North Korean hackers keep finding new ways in. A fresh phishing wave has hit hundreds of workers in finance, technology and cryptocurrency firms. The goal stays the same. Steal credentials, gain entry to networks and walk off with digital assets.
The latest campaign relies on email lures dressed up as job offers or code review requests. Attackers pose as recruiters or fellow developers. They direct targets to malicious repositories on GitHub. Once opened, the code drops infostealer malware. Wallets get drained. Corporate access is harvested. TechRadar reported the details on June 9, 2026.
Proofpoint researchers tracked the effort to a group they call UNK_DeadDrop. This actor operates in parallel with the better-known Lazarus operation. The tactics look familiar yet show clear evolution. Instead of lengthy fake interviews on LinkedIn, these attackers favor quick unsolicited emails. No drawn-out conversations. Just a link to a repo that does the damage.
“UNK_DeadDrop activity suggests North Korea-aligned operations targeting developers for financial gain are maturing and evolving,” Proofpoint concluded. “The shift from active social engineering over social media platforms to conduct fake interviews to large campaigns of recruitment-themed phishing emails distributing links to malicious repositories could indicate an actor industrializing and scaling operations.”
But this is only one thread. The broader pattern runs much deeper. For years North Korean teams have mixed direct hacks on exchanges with patient infiltration of companies. They apply for remote IT roles using stolen or fake identities. They pose as recruiters themselves. They run fake hiring processes that end in technical tests designed to pull source code, credentials and VPN access.
Chainalysis documented the scale in its 2026 Crypto Crime Report. North Korean actors stole $2.02 billion in cryptocurrency during 2025. That marked a 51 percent jump from the year before and pushed their cumulative total past $6.75 billion. Fewer incidents. Bigger hauls. The shift reflects growing sophistication.
They embed IT workers inside crypto services to gain privileged access. More recently they have flipped the model. They impersonate recruiters for prominent web3 and AI firms. The fake interview becomes the weapon. Targets run code or share details that open doors to their current employers. Executives face similar approaches disguised as investor outreach or acquisition talks.
These operations feed straight into state coffers. The funds help Pyongyang skirt sanctions and bankroll its weapons programs. U.S. and South Korean officials have warned the industry repeatedly. Yet the attacks continue. And they grow more efficient.
Earlier efforts under names like Contagious Interview and Operation DreamJob showed the template. Hackers created entire fake companies and personas on LinkedIn. They offered high-paying roles in hot areas like blockchain and artificial intelligence. Candidates received trial assignments hosted on GitHub. The code contained malware. Once inside a victim’s machine, the attackers grabbed wallet data, corporate logins and more.
Reuters examined one such wave in September 2025. At least 230 people received the lures between January and March that year. The targets included coders, influencers and executives. Some lost thousands in crypto after their machines were compromised. One victim watched Ether and Solana tokens vanish after completing what looked like a legitimate coding test.
The fake interview process often moved to obscure websites or video calls. Recruiters asked for screen sharing or code execution under the guise of skills assessment. Victims thought they were interviewing with legitimate blockchain projects. They were handing over the keys.
So the UNK_DeadDrop campaign fits a pattern that has been refined over time. Mass email blasts replace personalized LinkedIn messages in some cases. Self-contained payloads reduce reliance on known toolkits. The effect remains identical. Compromised developers become bridges into richer targets. One foothold can yield wallet access, customer data or even the ability to push malicious updates.
Industry numbers paint a sobering picture. Global crypto theft reached $3.4 billion in 2025. North Korea claimed the lion’s share. In early 2026 their dominance grew even sharper. TRM Labs and others reported that the group was behind roughly 76 percent of stolen funds through the first four months, often from just two or three high-profile incidents.
But the volume of attacks matters less than precision. Social engineering now drives most successes. Technical vulnerabilities in smart contracts still get exploited. The human element, however, proves far more reliable. Workers under pressure to change jobs or showcase skills make perfect marks.
Companies in decentralized finance sit especially exposed. Many operate with lean teams and remote cultures. They prize speed over stringent background checks. That creates openings. A single hired contractor with a fake resume can sit inside the organization for months before anyone notices odd behavior.
U.S. authorities have brought charges in some cases. The Justice Department detailed schemes in which North Korean operatives used stolen identities to land remote IT jobs at American firms, including blockchain companies. They drew salaries. They stole crypto on the side. One Atlanta-based blockchain research outfit lost more than $900,000.
Yet enforcement lags the pace of innovation on the attacker side. New groups appear. Tactics adapt. UNK_DeadDrop’s move toward bulk phishing signals a possible division of labor. Some teams chase big exchange heists. Others grind away at individual developers and mid-sized projects. The aggregate result funds the same regime.
Defenders face hard choices. Training helps but only to a point. Technical controls such as strict code execution policies and endpoint detection catch some payloads. They miss others. The most effective barrier may be cultural. Companies must treat every unsolicited job-related contact with suspicion. They must verify identities through multiple channels. They must limit what candidates can run or access during interviews.
That sounds basic. It is. But the evidence shows many organizations still fall short. High salaries in crypto attract talent. They also attract operators willing to spend weeks building believable backstories.
The latest Proofpoint findings highlight another worrying trend. North Korean-aligned activity appears to be industrializing. Larger campaigns. Less reliance on labor-intensive social engineering. Automated elements mixed with human oversight. If that model scales further, the volume of compromised developers could jump dramatically.
And the stolen funds rarely sit still. Mixers, bridges and over-the-counter desks help launder the proceeds. Some end up supporting luxury purchases or operational costs for the hacking teams themselves. Most flow back to the state.
Blockchain analysis firms continue to trace the money. They watch clusters of addresses tied to known Lazarus wallets. They see patterns repeat. Yet the actors evolve their laundering techniques just as quickly as their initial access methods.
For technology leaders in crypto the message is clear. The threat is not abstract. It is not confined to large exchanges. It reaches individual contributors, engineering managers and anyone with wallet keys or network privileges. Hundreds have already been targeted in the latest wave alone. Thousands more sit in the crosshairs.
Short-term vigilance can blunt the attacks. Long term, the industry may need structural changes. Stronger identity verification for remote roles. Better segmentation of sensitive systems. Reduced dependence on single points of compromise. None of it is easy. All of it is necessary.
Because the operators in Pyongyang show no sign of slowing down. Their success rate improves. Their toolkit expands. And the money keeps flowing.
North Korean Phishing Nets Expand: Hundreds of Tech Workers Lured in Fresh Bid for Crypto Access first appeared on Web and IT News.
