Cybersecurity News in Asia

Features
- Featured
  
  How AI is supercharging state-sponsored threat actors in Asia Pacific
  
  Wednesday, January 14, 2026, 4:06 PM Asia/Singapore | Features
- Featured
  
  Leveraging digital twins to combat rising AI-powered threats
  
  Thursday, January 8, 2026, 1:58 PM Asia/Singapore | Features
- Featured
  
  Editor's pick: Cybersecurity trends in 2026
  
  Wednesday, January 7, 2026, 10:36 AM Asia/Singapore | Cyberthreat Landscape, Features, Newsletter
Opinions
Tips
Whitepapers
Awards 2025
Directory
E-Learning

North Korean hackers target crypto developers, steal billions using sophisticated malware

By CybersecAsia editors | Thursday, April 24, 2025, 10:26 AM Asia/Singapore

Dangling fake job offers and rigged coding tests to lure applicants, a state-sponsored threat group has been looting billions in cryptocurrencies.

Threat researchers have found that North Korean state-sponsored hackers have been waging a sophisticated campaign against cryptocurrency developers, exploiting professional networking and coding platforms to deliver custom malware that can evade traditional detection tools.

The threat group is believed to have stolen over US$1bn from the cryptocurrency sector in 2023 alone, including a US$1.5bn heist from a Dubai-based exchange, and a US$308m theft from a Japanese firm.

Attackers have posed as recruiters on professional career networking platforms, targeting developers with enticing job offers. After initiating contact, the malicious actors send a PDF with a job description, followed by a coding challenge hosted on GitHub. These repositories appear legitimate but have been secretly modified to include malicious code, typically in Python or JavaScript, tailored to each victim’s expertise.

Method of attack

Once a developer runs the code, two custom malware strains — RN Loader and RN Stealer — are deployed.

RN Loader collects system information and executes further malicious payloads
RN Stealer is designed to harvest sensitive data such as SSH keys, cloud credentials and even iCloud Keychain data on macOS systems.

The malware uses advanced evasion techniques such as YAML deserialization and Embedded JavaScript templating to run in memory, minimizing its footprint and making detection difficult.

A key feature of this campaign is its selectivity: the malicious payloads are only delivered after the attackers verify the victim’s IP address, geolocation, and system configuration, ensuring that only high-value targets are compromised. The attackers are also mimicking legitimate infrastructure, using Command-and-Control servers that resemble normal web traffic to avoid raising suspicion.

The campaign has prompted platforms such as LinkedIn and GitHub to remove accounts and repositories linked to the threat group.

Security experts from Palo Alto’s Unit 42, the teams uncovering and monitoring the North Korean threat group, advise developers to be wary of unsolicited job offers and coding challenges, to separate personal and work devices, and to carefully vet any external code before execution.