
North Korean threat actors imitate Coinbase with fake job offer for crypto pros

The Lazarus cybercrime group has been observed posting fake job listings for cryptocurrency giant Coinbase. (Photo by Edward Smith/Getty Images)

A formidable hacking group based in North Korea has been posing as cryptocurrency giant Coinbase with phony job postings targeted to online payments professionals.

Last weekend, North Korea’s infamous Lazarus cybercrime ring was discovered to be the source of several job ads, primarily posted on business networking site LinkedIn, which claimed to be recruiting for positions at Coinbase. This kind of attack combines false online advertising, online networking, and even basic phone call discussions to execute a social engineering attack that could garner personal information about financial technology professionals and, potentially, credentials that could lead to access at their current workplace.

“A new job offer from a renowned firm is enough to entice a lot of people to click on something they shouldn't,” said Paul Bischoff, privacy advocate for Comparitech. “But even though a few companies use headhunters, in most cases businesses will not proactively reach out to recruit.”

This recent fake-job campaign is just the latest in a series of attacks from Lazarus, which has been operating for more than a dozen years. Earlier this year, the North Korean advanced persistent threat group was found to be impersonating aerospace corporation Lockheed Martin with a similar job posting scam, according to research from the Malwarebytes Threat Intelligence team.

Also, this is most definitely not an isolated incident, as there have been almost daily cyber-assaults on cryptocurrency sites or their customers or employees in recent weeks. Many cryptocurrency firms have been targeted by hackers, who may see potential chinks in the armor of even the largest and most respected of these payments interests with the recent roller-coaster ride of crypto-valuations.

Chris Hauk, consumer privacy champion at Pixel Privacy, pointed out that the Coinbase attack (like the one involving Lockheed Martin) uses the tried-and-true method of social engineering, “which has long been a danger on LinkedIn.”

“LinkedIn users must be alert for social engineering attacks such as this,” Hauk added. “By posing as Coinbase recruiters, the bad guys take advantage of today's job market and continual mention of cryptocurrency companies in the daily news cycle.”

Because Coinbase is one of the biggest crypto-exchange platforms, many victims see the job postings as believable and attractive, so they let their guard down and download a malicious PDF file to read more about the job. The fake Lazarus job file offers up a false job description, while the malware uses the victim’s GitHub to download information and gain access to the victim’s files.

Bischoff and Hauk both recommend that professionals in the cryptocurrency and financial technology and payments realm practice what they preach and exercise a healthy dose of suspicion with incoming job offers, even from well-respected sites.

“Be sure to investigate and vet any job positions,” Hauk said, “using your connections to help determine the veracity of any companies allegedly reaching out.”

Bischoff said that unsolicited job offers “should be a red flag treated with skepticism and caution.” He added that prospective employees should “never open links or attachments in unsolicited messages or emails, and always check the file type and file extension before opening.”
