Freelance Developers Targeted By Cyberattack Campaign

Freelance software developers, particularly those involved in cryptocurrency projects, are being targeted by a sophisticated cyberattack campaign called DeceptiveDevelopment.

Researchers from ESET have uncovered that hackers, believed to be linked to North Korea, are impersonating recruiters to trick developers into downloading malicious software disguised as coding challenges or job interview tasks.

The attackers create fake profiles on popular job-hunting platforms like LinkedIn, Upwork, and Freelancer.com, posing as recruiters offering lucrative freelance opportunities.

They send potential victims a coding test or project, often hosted on platforms like GitHub, that contains hidden malware designed to steal sensitive information such as cryptocurrency wallets, login credentials, and browser data.

Once the developer downloads and runs the project, their computer is infected with malware called BeaverTail, which serves as the first-stage tool for data theft and downloading additional malicious software.

A second-stage malware, InvisibleFerret, is then deployed, giving attackers remote access to the victim’s computer and allowing them to extract even more information.

Freelance developers, especially those working on cryptocurrency and blockchain projects, are the primary targets, but the attackers do not discriminate based on location or experience level. Both junior and seasoned professionals have been affected, with victims reported worldwide.

North Korea-aligned hackers have a history of targeting cryptocurrency projects as a means of funding their operations.

By stealing crypto wallets and login credentials, they can directly access funds without the need to launder money through traditional banking systems, making developers in the crypto space particularly vulnerable.

ESET researchers advise freelance developers to be cautious when approached by recruiters offering coding challenges or projects. Verifying the recruiter’s profile for inconsistencies, such as a lack of connections or a newly created account, is essential.

Before running any code, developers should inspect it carefully for suspicious lines or hidden scripts, especially in long comments. Keeping antivirus software up to date can help detect and block malware, and avoiding downloads from unfamiliar sources can reduce the risk of infection.

DeceptiveDevelopment is part of a growing trend of cyberattacks targeting cryptocurrency users.

ESET researchers warn that the campaign is evolving, with attackers refining their techniques to make detection more difficult. Freelancers and developers are urged to remain vigilant and report any suspicious activity to cybersecurity professionals.