logo

Suspected North Korean actors use fake ‘coding assignments’ to steal crypto

ID: b408f578-7ee5-5f23-ab7a-f9f793424dcb

STIX ID: report--b408f578-7ee5-5f23-ab7a-f9f793424dcb

Feed Name: Proofpoint Blog

Threat Score
78/100

Date Published: 2026-06-09

Date Updated: 2026-06-13

...
...

## Executive summary Proofpoint observed a suspected North Korean cluster called UNK_DeadDrop using fake recruiter messages and malicious GitHub/GitLab repos as coding assignments to infect developers across ~100 companies with cross-platform malware that exfiltrates cryptocurrency wallets and credentials; the campaign abuses VS Code/Cursor task automation and VSIX extensions for execution and persistence and leverages an Overlord Go RAT on macOS/Linux and a JavaScript infostealer on Windows.

Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.