The North Korean Lazarus hacking group is now using fake ‘Crypto.com’ job offers to hack developers and artists in the crypto space, likely with a long-term goal of stealing digital assets and cryptocurrency. Crypto.com is one of the world’s leading cryptocurrency exchange platforms. The company gained attention in 2021 when it purchased and rebranded the Los Angeles Staples Center arena into ‘Crypto.com Arena’ and began a series of TV advertisements promoting the service. The Lazarus hacking group has been running a campaign dubbed ‘Operation In(ter)ception’ since 2020, where they target people working in the cryptocurrency industry. The threat actors’ goal is to trick targets into opening malicious files that infect systems with malware that can be used to breach the internal networks of crypto companies to steal large amounts of cryptocurrency, NFTs, or conduct espionage. In August 2022, Lazarus targeted IT workers with malicious job offers that impersonated Coinbase and targeted users with Windows or macOS malware. In a new report by Sentinel One, the hackers have now switched to impersonating Crypto.com in their phishing attacks using the same macOS malware seen in previous campaigns. Lazarus typically approaches their targets via LinkedIn, sending them a direct message to inform them of a lucrative job opening in a large company. Like the previous macOS campaigns, the hackers sent a macOS binary posing as a PDF containing a 26-page PDF file named ‘Crypto.com_Job_Opportunities_2022_confidential.pdf’ that contains alleged job vacancies at Crypto.com. It is likely that Lazarus will soon switch to impersonating a different company while keeping the rest of the attack elements largely unmodified.
Those that work within crypto firms should be vigilant with unsolicited job offers on LinkedIn, especially those that contain suspicious attachments.