
Audit log

Every state-changing event for UNK_DeadDrop North Korea Developer Phishing Campaign: moderation decisions on community submissions, plus corrections and updates from the news pipeline. URL-based decisions carry three independent witnesses: the original source, an Internet Archive snapshot taken at submission time, and a Solana memo signed by our publicly disclosed publisher key.

  1. #1 publish by system:backfill
     2026-06-14 17:03:52Z
     Score: ?? (no score change)
     anchor: anchored
     chain: mainnet-beta, slot 426,458,080
     sig: 3UbgewJuErdj…hs3xuruL (explorer ↗)
     hash: D7vU3e1abLVs…aad86YTt (sha256 → base58)
     Row integrity: verifying row… (full verify ↗)
     canonical bytes (17894 B), shown below wrapped for display ▸
    {"actor":"system:backfill","investigation_id":"69ff48ea-7855-4146-b98b-3e2d4bcf06c8","kind":"publish","page_slug":"unk-deaddrop-north-korea-developer-phishing-campaign","published_at":"2026-06-14T17:03:52.770Z","sequence_num":1,"snapshot":{"content_type":"investigation","entity_name":"UNK_DeadDrop North Korea Developer Phishing Campaign","sections":[{"content":"Proofpoint Threat Research disclosed the UNK_DeadDrop campaign on June 8, 2026, assigning the activity to a very likely North Korea-aligned threat actor. The designation 'UNK_DeadDrop' is Proofpoint's internal tracking label for this cluster. Researchers noted thematic and operational similarities to the previously documented Contagious Interview group (also attributed to DPRK-aligned actors and sometimes referred to under the Lazarus umbrella), but found no direct telemetry overlap and classified UNK_DeadDrop as a distinct operation. Key differentiators cited by Proofpoint include: (1) initial contact via email rather than LinkedIn; (2) unsolicited job offers and code-review requests rather than staged fake interviews; and (3) a self-contained payload framework distinct from those observed in Contagious Interview activity. 
The campaign ran for approximately six weeks across April and May 2026, suggesting organized, sustained resourcing rather than an opportunistic one-off.","heading":"Campaign Overview and Attribution","severity":"critical","sources":[{"credibility":1,"name":"Don't Fear the Repo: UNK_DeadDrop Phishing Campaign Targets Developers to Steal Cryptocurrency — Proofpoint","type":"research","url":"https://www.proofpoint.com/us/blog/threat-insight/dont-fear-repo-unkdeaddrop-phishing-campaign-targets-developers-steal"},{"credibility":1,"name":"Norks blast 250+ fake job offers to developers over 6 weeks — The Register","type":"news_article","url":"https://www.theregister.com/security/2026/06/08/suspected-norks-send-250-fake-dev-job-pitches-to-steal-crypto/5252526"}]},{"content":"Over the six-week campaign window in April and May 2026, the threat actors sent more than 250 highly targeted phishing emails to individuals working across approximately 100 organizations. Targets were primarily US-based and concentrated in the technology, finance, education, and cryptocurrency sectors. Software developers represented the primary victim profile. Proofpoint's reporting identified cryptocurrency firms as a specific area of focus, consistent with the campaign's objective of draining digital-asset holdings. 
Impersonated entities used as lures in the emails included Ondo Finance, Empower Pharmacy, NXLog, OnePlan, Hypen Connect, Valon, and Nourish, among others — legitimate organizations whose names and branding were used without authorization to lend credibility to the job-offer pretexts.","heading":"Scale and Target Profile","severity":"critical","sources":[{"credibility":1,"name":"Don't Fear the Repo: UNK_DeadDrop Phishing Campaign Targets Developers to Steal Cryptocurrency — Proofpoint","type":"research","url":"https://www.proofpoint.com/us/blog/threat-insight/dont-fear-repo-unkdeaddrop-phishing-campaign-targets-developers-steal"},{"credibility":2,"name":"North Korean Hackers Use Fake Coding Tasks to Steal Crypto — Infosecurity Magazine","type":"news_article","url":"https://www.infosecurity-magazine.com/news/north-korean-hackers-developers/"},{"credibility":1,"name":"Norks blast 250+ fake job offers to developers over 6 weeks — The Register","type":"news_article","url":"https://www.theregister.com/security/2026/06/08/suspected-norks-send-250-fake-dev-job-pitches-to-steal-crypto/5252526"}]},{"content":"The infection chain began with phishing emails carrying one of two social-engineering pretexts: (1) fake job offers for developer roles at impersonated legitimate companies, or (2) code-review requests asking the target to evaluate an open-source project. Both pretexts directed recipients to actor-controlled GitHub or GitLab repositories that appeared to contain legitimate coding assignments or cryptocurrency-related projects. Inside each repository, the attackers embedded a hidden tasks.json configuration file — abusing a legitimate Visual Studio Code and Cursor editor feature that automatically runs pre-configured workspace tasks when a folder is opened. This technique requires minimal or no additional user interaction beyond cloning and opening the repository, substantially lowering the barrier to successful execution. 
Later phases of the campaign also deployed malicious VS Code extensions (VSIX files) disguised as Google services; these extensions persisted across editor restarts, providing a durable foothold. The use of both GitHub and GitLab as hosting infrastructure allowed the actors to exploit the implicit trust developers place in major code-repository platforms.","heading":"Attack Chain and Delivery Mechanism","severity":"critical","sources":[{"credibility":1,"name":"Don't Fear the Repo: UNK_DeadDrop Phishing Campaign Targets Developers to Steal Cryptocurrency — Proofpoint","type":"research","url":"https://www.proofpoint.com/us/blog/threat-insight/dont-fear-repo-unkdeaddrop-phishing-campaign-targets-developers-steal"},{"credibility":2,"name":"North Korean Hackers Use Fake Coding Tasks to Steal Crypto — Infosecurity Magazine","type":"news_article","url":"https://www.infosecurity-magazine.com/news/north-korean-hackers-developers/"},{"credibility":2,"name":"North Korea-Aligned Hackers Abuse GitHub Repositories to Infect Developers — CybersecurityNews","type":"news_article","url":"https://cybersecuritynews.com/north-korea-aligned-hackers-abuse-github-repositories/"}]},{"content":"The campaign deployed cross-platform malware tailored by operating system. On Linux and macOS systems, the infection chain executed Go-language binaries derived from Overlord, an open-source Go command-and-control framework. The attackers incorporated custom Overlord modules including browserlogin (for browser credential extraction), companywallet (for cryptocurrency wallet targeting), and cleanup (to remove forensic artifacts). On Windows systems, a JavaScript-based payload was delivered that ran directly inside the VS Code editor's Electron process, leaving minimal file-system artifacts. Across all platforms, the malicious VSIX extension — disguised as a legitimate Google service plugin — provided persistence by surviving editor restarts. 
The infection chain incorporated anti-forensic cleanup steps: after deployment, the malicious payloads and the hidden folder were deleted from the cloned repository, reducing the likelihood of post-infection detection from file-system inspection alone.","heading":"Malware: Overlord Framework and Platform-Specific Payloads","severity":"critical","sources":[{"credibility":1,"name":"Don't Fear the Repo: UNK_DeadDrop Phishing Campaign Targets Developers to Steal Cryptocurrency — Proofpoint","type":"research","url":"https://www.proofpoint.com/us/blog/threat-insight/dont-fear-repo-unkdeaddrop-phishing-campaign-targets-developers-steal"},{"credibility":2,"name":"North Korean Hackers Use Fake Coding Tasks to Steal Crypto — Infosecurity Magazine","type":"news_article","url":"https://www.infosecurity-magazine.com/news/north-korean-hackers-developers/"},{"credibility":1,"name":"Norks blast 250+ fake job offers to developers over 6 weeks — The Register","type":"news_article","url":"https://www.theregister.com/security/2026/06/08/suspected-norks-send-250-fake-dev-job-pitches-to-steal-crypto/5252526"}]},{"content":"The malware's data-collection capabilities were broad and specifically engineered to target the asset categories most valuable to a financially motivated DPRK-aligned operation. On the cryptocurrency side, the Overlord-based payload targeted 35 browser-based cryptocurrency wallet extensions — including MetaMask, Phantom, and Keplr — and 18 standalone desktop wallet applications including Exodus, Electrum, and Ledger Live. On Linux and macOS, fake system-level password dialogs were displayed to harvest user credentials, which were then used to access OS keychains or keyrings for privilege escalation and further secret extraction. Browser data exfiltration covered saved passwords and session cookies from Chrome, Brave, Edge, and Firefox. API tokens and developer credentials stored in the environment were also among the stated theft objectives. 
The combined scope — covering browser wallets, desktop wallets, OS keychains, browser stores, and developer API credentials — reflects a comprehensive, multi-layered asset-harvesting capability designed to maximize yield per compromised developer.","heading":"Credential and Cryptocurrency Theft Capabilities","severity":"critical","sources":[{"credibility":2,"name":"North Korean Hackers Use Fake Coding Tasks to Steal Crypto — Infosecurity Magazine","type":"news_article","url":"https://www.infosecurity-magazine.com/news/north-korean-hackers-developers/"},{"credibility":1,"name":"Don't Fear the Repo: UNK_DeadDrop Phishing Campaign Targets Developers to Steal Cryptocurrency — Proofpoint","type":"research","url":"https://www.proofpoint.com/us/blog/threat-insight/dont-fear-repo-unkdeaddrop-phishing-campaign-targets-developers-steal"}]},{"content":"Proofpoint situates UNK_DeadDrop within a longer pattern of suspected North Korean targeting of software developers stretching back to at least 2022, which includes campaigns tracked under the names TraderTraitor, Jade Sleet, AppleJeus, and Citrine Sleet, as well as the Contagious Interview cluster. While UNK_DeadDrop shares the fake-job social engineering pretext with Contagious Interview, Proofpoint identified no direct telemetry overlap between the two clusters and tracks them separately. The noted distinctions — email-first delivery, no fake interview stage, self-contained Overlord-based payload, industrialized repository creation at scale, and the novel VSIX persistence technique — suggest either a new subordinate unit within the broader Lazarus organizational structure or a parallel DPRK-affiliated group that has independently adopted and refined the developer-targeting playbook. 
Proofpoint's characterization of the activity as representing 'maturing and evolving' North Korean operations reflects a concern that the industrialization of this attack pattern is increasing the volume and efficiency of compromise attempts across the global developer population.","heading":"Relationship to Prior DPRK Developer-Targeting Campaigns","severity":"high","sources":[{"credibility":1,"name":"Don't Fear the Repo: UNK_DeadDrop Phishing Campaign Targets Developers to Steal Cryptocurrency — Proofpoint","type":"research","url":"https://www.proofpoint.com/us/blog/threat-insight/dont-fear-repo-unkdeaddrop-phishing-campaign-targets-developers-steal"},{"credibility":2,"name":"North Korea-linked hackers target developers via GitHub — SecurityBrief","type":"news_article","url":"https://securitybrief.com.au/story/north-korea-linked-hackers-target-developers-via-github"},{"credibility":2,"name":"North Korean hackers are at it again — phishing scheme targets hundreds of workers — TechRadar","type":"news_article","url":"https://www.techradar.com/pro/security/north-korean-hackers-are-at-it-again-phishing-scheme-targets-hundreds-of-workers-to-try-and-steal-crypto-and-more"}]},{"content":"The UNK_DeadDrop campaign represents a direct and ongoing threat to cryptocurrency organizations and the individual developers who build, maintain, or audit blockchain-adjacent software. The combination of email-delivered lures, trusted code-hosting platforms (GitHub, GitLab), legitimate editor features (VS Code workspace tasks, Cursor auto-execution), and a cross-platform malware framework capable of draining both software-managed and hardware-wallet-adjacent credentials creates a high-yield threat surface. Because the attack requires only that a developer open a cloned repository folder — a routine act in any technical assessment or code-review workflow — the social-engineering barrier is exceptionally low. 
Organizations in the cryptocurrency sector are advised to treat unsolicited coding assignment requests or peer code-review invitations with heightened suspicion, to audit VS Code extension installations and workspace task configurations, and to enforce restrictions on automatic task execution in editor settings.","heading":"Risk to Cryptocurrency Firms and Developers","severity":"critical","sources":[{"credibility":1,"name":"Don't Fear the Repo: UNK_DeadDrop Phishing Campaign Targets Developers to Steal Cryptocurrency — Proofpoint","type":"research","url":"https://www.proofpoint.com/us/blog/threat-insight/dont-fear-repo-unkdeaddrop-phishing-campaign-targets-developers-steal"},{"credibility":2,"name":"North Korea-Aligned Hackers Abuse GitHub Repositories to Infect Developers — CybersecurityNews","type":"news_article","url":"https://cybersecuritynews.com/north-korea-aligned-hackers-abuse-github-repositories/"},{"credibility":2,"name":"North Korean Hackers Use Fake Coding Tasks to Steal Crypto — Infosecurity Magazine","type":"news_article","url":"https://www.infosecurity-magazine.com/news/north-korean-hackers-developers/"}]}],"sources_used":[{"credibility":1,"name":"Don't Fear the Repo: UNK_DeadDrop Phishing Campaign Targets Developers to Steal Cryptocurrency — Proofpoint","type":"research","url":"https://www.proofpoint.com/us/blog/threat-insight/dont-fear-repo-unkdeaddrop-phishing-campaign-targets-developers-steal"},{"credibility":1,"name":"Norks blast 250+ fake job offers to developers over 6 weeks to try and snarf creds and crypto — The Register","type":"news_article","url":"https://www.theregister.com/security/2026/06/08/suspected-norks-send-250-fake-dev-job-pitches-to-steal-crypto/5252526"},{"credibility":2,"name":"North Korean Hackers Use Fake Coding Tasks to Steal Crypto — Infosecurity Magazine","type":"news_article","url":"https://www.infosecurity-magazine.com/news/north-korean-hackers-developers/"},{"credibility":2,"name":"North Korea-Aligned Hackers Abuse 
GitHub Repositories to Infect Developers — CybersecurityNews","type":"news_article","url":"https://cybersecuritynews.com/north-korea-aligned-hackers-abuse-github-repositories/"},{"credibility":2,"name":"North Korean hackers are at it again — phishing scheme targets hundreds of workers to try and steal crypto and more — TechRadar","type":"news_article","url":"https://www.techradar.com/pro/security/north-korean-hackers-are-at-it-again-phishing-scheme-targets-hundreds-of-workers-to-try-and-steal-crypto-and-more"},{"credibility":2,"name":"Suspected North Korean actors use fake coding assignments to steal crypto — SC Media","type":"news_article","url":"https://www.scworld.com/news/suspected-north-korean-actors-use-fake-coding-assignments-to-steal-crypto"},{"credibility":2,"name":"North Korea-linked hackers target developers via GitHub — SecurityBrief","type":"news_article","url":"https://securitybrief.com.au/story/north-korea-linked-hackers-target-developers-via-github"}],"summary":"UNK_DeadDrop is a suspected North Korea-aligned threat actor campaign disclosed by Proofpoint on June 8, 2026, in which attackers sent more than 250 phishing emails to software developers at approximately 100 organizations — with a heavy focus on cryptocurrency firms — over a six-week period in April and May 2026. Victims were directed to actor-controlled GitHub and GitLab repositories disguised as coding assignments or code-review projects; opening these repositories silently deployed cross-platform malware including the Go-based Overlord remote-access framework and malicious VS Code extensions (VSIX) capable of stealing browser credentials, cryptocurrency wallets, and API tokens. 
Proofpoint tracks UNK_DeadDrop as a distinct cluster from the previously documented Contagious Interview / Lazarus campaigns, noting industrialized repository creation and an email-first delivery model as differentiating characteristics.","timeline":[{"date":"2026-04-01","event":"Campaign start (approximate): UNK_DeadDrop begins sending phishing emails to developers using fake job-offer and code-review pretexts, directing targets to malicious GitHub and GitLab repositories.","source":"Proofpoint Threat Research","source_url":"https://www.proofpoint.com/us/blog/threat-insight/dont-fear-repo-unkdeaddrop-phishing-campaign-targets-developers-steal"},{"date":"2026-04-01","event":"Impersonation of at least seven legitimate companies including Ondo Finance, Empower Pharmacy, NXLog, OnePlan, Hypen Connect, Valon, and Nourish observed in lure emails.","source":"Proofpoint Threat Research","source_url":"https://www.proofpoint.com/us/blog/threat-insight/dont-fear-repo-unkdeaddrop-phishing-campaign-targets-developers-steal"},{"date":"2026-05-31","event":"Campaign end (approximate): more than 250 phishing emails sent across approximately 100 organizations in a six-week window spanning April and May 2026.","source":"Proofpoint Threat Research","source_url":"https://www.proofpoint.com/us/blog/threat-insight/dont-fear-repo-unkdeaddrop-phishing-campaign-targets-developers-steal"},{"date":"2026-06-08","event":"Proofpoint publicly discloses the UNK_DeadDrop campaign in a detailed threat-insight blog post, describing the Overlord framework, VSIX persistence technique, and cross-platform malware chain.","source":"Proofpoint Threat Research","source_url":"https://www.proofpoint.com/us/blog/threat-insight/dont-fear-repo-unkdeaddrop-phishing-campaign-targets-developers-steal"},{"date":"2026-06-08","event":"The Register, Infosecurity Magazine, CybersecurityNews, TechRadar, and SC Media publish coverage of the Proofpoint disclosure, amplifying awareness to the security and developer 
communities.","source":"The Register","source_url":"https://www.theregister.com/security/2026/06/08/suspected-norks-send-250-fake-dev-job-pitches-to-steal-crypto/5252526"}]},"v":1}
    Verify offline (run on your own machine)
    python -m src.verify_decision d987b38b-e25f-4b15-8f87-90ba44e6d0bb
How verification works. The “Row integrity” check above is computed in your browser: your machine recomputes the SHA-256 of the canonical bytes and compares it against the stored hash, so no avoid.net server can make a row whose bytes and hash disagree pass. On its own that check proves only that the displayed hash is the hash of the displayed bytes. The “full verify” link goes one level deeper: your browser fetches the on-chain transaction from a Solana RPC node and confirms the same hash is in the memo, which ties those bytes to a slot the server cannot rewrite. If you don’t want to trust either avoid.net or the public RPC, run the CLI verifier on your own machine: python -m src.verify_decision <event_id>.
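The two checks just described, carried out offline, as an added example: this is not avoid.net's `src.verify_decision`, whose source is not on this page, and it makes the following assumptions. Canonical bytes are compact, key-sorted UTF-8 JSON (the layout the blob above has); the stored hash is the base58 encoding of the SHA-256 digest, as the “sha256 → base58” label says, and the page abbreviates it as prefix…suffix; the memo instruction carries that base58 string and was issued through the SPL Memo program; the transaction is in the `jsonParsed` encoding that Solana's `getTransaction` returns; and the disclosed publisher key is one of the transaction's signers. The sample event, the sample transaction, and the publisher key string are constructed, not the real 17894-byte row or its anchor.

```python
import hashlib
import json
from typing import List, Optional

# Base58 alphabet used by Solana (the Bitcoin alphabet).
B58_ALPHABET = b"123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

# SPL Memo program ids (v2, then v1). Assumption: the publisher writes its memo through one of these.
MEMO_PROGRAM_IDS = {
    "MemoSq4gqABAXKb96qnH8TysNcWxMyWCqXgDLGmfcHr",
    "Memo1UhkJRfHyvLMcVucJwxXeuD728EqVDDwQDxFMNo",
}


def b58encode(raw: bytes) -> str:
    """Plain base58 (no checksum); each leading zero byte becomes a leading '1'."""
    n = int.from_bytes(raw, "big")
    digits = bytearray()
    while n:
        n, rem = divmod(n, 58)
        digits.append(B58_ALPHABET[rem])
    pad = len(raw) - len(raw.lstrip(b"\x00"))
    return (B58_ALPHABET[:1] * pad + digits[::-1]).decode()


def canonical_bytes(event: dict) -> bytes:
    """Assumed canonicalisation: compact JSON, sorted keys, UTF-8, no ASCII escaping."""
    return json.dumps(event, separators=(",", ":"), sort_keys=True, ensure_ascii=False).encode("utf-8")


def row_hash(canonical: bytes) -> str:
    """'sha256 -> base58', as labelled on the row."""
    return b58encode(hashlib.sha256(canonical).digest())


def matches_abbreviated(full: str, shown: str) -> bool:
    """The page shows hashes as 'prefix…suffix'; compare both ends, or the whole string if not abbreviated."""
    if "…" not in shown:
        return full == shown
    head, tail = shown.split("…", 1)
    return full.startswith(head) and full.endswith(tail)


def memo_texts(tx: dict) -> List[str]:
    """SPL Memo payloads in a jsonParsed getTransaction result."""
    out = []
    for ix in tx["transaction"]["message"].get("instructions", []):
        if ix.get("programId") in MEMO_PROGRAM_IDS or ix.get("program") == "spl-memo":
            parsed = ix.get("parsed")
            if isinstance(parsed, str):
                out.append(parsed)
    return out


def signers(tx: dict) -> set:
    """Public keys that signed the transaction (jsonParsed accountKeys carry a 'signer' flag)."""
    keys = tx["transaction"]["message"].get("accountKeys", [])
    return {k["pubkey"] for k in keys if k.get("signer")}


def verify_row(canonical: bytes, shown_hash: str,
               tx: Optional[dict] = None, publisher: Optional[str] = None) -> dict:
    """Step 1: row integrity (what the browser does). Step 2, if a transaction is supplied:
    the memo carries the same hash and, if a publisher key is supplied, that key signed it."""
    full = row_hash(canonical)
    result = {"hash": full, "row_integrity": matches_abbreviated(full, shown_hash)}
    if tx is not None:
        result["memo_anchored"] = any(full in memo for memo in memo_texts(tx))
        if publisher is not None:
            result["signed_by_publisher"] = publisher in signers(tx)
    return result


# Constructed sample event and a constructed jsonParsed transaction shaped like a memo-only transfer.
PUBLISHER_KEY = "ExamplePublisherKey111111111111111111111111"   # placeholder, not the real key
SAMPLE_EVENT = {"actor": "system:backfill", "kind": "publish", "sequence_num": 1, "v": 1}
SAMPLE_CANONICAL = canonical_bytes(SAMPLE_EVENT)
SAMPLE_HASH = row_hash(SAMPLE_CANONICAL)
SAMPLE_SHOWN = SAMPLE_HASH[:12] + "…" + SAMPLE_HASH[-8:]
SAMPLE_TX = {
    "slot": 426458080,
    "transaction": {"message": {
        "accountKeys": [{"pubkey": PUBLISHER_KEY, "signer": True, "writable": True}],
        "instructions": [{
            "program": "spl-memo",
            "programId": "MemoSq4gqABAXKb96qnH8TysNcWxMyWCqXgDLGmfcHr",
            "parsed": "avoid.net decision " + SAMPLE_HASH,
        }],
    }},
}

if __name__ == "__main__":
    print(verify_row(SAMPLE_CANONICAL, SAMPLE_SHOWN, SAMPLE_TX, PUBLISHER_KEY))
```

Against the real row, `canonical` is the unwrapped blob above and `tx` is the `getTransaction` result for the listed signature with `"encoding": "jsonParsed"`; the page's prefix…suffix abbreviation is enough to catch a swapped hash but a full-length comparison is stronger, so take the complete hash from the explorer or the full-verify view when you have it.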