North Korean hackers target crypto experts with fake Coinbase job offers


A new social engineering campaign by the notorious North Korean Lazarus hacking group has been discovered, with the hackers impersonating Coinbase to target employees in the fintech industry.

A common tactic the hacking group uses is to approach targets over LinkedIn to present a job offer and hold a preliminary discussion as part of a social engineering attack.

According to Hossein Jazi, a security researcher at Malwarebytes who has been following Lazarus activity closely since February 2022, the threat actors are now pretending to be from Coinbase, targeting candidates suitable for the role of “Engineering Manager, Product Security.”

Coinbase is one of the world’s largest cryptocurrency exchange platforms, allowing Lazarus to lay the ground for a lucrative and enticing job offer at a prestigious organization.

When victims download what they believe to be a PDF about the job position, they actually receive a malicious executable disguised with a PDF icon. In this case the file is named “Coinbase_online_careers_2022_07.exe”; when run, it displays the decoy PDF document shown below while also loading a malicious DLL.
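The lure works because the file looks like a document while the bytes are a PE image that carries the decoy it will show. The following is an added triage check, not code from the article or from Malwarebytes: it compares the file name with the actual magic bytes, looks for a double extension, and flags an executable that carries an embedded PDF. The sample blob is constructed here (a bare MZ stub pointing at a PE signature with PDF bytes appended) and is not malware; the lure vocabulary list is a hypothetical starting point.

```python
import struct

PDF_MAGIC = b"%PDF-"
EXECUTABLE_EXTS = (".exe", ".scr", ".com", ".pif")
DOCUMENT_EXTS = (".pdf", ".doc", ".docx")
# Hypothetical lure vocabulary for this example; tune it to your environment.
LURE_WORDS = ("career", "job", "offer", "position", "interview", "resume")

# Constructed decoy bytes standing in for the job description the lure shows.
DECOY_PDF = b"%PDF-1.4\n% constructed decoy job description\n%%EOF\n"


def build_sample_pe(decoy: bytes = b"") -> bytes:
    """Constructed sample, not real malware: a minimal PE-shaped blob (MZ stub,
    e_lfanew -> 'PE\\0\\0') with optional decoy bytes appended, mimicking the
    layout of a lure that carries the document it will display."""
    dos = bytearray(0x80)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x80)   # e_lfanew: PE header at 0x80
    pe_header = b"PE\x00\x00" + b"\x00" * 20  # signature + zeroed COFF header
    return bytes(dos) + pe_header + decoy


def is_pe(data: bytes) -> bool:
    """True if a DOS stub's e_lfanew lands on a PE signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def actual_type(data: bytes) -> str:
    """Classify by magic bytes, never by name or icon."""
    if is_pe(data):
        return "pe"
    if data.startswith(PDF_MAGIC):
        return "pdf"
    return "unknown"


def inspect_lure(name: str, data: bytes) -> dict:
    """Compare what the name implies with what the bytes are, and note a
    document carried inside an executable."""
    lowered = name.replace("\\", "/").rsplit("/", 1)[-1].lower()
    ext = "." + lowered.rsplit(".", 1)[-1] if "." in lowered else ""
    stem = lowered[:-len(ext)] if ext else lowered
    kind = actual_type(data)
    embedded_pdf = kind != "pdf" and PDF_MAGIC in data
    reasons = []
    if kind == "pe":
        if ext not in EXECUTABLE_EXTS:
            reasons.append("PE image without an executable extension")
        if stem.endswith(DOCUMENT_EXTS):
            reasons.append("double extension hides a document name")
        if embedded_pdf:
            reasons.append("executable carries an embedded PDF (decoy)")
        if any(word in stem for word in LURE_WORDS):
            reasons.append("file name uses recruitment-lure vocabulary")
    return {
        "name": lowered,
        "type": kind,
        "embedded_pdf": embedded_pdf,
        "reasons": reasons,
        "suspicious": kind == "pe" and bool(reasons),
    }


if __name__ == "__main__":
    for sample_name, sample_data in [
        ("Coinbase_online_careers_2022_07.exe", build_sample_pe(DECOY_PDF)),
        ("Job_Description.pdf.exe", build_sample_pe()),
        ("setup.exe", build_sample_pe()),
        ("offer.pdf", DECOY_PDF),
    ]:
        print(inspect_lure(sample_name, sample_data))
```

Run it over a mail-gateway quarantine or a Downloads folder and the Coinbase-style file is flagged twice over (embedded PDF plus lure vocabulary) while a plain installer and a real PDF pass; the icon the user sees never enters into it.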

[Image: decoy PDF displayed when the fake PDF executable runs (source: @h2jazi)]

Once executed, the malware uses GitHub as its command-and-control server, fetching the commands it is to run on the infected device from there.
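GitHub traffic blends in on a developer workstation, so the useful question is which process is talking to it. Below is an added hunting check, not code from the article: it runs a baseline over Sysmon-style network connection events and alerts on a non-baseline process reaching GitHub endpoints, raising severity when the image runs from a user-writable path or is a living-off-the-land binary. The events and the expected-process baseline are constructed assumptions for this example; build the baseline from your own telemetry.

```python
import ntpath
from typing import Optional

# GitHub endpoints a loader would fetch tasking or payloads from.
GITHUB_HOSTS = {
    "github.com", "api.github.com", "raw.githubusercontent.com",
    "gist.githubusercontent.com", "objects.githubusercontent.com",
}
# Assumed baseline of processes expected to reach GitHub on a dev workstation.
EXPECTED_IMAGES = {"git.exe", "gh.exe", "code.exe", "chrome.exe", "msedge.exe", "firefox.exe"}
LOLBINS = {"rundll32.exe", "regsvr32.exe", "mshta.exe", "powershell.exe", "wscript.exe", "cscript.exe"}
USER_WRITABLE = ("\\users\\", "\\programdata\\", "\\temp\\")

# Constructed Sysmon-style network connection events (Event ID 3 fields),
# made up for this example rather than taken from a real host.
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files\Git\cmd\git.exe", "User": r"CORP\dev1",
     "DestinationHostname": "github.com", "DestinationPort": 443},
    {"Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe", "User": r"CORP\dev1",
     "DestinationHostname": "raw.githubusercontent.com", "DestinationPort": 443},
    {"Image": r"C:\Users\dev1\Downloads\Coinbase_online_careers_2022_07.exe", "User": r"CORP\dev1",
     "DestinationHostname": "api.github.com", "DestinationPort": 443},
    {"Image": r"C:\Windows\System32\rundll32.exe", "User": r"CORP\dev1",
     "DestinationHostname": "raw.githubusercontent.com", "DestinationPort": 443},
    {"Image": r"C:\Windows\System32\svchost.exe", "User": r"NT AUTHORITY\SYSTEM",
     "DestinationHostname": "update.microsoft.com", "DestinationPort": 443},
]


def classify(event: dict) -> Optional[dict]:
    """Return an alert for a non-baseline process contacting GitHub, else None."""
    host = event.get("DestinationHostname", "").lower()
    if host not in GITHUB_HOSTS:
        return None
    image = event.get("Image", "")
    base = ntpath.basename(image).lower()   # handles Windows paths on any OS
    if base in EXPECTED_IMAGES:
        return None
    reasons = ["process not in GitHub baseline"]
    severity = "medium"
    if base in LOLBINS:
        reasons.append("living-off-the-land binary contacting GitHub")
        severity = "high"
    if any(p in image.lower() for p in USER_WRITABLE):
        reasons.append("image runs from a user-writable path")
        severity = "high"
    return {"image": image, "user": event.get("User"), "host": host,
            "severity": severity, "reasons": reasons}


def hunt_github_c2(events) -> list:
    """Apply classify() to a stream of events and keep the alerts."""
    return [alert for alert in (classify(e) for e in events) if alert]


if __name__ == "__main__":
    for alert in hunt_github_c2(SAMPLE_EVENTS):
        print(alert["severity"], alert["image"], alert["reasons"])
```

The two hits are the executable launched from Downloads and rundll32 reaching raw content; git and the browser are dropped by the baseline, and the Microsoft update traffic never matches a GitHub host. Pair this with process creation events so the alert can carry the parent that spawned the loader.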

This attack chain is similar to one documented by Malwarebytes in a blog post at the start of the year.

Jazi told Bleeping Computer that Lazarus follows similar tactics and methods to infect their targets with malware, and the individual phishing campaigns feature infrastructure overlaps.

Other campaigns conducted by Lazarus in the past using fake job offers were for General Dynamics and Lockheed Martin.

Lazarus hackers targeting crypto

State-sponsored North Korean hacking groups are known for launching financially motivated attacks against banks, cryptocurrency exchanges, NFT marketplaces, and individual investors with significant holdings.

Earlier in the year, U.S. intelligence services warned about Lazarus spreading trojanized cryptocurrency wallets and investment apps that steal people’s private keys and siphon their holdings.

In April, the U.S. Treasury and the FBI linked stolen cryptocurrency from the blockchain-based game Axie Infinity to Lazarus, holding them responsible for stealing over $617 million worth of Ethereum and USDC tokens.

As revealed later, in July, the Axie Infinity hack was made possible by a malware-laced PDF file that supposedly contained the details of a lucrative job offer, sent to one of the blockchain’s engineers.

Opening the file infected the engineer’s computer, enabling Lazarus to raise their privileges and move laterally in the firm’s network, eventually locating a vulnerability in the Ronin Bridge and triggering an exploit.

This same type of attack is likely what Lazarus is hoping to achieve in the latest Coinbase-lured campaign, as it would only take a single person in a company to open the PDF and enable the hackers to gain initial access to the corporate network.


  • leis – 2 days ago

    So much for the ‘blockchain where nobody can steal your crypto…’

  • horsedoggs – 2 days ago

    Anyone that invests in crypto is a fool. Eventually all crypto will be worthless. As the world moves to energy-efficient ways of living, crypto becomes more and more of an unnecessary and unsustainable product.


