HiSolutions linked a fall 2024 cryptocurrency theft against a software developer environment to the North Korea linked Contagious Interview campaign. Initial access chained a malicious BeaverTail loader from a private GitHub repository through api.npoint.io, followed by InvisibleFerret and deployment of the Tsunami framework. The Tsunami tooling used Tor and Pastebin for command and control, installed Python where needed, created startup and scheduled task persistence, added Windows Defender and firewall exclusions, and dropped components such as a Runtime Broker installer. The framework was still under development and included multiple credential stealers and cryptominers, showing continued expansion of DPRK crypto theft tooling.