According to a recent report by cybersecurity firm Cisco Talos, hackers linked to North Korea delivered malicious JavaScript via a fake cryptocurrency application and an npm package.
The malware, which has been dubbed "OtterCookie/BeaverTrail," is capable of stealing keystrokes, clipboard content, screenshots and browser wallets of the likes of Metamask.
Modus operandi
A potential victim is typically lured with a bogus job or freelance gig. The attacks install malware with the help of an obfuscated JavaScript payload and collect sensitive data. The stolen files then get uploaded to the attacker's servers.
Notably, the hackers use a crypto app as bait, so they are specifically targeting those users who already have crypto wallets on their computers.
Immediate action
Those who think that they were exposed to the attack should assume that their hot wallets were compromised.
Attackers typically steal extension files and passwords together with seed phrases to drain wallets.
One should immediately start moving funds and revoke token approvals for old wallets that were potentially hacked.
It would also be advisable to wipe and reinstall the operating system.
In order not to fall victim to hackers in the first place, one should refrain from running code from untrusted sources. They can be run via containers or VMs.
$2 billion worth of stolen crypto
Earlier this month, TechCrunch reported that North Korean hackers had already stolen roughly $2 billion worth of crypto this year.
The report, which cites data from blockchain sleuth Elliptic, says that the total amount of crypto stolen by the "Hermit Kingdom" currently stands at $6 billion.
Dan Burgin
Vladislav Sopov
U.Today Editorial Team