North Korea’s State-Run “Lazarus” Cybercrime Org Victimizes Coinbase Job-Hunters with Advanced Phishing Attack

The News: North Korea’s state-backed cybercrime workforce (aka Lazarus) just can’t quit its pet-approach to phishing attacks; Posting bogus opportunities on job boards – this time targeting would-be employees for the crypto giant Coinbase. For their part, Apple, whose M1 chips were vulnerable to the attacks, took swift action to revoke the certificate which enabled the malware to execute.

Cybersecurity software producer ESET first sounded the alarm on Twitter after their research arm learned that a Mac executable disguised as a job opportunity had been uploaded to VirusTotal. Read more about the threat from DarkReading.

With Coinbase Scam, Lazarus Takes Aim at Tech Savvy Job Seekers

Coinbase Scam Tweet

Read the full thread on Twitter

Analyst Take: ESET’s research arm has been closely watching the Pariah state’s Operation In(ter)ception since early 2020 when it found evidence of attacks against military and aerospace companies. At the time they produced an extensive white paper on the topic and concluded that North Korea’s main goal for the malware was espionage. The group was already placing a file titled “Interception.dll” to draw in victims with completely fabricated, though convincing, job opportunities via LinkedIn and other popular job-search sites.

According to ESET’s Twitter thread, the newest iteration of Operation In(ter)ception malware can penetrate both Intel and Mac Silicon. The cybersecurity giant warned of three files left by the malware: a decoy PDF document Coinbase_online_careers_2022_07.pdf, a bundle http://FinderFontsUpdater.app, and a downloader safarifontagent. The Twitter thread goes on to break down each element of the program and how they work together to gain access and information.

It may seem ironic that folks who are seeking positions at a large tech company would be so easily victimized by a phishing expedition, but there’s a method to the madness.

Apple Closed a Major Loophole OSX Users but the Threat Remains Active

In order to hoodwink relatively tech-savvy job seekers, it’s likely that the attackers were in direct contact with their victims, Peter Kalnai, a senior malware researcher for ESET, told DarkReading. “The victim was probably instructed to click whatever popup windows showed up in order to see the ‘dream job’ offer from Coinbase.”

“The certificate has been revoked, so it’s not possible to execute it until the user adds it to allowed applications,” continued Kalnai, stating that Mac users running OSX Catalina or later now had some level of protection from the malware’s current iteration. But before you breathe too easy, consider Kalnai’s description of the advanced nature of Lazarus operations: “This remains a threat when the attackers start to be convincing enough to trick the victim to overcome those obstacles with execution.”

Government Cybersecurity Experts Keep Cautious Eye on Lazarus’ Rapid Growth

Kalnai isn’t alone in his concern. Former White House Senior Director of Cybersecurity Policy, Andrew Grotto, who held the role in both the Obama and Trump administrations and now directs Stanford’s Center for International Security and Cooperation also escalated the alarm, warning that North Korea’s ability to execute high-level cyberattacks had very quickly gone from an “aspiring antagonist” to successfully positioning itself as “a [if not the] top, cyber operators when it comes to high-end potential crimes.”

Disclosure: Futurum Research is a research and advisory firm that engages or has engaged in research, analysis, and advisory services with many technology companies, including those mentioned in this article. The author does not hold any equity positions with any company mentioned in this article.

Analysis and opinions expressed herein are specific to the analyst individually and data and other information that might have been provided for validation, not those of Futurum Research as a whole.

Other insights from Futurum Research:

Microsoft Issues Warning on Large Scale Phishing-as-a-Service Operation 

TeleSign Silent Verification Service Launches, Designed to Reduce Multi-Factor Authentication Headaches for Mobile Users

Google’s Cybersecurity Efforts to Include Mobile Devices as Security Keys

Image Credit: Phys.org

Author Information

Shelly Kramer is a serial entrepreneur with a technology-centric focus. She has worked alongside some of the world’s largest brands to embrace disruption and spur innovation, understand and address the realities of the connected customer, and help navigate the process of digital transformation.

