CSIS argues that North Korean cyber operations, alongside activity from China and Russia, are creating a transnational threat environment that current U.S.-ROK cyber cooperation is not yet structured to deter or withstand. The core recommendation is a joi…
« Reports in 2026
416 reports
Nisos links DPRK IT worker employment fraud to active targeting of cryptocurrency companies, using a suspected operative who applied for a remote Lead AI Architect role as a case study. The investigation tied the applicant to stolen or appropriated U.S. i…
The episode follows a DPRK-linked fake interview in which a malicious contractor-style repository behaved like normal development work until it contacted attacker infrastructure. The lure depended on developer trust in workspaces, dependency installation,…
Red Asgard ties the Hetzner host at 195.201.104.53 to more than BeaverTail FTP exfiltration, showing it also exposed six Express.js services on non-standard ports. Port 21 ran FileZilla Server 1.12.1 with TLS session resumption enforced and held seventy v…
Two U.S. nationals helped DPRK remote IT workers pose as U.S.-based employees by receiving company laptops, hosting them at their residences, and installing remote desktop software for overseas co-conspirators. The Justice Department said the separate sch…
Attackers exploited LayerZero Labs infrastructure on 18 April 2026, causing more than $300 million in losses across DeFi protocols and prompting two additional forged transactions totaling over $100 million before Kelp paused contracts. The excerpt says i…
ScarCruft compromised a Yanbian-focused gaming platform in a supply-chain attack aimed at ethnic Koreans in China's Yanbian region, an area linked to North Korean refugees and defectors. The Windows client was affected through a malicious update that led …
OpenSourceMalware reports that DPRK Contagious Interview and TaskJacker operators are hiding a second-stage loader inside Git pre-commit hooks instead of prior locations such as VS Code tasks, package postinstall scripts, or fake font files. The hook fing…
Aave LLC’s court filing seeks to vacate a restraining notice served on Arbitrum DAO in litigation involving plaintiffs against the Democratic People’s Republic of Korea. The memorandum says the restrained assets relate to the rsETH Incident and the April …
A five-package npm cluster used Cloudflare Pages and Workers infrastructure to deliver PylangGhost RAT. The packages shared related maintainer names, email patterns, publish timing, and dependency links, leading the source to assess they were likely opera…
BlueNoroff is using fake Zoom meetings, deepfake participant media, and ClickFix clipboard injection to target cryptocurrency and Web3 executives. The attack starts with Calendly-based social engineering and typo-squatted meeting domains, then tricks vict…
Plausible Deniability pivots from Team Cymru's reporting on DPRK IT worker infrastructure to identify a possible related Luckyguys cluster centered on luckyguys[.]cloud. The domain was registered close to luckyguys[.]site through the same registrar, hoste…
DomainTools characterizes DPRK Contagious Interview activity as a Lazarus developer-workflow compromise model that turns fake recruiting and coding assessments into initial access. Victims are pushed to clone and run repositories that hide malicious logic…
TRM Labs attributes about USD 577 million in 2026 crypto theft through April to North Korean hacking groups, with Drift Protocol and KelpDAO accounting for 76% of all crypto hack losses in that period. The Drift attack involved weeks of on-chain staging, …
HexagonalRodent is presented as a DPRK-attributed crypto-theft operation overlapping with Famous Chollima, Contagious Interview, and the broader Lazarus/TraderTraitor ecosystem. The campaign targets Web3 and DeFi developers through AI-generated LinkedIn r…