Fake recruiter campaign targets crypto developers

A new branch of a well-coordinated fake job recruitment campaign is targeting JavaScript and Python developers via social channels.

ReversingLabs uncovered the "graphalgo" campaign by North Korea's Lazarus Group, active since May 2025, targeting crypto developers via fake job offers on LinkedIn, Facebook, and Reddit. Posing as firms like "Veltrix Capital," attackers provide GitHub tasks with malicious npm and PyPI dependencies (e.g., graphalgo, bigmathutils) that install RATs checking for MetaMask and enabling remote control. The modular setup uses indirect payload delivery for persistence, with IoCs including codepool.cloud and listed package hashes.
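
A pre-install check a developer could run over a recruiter-supplied repository before `npm install` or `pip install`, as an added example that is not from ReversingLabs or the original page. It flags only the two package names and the domain named above; the function names and sample manifests are constructed, and because the summary does not say which registry hosts which package, both names are checked in both manifest types.

```python
import json
import re

# Indicators named in the summary above. Assumption: either name may appear
# in either ecosystem, so both manifest scanners use the same set.
FLAGGED_PACKAGES = {"graphalgo", "bigmathutils"}
FLAGGED_DOMAIN = "codepool.cloud"

NPM_SECTIONS = ("dependencies", "devDependencies",
                "optionalDependencies", "peerDependencies")


def scan_package_json(text):
    """Return (section, name) for each flagged entry in a package.json."""
    data = json.loads(text)
    hits = []
    for section in NPM_SECTIONS:
        for name, spec in (data.get(section) or {}).items():
            # The spec can be a URL or git reference instead of a version.
            if name.lower() in FLAGGED_PACKAGES or FLAGGED_DOMAIN in str(spec):
                hits.append((section, name))
    return hits


def scan_requirements(text):
    """Return (line_number, token) for each flagged requirements.txt line."""
    hits = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        if FLAGGED_DOMAIN in line:           # direct URL or index override
            hits.append((lineno, line))
            continue
        # The project name is the leading token, before extras or specifiers.
        m = re.match(r"[A-Za-z0-9][A-Za-z0-9._-]*", line)
        if m and m.group(0).lower() in FLAGGED_PACKAGES:
            hits.append((lineno, m.group(0)))
    return hits


# Constructed sample manifests (versions and other package choices are made up).
SAMPLE_PACKAGE_JSON = """{"name": "take-home-task",
  "dependencies": {"express": "^4.18.0", "bigmathutils": "^1.0.0"},
  "devDependencies": {"jest": "^29.0.0"}}"""
SAMPLE_REQUIREMENTS = """# constructed sample
requests>=2.31
GraphAlgo==0.1.0  # pinned by the task author
numpy
"""
```

A clean result only means these three indicators are absent; the full IoC list is in the ReversingLabs report.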
