Lazarus Group Exploits Fake LinkedIn Profiles to Target Web3 Developers in Operation 99

The Lazarus Group, a North Korea-linked hacking organization known for high-profile cyberattacks like the WannaCry ransomware, has launched a new operation called Operation 99. This campaign targets software developers in the Web3 and cryptocurrency sectors, aiming to steal sensitive information and deploy malware.

According to Ryan Sherstobitoff, Senior Vice President at SecurityScorecard, the attack starts with fake recruiters on LinkedIn. These recruiters trick developers by offering fake project tests and code reviews. Victims are then directed to download malicious code from a fake GitLab repository. This code secretly connects to the attackers’ servers and installs malware on the victim’s systems.

Most victims are in Italy, likely because of the country’s active Web3 and cryptocurrency developer community. Italy’s large number of freelance developers working on blockchain projects may have made them more susceptible to these types of attacks. Victims have also been identified in countries like Argentina, Brazil, Egypt, France, Germany, India, Indonesia, Mexico, Pakistan, the Philippines, the U.K., and the U.S., highlighting the global reach of the campaign. The operation was discovered on January 9, 2025, and builds on similar tactics used in previous Lazarus campaigns, such as Operation Dream Job (NukeSped). However, Operation 99 introduces a new level of sophistication by targeting developers with fake coding projects.

The attack uses fake LinkedIn profiles to lead victims to compromised GitLab repositories filled with malicious code. These repositories are designed to look legitimate, luring victims into downloading harmful programs. The main goal of Operation 99 is to steal source code, cryptocurrency wallet keys, and other sensitive information from development environments, ultimately enabling the Lazarus Group to access significant financial assets.
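The lure described above only works if the developer runs the code in the repository. As an added example that is not from the original post or from SecurityScorecard's research, the Python script below triages a downloaded project before anything is executed: it lists npm lifecycle hooks that would run automatically on `npm install` and flags source files that contain dynamic code execution, base64 decoding, long encoded blobs, or outbound network calls. The heuristics, file names and the sample project it builds are constructed for illustration; the page does not describe the Operation 99 repositories in this detail.

```python
"""Pre-execution triage of a downloaded project directory (added example).

Constructed heuristics: surface the places where a "coding test" would run
code automatically (npm lifecycle hooks) and the source files that contain
patterns worth a human look (dynamic execution, base64 decoding, long
encoded blobs, outbound network calls). Nothing in the project is executed.
"""
import json
import re
import tempfile
from pathlib import Path

# npm runs these automatically during `npm install`, before the developer
# has opened a single file.
NPM_HOOKS = {"preinstall", "install", "postinstall", "prepare"}

# Source-level patterns to review before running anything (constructed list).
SUSPICIOUS_PATTERNS = {
    "network_call": re.compile(
        r"\b(requests\.(get|post)|urllib\.request|http\.request|fetch\(|"
        r"socket\.connect|new\s+WebSocket)", re.I),
    "dynamic_exec": re.compile(r"\b(eval|exec|Function|child_process|subprocess)\b"),
    "base64_decode": re.compile(
        r"\b(b64decode|atob|Buffer\.from\([^)]*['\"]base64['\"]\))"),
    "long_encoded_blob": re.compile(r"[A-Za-z0-9+/=]{200,}"),
}

SOURCE_SUFFIXES = {".js", ".mjs", ".cjs", ".ts", ".py", ".sh"}


def scan_project(root):
    """Return (relative_path, finding) tuples for every file under root."""
    root = Path(root)
    findings = []
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        if path.name == "package.json":
            try:
                data = json.loads(path.read_text(encoding="utf-8"))
            except ValueError:
                findings.append((rel, "unparseable package.json"))
                continue
            scripts = data.get("scripts", {}) if isinstance(data, dict) else {}
            for hook in sorted(NPM_HOOKS & set(scripts)):
                findings.append((rel, f"npm lifecycle hook '{hook}': {scripts[hook]}"))
        elif path.suffix in SOURCE_SUFFIXES:
            text = path.read_text(encoding="utf-8", errors="replace")
            for label, pattern in SUSPICIOUS_PATTERNS.items():
                if pattern.search(text):
                    findings.append((rel, label))
    return findings


def build_sample_project():
    """Write a constructed sample project to a temp dir and return its path."""
    root = Path(tempfile.mkdtemp(prefix="triage_demo_"))
    (root / "src").mkdir()
    (root / "setup").mkdir()
    (root / "README.md").write_text("# Coding test\nRun `npm install` then `npm test`.\n")
    (root / "src" / "index.js").write_text("module.exports = (a, b) => a + b;\n")
    # A postinstall hook pointing at a helper script is exactly what a
    # reviewer should see before typing `npm install`.
    (root / "package.json").write_text(json.dumps({
        "name": "coding-test",
        "scripts": {"postinstall": "node setup/init.js", "test": "node src/index.js"},
    }, indent=2))
    # Constructed stand-in for an obfuscated helper: long encoded blob,
    # base64 decode, outbound call and eval. It is only written, never run.
    blob = "A" * 240
    (root / "setup" / "init.js").write_text(
        f'const blob = "{blob}";\n'
        'const code = Buffer.from(blob, "base64").toString();\n'
        'fetch("https://example.invalid/beacon").catch(() => {});\n'
        "eval(code);\n")
    return root


def demo():
    """Build the sample project and return what the triage flags."""
    return scan_project(build_sample_project())


if __name__ == "__main__":
    for rel, finding in demo():
        print(f"{rel}: {finding}")
```

The output is a review list, not a verdict: a clean result means only that none of these patterns appeared, and a reviewer still has to read any hook or flagged file before running it. The practice the post implies is to open unverified "test projects" only in a disposable VM or container with no access to wallets, SSH keys or production credentials.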

The malware used in this campaign is highly sophisticated and includes several components:

  1. Payload99/73 and Payload5346: These components collect system information such as files and clipboard data, terminate web browser processes, execute commands, and maintain persistent connections to the attackers’ servers. Their capabilities allow for deep infiltration of the victim’s environment.
  2. Brow99/73: This payload specifically targets web browsers to steal login credentials and other sensitive information, facilitating further exploitation.
  3. MCLIP: This module monitors and exfiltrates keyboard and clipboard activity in real time, allowing attackers to capture sensitive data as it is being typed or copied.

SecurityScorecard has warned that compromising developer accounts can lead to severe consequences, including the theft of intellectual property and cryptocurrency. Private keys and credentials stolen through this campaign can result in millions of dollars in digital asset losses, aligning with the Lazarus Group’s strategy to fund North Korea’s governmental ambitions.

The malware’s architecture is modular, highly adaptable, and compatible with Windows, macOS, and Linux operating systems. This flexibility demonstrates the advanced skills of the Lazarus Group and their ability to adapt to different environments.

“For North Korea, hacking is a key way to generate money,” Sherstobitoff explained. “The Lazarus Group has stolen massive amounts of cryptocurrency to fund their government’s ambitions. With the growing popularity of Web3 and cryptocurrency, Operation 99 focuses on these booming industries.”

This campaign showcases the increasing sophistication of nation-state cyber threats. By leveraging fake professional profiles, deceptive repositories, and advanced malware, Operation 99 serves as a stark reminder of the importance of robust cybersecurity measures. Professionals and organizations in the Web3 and cryptocurrency industries, along with those in other technology fields, must stay alert and implement strong defenses to counter these persistent and evolving threats.

References

https://niccs.cisa.gov/cybersecurity-career-resources/news

https://thehackernews.com/2025/01/lazarus-group-targets-web3-developers.html

https://securityscorecard.com/blog/operation-99-north-koreas-cyber-assault-on-software-developer

https://hbr.org/2022/05/what-is-web3


7 Comments

  1. This is such a wake-up call! Operation 99 shows just how sophisticated threats from groups like Lazarus have become. Using fake LinkedIn recruiters and GitLab repositories to target Web3 developers is alarming.
    It’s a strong reminder for developers to verify recruiters and sources before downloading anything and for companies to focus on training and tighter security controls. Kudos to SecurityScorecard for exposing this campaign—spreading awareness like this is key to staying ahead of these threats! Stay cautious and safe, everyone!

    1. Well said, Saniya! Verification is absolutely crucial in every facet of the modern world we live in. Nothing should be overlooked!

  2. Dag-Emmanuel, your post provided a clear and detailed analysis of Operation 99 and the innovative tactics of the Lazarus Group. What stood out to me was the use of fake LinkedIn profiles and coding projects to infiltrate developer environments.
    The technical breakdown of the malware components, like Payload99/73 and MCLIP, was particularly enlightening. This post is a crucial reminder for Web3 professionals to prioritize robust cybersecurity measures.

  3. Informative Post, Dag-Emmanuel! I’m impressed by the Lazarus Group’s competence at using social engineering to their advantage by using fake GitLab repositories and recruiters to deceive developers. However, it also indicates a high degree of technological competence because the operation injects malicious code using a fake GitLab repository. To protect against attacks like Operation 99, a combination of continuous education, strong security practices, and technical awareness is necessary throughout the process of developing software.

  4. This event highlights the critical need for a zero-trust mindset and the use of sandbox environments for every activity. While Square offers a sandbox browser, a fully sandboxed environment for code development would be ideal. GitHub has recently implemented such features to help mitigate these risks.

  5. Great post Dag!
    This post shows how these attackers can be very skillful at planning, choosing their targets, and executing their mission! This is why the need for security awareness training and exercises is not just for organizations with networks and systems, it's for everyone. Imagine a jobseeker being used as an attack vector without their knowledge! That’s absurd!

  6. Good work Dag!! Your research underscores the rising threat posed by nation-state cyber actors like the Lazarus Group, whose evolving tactics now specifically target Web3 and cryptocurrency developers. Because sophisticated social engineering and malware deployment might jeopardise important intellectual property and financial assets, Operation 99 emphasises the need for increased vigilance. To counter such high-stakes risks, it is crucial to strengthen cybersecurity defences, confirm recruiting identities, and carry out comprehensive code audits.
