North Korean hackers use LinkedIn and Upwork to extort money from 'freelancers'
North Korean hackers have come up with a new way to steal cryptocurrencies from software engineers and developers looking for work through recruitment platforms.
February 22, 2025 06:59
Impersonating recruitment specialists
According to a report on the X network by security company ESET, North Korean hackers are posing as recruitment specialists to attract the attention of software engineers and developers, with their main goal being to steal cryptocurrencies.
How it works
Hackers pose on job search platforms like LinkedIn and Upwork as recruitment agents looking for freelance software engineers or developers in the cryptocurrency or financial sectors.
Unsuspecting job seekers may contact them themselves, or hackers may be the first to offer a supposed job opportunity.
They then ask the candidate to complete a pilot project, providing tasks that hide malware designed to steal information, a scheme called "DeceptiveDevelopment."
The scheme requires developers to perform a programming test, such as adding a new feature to an existing project. The required files are usually placed in private repositories on GitHub or other similar platforms.
When a candidate downloads and runs the infected files, their computer is compromised and the first stage of the malicious operation, the BeaverTail malware, is installed on it.
Victims of these attacks are found all over the world, using various operating systems.
"We have recorded hundreds of different victims worldwide, including users of all major operating systems: Windows, Linux, and macOS. Victims range from novice freelance developers to experienced professionals in the field," ESET commented.
History
ESET first noticed this DeceptiveDevelopment campaign in early 2024 when it discovered trojanized projects hosted on GitHub with malicious code hidden at the end of long comments.
These projects distribute the BeaverTail and InvisibleFerret malware, which steal cryptocurrencies and other personal information, potentially for espionage purposes.
Such attacks have become quite common on the GitHub platform.
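A check a candidate can run on a test project before executing anything in it, following the description above of code hidden at the end of long comments. This is an added example, not ESET's tooling or code from the campaign. It assumes the hiding works by placing code on the same line after a long `/* ... */` comment so that it sits off-screen, and the 200-column threshold, the file extensions and the sample text are assumptions.

```python
import re
from pathlib import Path

# Assumed threshold: editors rarely show more than ~200 columns without scrolling.
MIN_COL = 200
# End of a block comment followed, on the same line, by more text.
COMMENT_CLOSE = re.compile(r"\*/[ \t]*(?=\S)")

def find_offscreen_code(source, min_col=MIN_COL):
    """Return (line_no, column, preview) for text that starts at or beyond
    min_col directly after a closing */ on the same line."""
    findings = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        for match in COMMENT_CLOSE.finditer(line):
            start = match.end()
            tail = line[start:]
            # Another comment after the first one is not code; keep looking.
            if start >= min_col and not tail.startswith(("/*", "//")):
                findings.append((line_no, start + 1, tail[:60]))
                break
    return findings

def scan_tree(root, suffixes=(".js", ".jsx", ".ts", ".tsx")):
    """Read (never execute) source files under root and collect findings."""
    report = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix in suffixes:
            hits = find_offscreen_code(path.read_text(errors="replace"))
            if hits:
                report[str(path)] = hits
    return report

# Constructed sample: a harmless call pushed far to the right by a long comment.
SAMPLE = "\n".join([
    "const express = require('express');",
    "/* short note */ const app = express();",
    "/* " + "license text " * 30 + "*/ loadExtraModule();",
    "module.exports = app;",
])

if __name__ == "__main__":
    for line_no, column, preview in find_offscreen_code(SAMPLE):
        print(f"line {line_no}, column {column}: {preview}")
```

The check is a heuristic: a `*/` inside a string literal can produce a false positive, and a hit means the line deserves a manual read, not that the project is malicious.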