Attackers use recruiter-style lures, code-review requests and platform-specific malware to steal crypto wallets, browser logins and credentials from coding applicants.
A North Korea-linked phishing campaign has evolved beyond earlier threat groups' tactics to target developers and steal cryptocurrency wallet data and credentials by abusing code repositories, Visual Studio Code workflows and malicious VS Code extensions.
The operation ran from April to May 2026 and hit almost 100 organizations across technology, education, business services and financial services, with a particular focus on cryptocurrency-related firms.
To lure victims (developers) into cloning attacker-controlled repositories hosted on GitHub and GitLab, the campaign relied on recruiter-style messages, code-review requests and technical assignments. In some cases, the projects looked like open-source tools or crypto-related work; in others, they posed as job applications or smart-contract testing tasks.
Once the repository was opened in a code editor, a hidden task could launch malware automatically, install a rogue extension and begin stealing wallet data, browser credentials and desktop wallet files.
The lures in the campaign changed over time, moving from fake developer job offers in late April and early May to requests for peer review, Foundry testing and AI payments work. The repositories were repeatedly rebuilt and updated, suggesting an active campaign rather than a static phishing kit.
The deployed malware also behaved differently by platform:
- On macOS and Linux, it used Go-based binaries tied to a persistent remote-access framework.
- On Windows platforms, it ran inside the editor’s own Electron process and avoided dropping a conventional executable.
The code targeted browser-stored logins, crypto wallets, cookies and system keychains, and tried to remove traces from the victim’s workspace after execution.
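The article describes two editor-side hooks: a hidden task that runs when the repository is opened, and a rogue extension that gets installed. The script below is an added example, not Proofpoint's tooling or anything recovered from the campaign: it triages a freshly cloned repository before it is opened in VS Code by reading the workspace files the editor consumes automatically. It assumes that "hidden task" means a `.vscode/tasks.json` entry with `runOptions.runOn` set to `folderOpen` (VS Code's standard auto-run mechanism; the page does not name the exact mechanism used) and that the extension push comes through `.vscode/extensions.json` recommendations. The sample repository it builds is constructed for the demonstration.

```python
"""Pre-open triage of a cloned repository (added example, not Proofpoint's
tooling): flag VS Code workspace files that can run code or pull in an
extension the moment the folder is opened.  Mapping the article's "hidden
task" to a tasks.json entry with runOptions.runOn = "folderOpen" is an
assumption; the sample repository below is constructed for the demo."""
import json
import os
import re
import tempfile

# Workspace files that VS Code reads automatically when a folder is opened.
TASKS_FILE = os.path.join(".vscode", "tasks.json")
EXTENSIONS_FILE = os.path.join(".vscode", "extensions.json")


def _load_jsonc(path):
    """Parse a VS Code JSON-with-comments file; return None if absent or invalid."""
    try:
        with open(path, encoding="utf-8") as fh:
            text = fh.read()
    except OSError:
        return None
    # Drop // and /* */ comments, but keep string literals (which may contain //).
    text = re.sub(r'("(?:\\.|[^"\\])*")|//[^\n]*|/\*.*?\*/',
                  lambda m: m.group(1) or "", text, flags=re.S)
    # VS Code tolerates trailing commas; json.loads does not.
    text = re.sub(r",\s*([}\]])", r"\1", text)
    try:
        return json.loads(text)
    except ValueError:
        return None


def scan_workspace(root):
    """Return (severity, description) findings for the repository at `root`."""
    findings = []
    tasks = _load_jsonc(os.path.join(root, TASKS_FILE))
    if isinstance(tasks, dict):
        for task in tasks.get("tasks", []):
            if not isinstance(task, dict):
                continue
            label = task.get("label", "<unnamed>")
            cmd = task.get("command", "")
            run_on = (task.get("runOptions") or {}).get("runOn")
            if run_on == "folderOpen":
                # The auto-run hook: this task fires as soon as the folder is opened.
                findings.append(("HIGH", f"task {label!r} runs on folder open: {cmd!r}"))
            elif task.get("type") in ("shell", "process"):
                findings.append(("INFO", f"task {label!r} runs a {task['type']} command: {cmd!r}"))
    ext = _load_jsonc(os.path.join(root, EXTENSIONS_FILE))
    if isinstance(ext, dict):
        for ext_id in ext.get("recommendations", []):
            findings.append(("MEDIUM", f"workspace recommends extension {ext_id!r}; "
                                       "check the publisher before accepting the prompt"))
    return findings


def build_sample_repo():
    """Write a constructed repository layout (not a real sample) into a temp dir."""
    root = tempfile.mkdtemp(prefix="clone-triage-")
    os.makedirs(os.path.join(root, ".vscode"))
    with open(os.path.join(root, TASKS_FILE), "w", encoding="utf-8") as fh:
        fh.write("""{
  // comments and trailing commas are legal in VS Code's tasks.json
  "version": "2.0.0",
  "tasks": [
    {"label": "build", "type": "shell", "command": "node ./scripts/init.js",
     "runOptions": {"runOn": "folderOpen"}},
    {"label": "test", "type": "shell", "command": "npm test"},
  ],
}""")
    with open(os.path.join(root, EXTENSIONS_FILE), "w", encoding="utf-8") as fh:
        fh.write('{"recommendations": ["example-publisher.helper-extension"]}')
    return root


if __name__ == "__main__":
    repo = build_sample_repo()
    for severity, description in scan_workspace(repo):
        print(f"[{severity}] {description}")
```

Run it against a clone before opening the folder; a HIGH finding is the cue to read the task's command and the script it points at in a plain text viewer rather than in the editor. The check complements, rather than replaces, VS Code's own Workspace Trust prompt, which is the control that should stop automatic tasks in a folder the user has not explicitly trusted.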
According to researchers from Proofpoint, who discovered and tracked the campaign, it shares traits with earlier North Korea-linked operations aimed at developers, but differs enough in delivery, scale and tradecraft to justify tracking it as a separate cluster. The latest tactics reflect "maturing and evolving" techniques as attackers industrialize recruitment-themed phishing for financial gain.