Lazarus Group Launches Cyber Attack on Web3 Developers

In Summary

  • Lazarus Group’s Operation 99 targets Web3 developers with fake LinkedIn profiles and malware-filled GitLab repositories
  • The malware steals data like source code and crypto keys, impacting Windows, macOS, and Linux
  • Victims span Italy, Argentina, Brazil, Egypt, and the US; attackers use “pay99” in malicious files
  • AI-generated profiles and realistic chats help North Korea steal funds via crypto theft


Catenaa, Wednesday, January 22, 2025 – A new cyber attack campaign linked to the North Korean Lazarus Group is exploiting the growing Web3 and cryptocurrency sectors, targeting freelance software developers with fake LinkedIn profiles to distribute malware. 

Known as Operation 99, the campaign begins with deceptive recruiters posing as potential employers on social media platforms, luring developers into testing projects and code reviews.

Once a victim engages, they are directed to clone a seemingly harmless GitLab repository.

However, the cloned code contains malware that connects to command-and-control servers, infiltrating the victim’s environment. 

Global victims have been identified, with a notable concentration in Italy.

Other impacted countries include Argentina, Brazil, Egypt, and the US.

The attackers use “pay99” labels in their malicious files, suggesting a well-organized scheme to steal sensitive data. 

Cybersecurity firm SecurityScorecard revealed that the operation targets developers to extract source code, secrets, and cryptocurrency wallet keys.

The malware architecture is flexible, capable of affecting Windows, macOS, and Linux systems. It includes tools to steal data from web browsers and monitor keystrokes, potentially leading to significant financial theft. 

This latest tactic builds on the Lazarus Group’s evolving methods, previously observed in earlier job-themed attacks like Operation Dream Job.

By leveraging AI-generated profiles and realistic communication, the attackers create highly convincing ruses to exploit human trust and curiosity, fueling North Korea’s financial goals through cryptocurrency theft.
