Crypto exchange Crypto.com is the latest target of a fraudulent job advertisement scheme by the North Korean-linked hacker group Lazarus.
The malware attack encourages members of the crypto community to download a PDF document showcasing the open vacancies at Crypto.com, including a Singapore-based Art Director role, among others, according to a report from cybersecurity firm SentinelOne.
When the interested candidate proceeds to download the PDF job description, they unknowingly fall victim to a trojan horse attack in which their personal data and financial information are compromised.
More recently in August, Lazarus also executed a similar scheme by targeting candidates with direct message job offers on LinkedIn for an Engineering Manager, Product Security position at crypto exchange Coinbase.
As showcased by security research firm ESET, the bundle of three files that incorporated the malware was disguised as a career document for a Coinbase role.
#ESETresearch #BREAKING A signed Mac executable disguised as a job description for Coinbase was uploaded to VirusTotal from Brazil 🇧🇷. This is an instance of Operation In(ter)ception by #Lazarus for Mac. @pkalnai @dbreitenbacher 1/7 pic.twitter.com/dXg89el5VT
— ESET research (@ESETresearch) August 16, 2022
While the exact intentions of the group are unknown, it is presumed that gaining access to crypto funds and sensitive information on exchanges is the priority.
Decrypt reached out to Crypto.com for comment, but has yet to hear back at the time of publication.
Lazarus Group and crypto
In April this year, the United States Treasury Department accused Lazarus of coordinating the $622 million attack on the Ronin Bridge (an Ethereum sidechain that supports the popular blockchain game Axie Infinity), blacklisting the wallet address and placing it on an official sanctions list.
Over the past few years, the North Korean government and associated security services have denied any involvement with Lazarus.
In February, a United Nations report indicated that a portion of the Hermit Kingdom’s nuclear and ballistic missile programs was funded by cyberattacks and cryptocurrency exchanges.