Related Insights
Can Anthropic's GRAM 'Off Switch' Make Dual-Use AI Safer Without Killing Utility?
July 10, 2026

Can Anthropic’s GRAM ‘Off Switch’ Make Dual-Use AI Safer Without Killing Utility?

Anthropic and AE Studio introduced GRAM, enabling selective removal of sensitive AI capabilities without retraining, potentially addressing privacy and security concerns for organizations adopting generative AI....
Exprivia Bets Big on Banking Security: Can Partnership Drive Real Innovation?
July 10, 2026

Exprivia Bets Big on Banking Security: Can Partnership Drive Real Innovation?

Exprivia announced partnership with ABI's WeSec summit as Main Partner, aligning with surging demand for cybersecurity and AI solutions across Italian banking. The move positions the company to capitalize on...
Kore.ai and Atos Bet on Sovereign Agentic AI, Will UK Enterprises Demand Proof, Not Promises?
July 8, 2026

Kore.ai and Atos Bet on Sovereign Agentic AI, Will UK Enterprises Demand Proof, Not Promises?

Kore.ai and Atos announce a strategic partnership to deliver Sovereign AI solutions to UK organizations, addressing data residency and compliance requirements in the rapidly expanding $181B AI platforms market....
ServiceNow and Accenture Bet on Migration to Win Enterprise Risk
July 7, 2026

ServiceNow and Accenture Bet on Migration to Win Enterprise Risk

Fernando Montenegro, VP at The Futurum Group, examines the ServiceNow and Accenture cybersecurity offering, and why its AI-powered migration and the Armis acquisition point to a bid to become the...
Compliance as Code Is No Longer Optional: Why Manual Reviews Can’t Keep Up
July 4, 2026

Compliance as Code Is No Longer Optional: Why Manual Reviews Can’t Keep Up

Qodo's 'Compliance as Code' framework automates enterprise AI compliance through PR checks, solving the data privacy and security gaps that plague manual reviews at scale....
Brave's Browser Containers Raise the Bar for Privacy and Workflow Flexibility
July 3, 2026

Brave’s Browser Containers Raise the Bar for Privacy and Workflow Flexibility

As AI platform adoption accelerates to $181.3B projected market size, Brave's v1.92 release introduces native browser containers addressing data privacy concerns for 52.6% of enterprise decision makers managing multi-cloud AI...

Book a Demo

Welcome

The vision behind everything in Futurum’s Custom Research practice is this: research should show you what is happening, what comes next, and what to do about it. It should be personal to each audience, easy for people to grasp, and structured so LLMs can reason over it accurately. And it should be fast and turnkey; you want answers now, not another project to carry for quarters.

Whether you are defining business, channel, or go-to-market strategy; evaluating vendors or justifying ROI; or commissioning research to fill an emerging market need, we have your back, with a program that answers your questions with the objectivity and credibility to drive real decisions.

To do it, we bring unmatched data to bear: Futurum research, surveys, and market projections; validated market feeds; ETR’s 15 years of insight from 10,000 technology decision-makers; G2’s buyer and user data; and what our analysts hear every day. Add leading primary collection, from AI-moderated voice interviews to surveys and analyst-led interviews, all turnkey, and every project comes out credible, nuanced, and actionable.

And we don’t just drop the results in your lap. For internal work, we provide analyst-led sessions, interactive dashboards, and a range of formats. For market-facing work, Futurum delivers turnkey activation and amplification that actually gets seen, by people and by LLMs, through our media and share of voice. This is research that moves decisions and markets.

We will meet you wherever you are, from a fast-turn brief to a multi-year program, and shape the work to your goals, timeline, and budget. The right program for your moment.

If any of this is useful, I would love to talk.

Benjamin Brown, VP Custom Research, Futurum Research

Benjamin Brown

VP, Custom Research · The Futurum Group

Newsletter Sign-up Form

Get important insights straight to your inbox, receive first looks at eBooks, exclusive event invitations, custom content, and more. We promise not to spam you or sell your name to anyone. You can always unsubscribe at any time.

All fields are required






Thank you, we received your request, a member of our team will be in contact with you.