Lazarus hackers are luring crypto experts with fake Coinbase job offers

North Korea-linked Lazarus APT has been observed targeting experts in the fintech industry with a new social engineering campaign that involves fake Coinbase job offers laced with malware.

Since Coinbase is one of the world's largest cryptocurrency exchange platforms, a potential opportunity to land a job with one of the most recognizable names in the industry can lure many crypto experts, thus providing the Lazarus hackers with a large pool of potential victims.

The fake job ad, spotted by Malwarebytes researcher Hossein Jazi, was titled ‘Engineering Manager, Product Security,’ indicating North Korean hackers are interested in particular types of victims.

When the victim downloads what appears to be a PDF document allegedly containing details on the job position, the file actually downloaded is named “Coinbase_online_careers_2022_07.exe”; it displays the decoy PDF document while also deploying malware on the victim’s device.

Once executed, the malware uses GitHub as a command-and-control server to receive commands to execute on the infected device.

Earlier this month, security researchers warned that suspected North Korean hackers are plagiarizing resumes and pretending to be from other countries to raise money for the North Korean government. The scammers browse job listings on LinkedIn and Indeed and incorporate details they find in legitimate profiles into their own resumes in an attempt to get hired by US cryptocurrency companies.
