Lazarus Group Targets Web3 Developers with Fake LinkedIn Profiles in Operation 99

The North Korea-linked Lazarus Group has been attributed to a new cyber attack campaign dubbed Operation 99 that targeted software developers looking for freelance Web3 and cryptocurrency work to deliver malware.
"The campaign begins with fake recruiters, posing on platforms like LinkedIn, luring developers with project tests and code reviews," Ryan Sherstobitoff, senior vice president of Threat Research and Intelligence at SecurityScorecard, said in a new report published today.
"Once a victim takes the bait, they're directed to clone a malicious GitLab repository – seemingly harmless, but packed with disaster. The cloned code connects to command-and-control (C2) servers, embedding malware into the victim's environment."
Victims of the campaign have been identified across the globe, with a significant concentration recorded in Italy. A lesser number of impacted victims are located in Argentina, Brazil, Egypt, France, Germany, India, Indonesia, Mexico, Pakistan, the Philippines, the U.K., and the U.S.
The cybersecurity company said the campaign, which it discovered on January 9, 2025, builds on job-themed tactics previously observed in Lazarus attacks, such as Operation Dream Job (aka NukeSped), to particularly focus on targeting developers in Web3 and cryptocurrency fields.
What makes Operation 99 unique is that it entices developers with coding projects as part of an elaborate recruitment scheme that involves crafting deceptive LinkedIn profiles, which are then used to direct them to rogue GitLab repositories.
The end goal of the attacks is to deploy data-stealing implants that are capable of extracting source code, secrets, cryptocurrency wallet keys, and other sensitive data from development environments.
These include Main5346 and its variant Main99, which serves as a downloader for three additional payloads -
- Payload99/73 (and its functionally similar Payload5346), which collects system data (e.g., files and clipboard content), terminate web browser processes, executes arbitrary, and establishes a persistent connection to the C2 server
- Brow99/73, which steals data from web browsers to facilitate credential theft
- MCLIP, which monitors and exfiltrates keyboard and clipboard activity in real-time
"By compromising developer accounts, attackers not only exfiltrate intellectual property but also gain access to cryptocurrency wallets, enabling direct financial theft," the company said. "The targeted theft of private and secret keys could lead to millions in stolen digital assets, furthering the Lazarus Group's financial goals."
The malware architecture adopts a modular design and is flexible, and capable of working across Windows, macOS, and Linux operating systems. It also serves to highlight the ever-evolving and adaptable nature of nation-state cyber threats.
"For North Korea, hacking is a revenue generating lifeline," Sherstobitoff said. "The Lazarus Group has consistently funneled stolen cryptocurrency to fuel the regime's ambitions, amassing staggering sums. With Web3 and cryptocurrency industries booming, Operation 99 zeroes in on these high-growth sectors."
CVE-2024-20439 Cisco Smart Licensing Utility Static Credential Vulnerability
CVE-2025-2783 Google Chromium Mojo Sandbox Escape Vulnerability
CVE-2019-9874 Sitecore CMS and Experience Platform (XP) Deserialization Vulnerability
CVE-2019-9875 Sitecore CMS and Experience Platform (XP) Deserialization Vulnerability
CVE-2025-30154 reviewdog/action-setup GitHub Action Embedded Malicious Code Vulnerability
CVE-2025-1316 Edimax IC-7100 IP Camera OS Command Injection Vulnerability
CVE-2024-48248 NAKIVO Backup and Replication Absolute Path Traversal Vulnerability
CVE-2017-12637 SAP NetWeaver Directory Traversal Vulnerability
CVE-2025-24472 Fortinet FortiOS and FortiProxy Authentication Bypass Vulnerability
Free online web security scanner