North Korean hackers use fake coding tasks to steal crypto

A likely North Korean threat actor has phished software developers at almost 100 organizations with fake job and code-review lures to steal cryptocurrency and credentials.

According to new analysis from Proofpoint, which tracks the cluster as UNK_DeadDrop, the campaign sent more than 250 emails in April and May 2026. Targets were mostly US-based and worked in technology, education or finance, with a focus on cryptocurrency firms.

Each email linked to a GitHub or GitLab repository dressed up as a coding assignment, with instructions to clone it and open the folder in an editor such as VS Code or Cursor.

Read more at Infosecurity Magazine