f4a30b5c2d9e1f7a6b8c4d (Sha256)
  • 52886aab179f26421678ff23af1b0fabf0a17ffbb534369cdbbac8008cbed8e7 (Sha256)