North Korean threat actors impersonate Coinbase with fake job offers for crypto pros

by Arthur · August 10, 2022

The Lazarus cybercrime group has been observed posting fake job adverts for cryptocurrency giant Coinbase. (Photo by Edward Smith/Getty Images)

A formidable hacker group based in North Korea has posed as cryptocurrency giant Coinbase with fake job ads targeting professional online payment services.

Last weekend, North Korea was infamous Lazarus cybercrime ring was discovered to be the source of several job postings, primarily posted on the business networking site LinkedIn, that claimed to be soliciting to fill positions at Coinbase. This type of attack uses a combination of fake online advertising, online networking, and even basic phone conversation discussions to perform a social engineering attack that can obtain personal information about financial technology professionals and potentially credentials that could lead to access at their current workplace.

“A new job offer from a reputable company is enough to entice a lot of people to click on something they shouldn’t,” said Paul Bischoff, privacy counsel for Comparitech. “However, while a few companies use headhunters, in most cases companies will not proactively reach out to recruit.”

This recent fake job campaign is just the latest in a series of attacks by Lazarus, which has been operating for more than a dozen years. Earlier this year, the North Korean Advanced Persistent Threat Group was found to be impersonating aerospace company Lockheed Martin with a similar job posting scam, according to research by the Malwarebytes Threat Intelligence team.

Also, this is definitely not an isolated incident, as there have been almost daily cyber attacks on cryptocurrency sites or their customers or employees in recent weeks. Many cryptocurrency firms have been targeted by hackers, who can see potential chinks in the armor of even the largest and most respected of these payment interests with the recent roller coaster of crypto valuations.

Chris Hauk, consumer privacy champion at Pixel Privacy, pointed out that the Coinbase attack (like the one involving Lockheed Martin) uses the proven method of social engineering, “which has long been a danger on LinkedIn.”

“LinkedIn users need to be on guard for social engineering attacks like this,” Hauk added. “By posing as Coinbase recruiters, the crooks are taking advantage of today’s job market and constant mention of cryptocurrency companies in the daily news cycle.”

As one of the largest crypto exchange platforms, many victims view potential job postings as credible and attractive – so they refrain from downloading a malicious PDF file to read more about the job. The fake Lazarus job file provides a fake job description, while the malware uses the victim’s GitHub to download information and access the victim’s files.

Bischoff and Hauk both recommend that professionals in the cryptocurrency and fintech and payments space practice what they preach and exercise a healthy dose of suspicion with incoming job offers, even from well-respected websites.

“Be sure to research and investigate all positions,” Hauk said, “using your contacts to find the truth of any company that is allegedly reaching out.”

Bischoff said that unsolicited job offers “should be a red flag treated with skepticism and caution.” He added that potential employees should “never open links or attachments in unsolicited messages or emails, and always check the file type and extension before opening.”