Web3

North Korea-Linked Hackers Target Web3 and Open Source Leaders

TrendWatcher AI (Enhanced)·47d ago·neutral

Most covered nowLIVEsee all →

TeslatechHot20 stories GoogletechHot20 stories MicrosofttechHot20 stories NvidiatechHot20 stories AppletechHot20 stories LitecoincryptoHot20 stories ChainlinkcryptoHot20 stories Artificial IntelligencetechHot20 stories

North Korean-linked hackers are using sophisticated social engineering to target crypto executives and open source maintainers to compromise supply chains.

A North Korea-linked hacking group, identified by researchers as BlueNoroff, has launched a large-scale social engineering campaign targeting over 100 cryptocurrency organizations across 20 countries [1]. The attackers, who are also believed to be behind a recent compromise of the popular Axios JavaScript library, employ long-term, high-effort deception tactics to gain access to the systems of high-value targets, including CEOs, founders, and software maintainers [1, 2].

Key takeaways

BlueNoroff, a subgroup of the Lazarus Group, has targeted crypto and blockchain finance sectors, with 45% of identified victims being CEOs or founders [1].
The attackers utilize a "slow-burn" social engineering approach, often spending weeks building trust through fake meetings and professional-looking Slack workspaces before deploying malware [1, 2].
A recent attack on the Axios NPM package involved compromising a lead maintainer’s account to distribute a remote access Trojan (RAT) to developers [2].
The threat actors maintain a "self-sustaining deepfake pipeline" that uses exfiltrated webcam footage and AI-generated imagery to create convincing fake meeting content [1].
Once a target’s device is compromised, attackers can bypass two-factor authentication (2FA) and gain unilateral control over the system [2].

Sophisticated Deception and Technical Exploits

The campaign, which Arctic Wolf Labs researchers attributed to BlueNoroff with "high confidence," relies on a multi-stage execution chain [1]. In one instance, attackers used a typosquatted Zoom link delivered via a fake Calendly invite to compromise a North American cryptocurrency company [1]. Upon clicking the link, victims were presented with a fake interface that exfiltrated their live camera feed while simultaneously deploying a clipboard injection attack [1]. This access allowed the group to remain in targeted systems for an average of 66 days, focusing on extracting information from cryptocurrency wallet extensions [1].

This playbook of patient, personalized deception was also observed in the compromise of the Axios open-source library [2]. In that case, the attacker impersonated a company founder and invited the maintainer to a legitimate-looking Slack workspace [2]. After weeks of interaction, the maintainer was prompted to install a "missing file" during a Microsoft Teams call, which turned out to be a remote access Trojan [2]. Security researchers note that these attackers avoid traditional "one-click" phishing, instead choosing to reschedule meetings and engage in normal professional discourse to disarm their targets [2].

Why it matters

The shift in tactics represents a significant evolution in the threat landscape, as attackers move beyond targeting individual crypto wallets to compromising the software supply chain [2]. By targeting open-source maintainers, hackers can gain write access to packages downloaded millions of times per week, exponentially increasing the "blast radius" of their operations [2]. Experts suggest that the convergence of AI-lowered costs for building trust and the high-value nature of these targets has made this industrialized form of social engineering a primary focus for the North Korean regime, which has been linked to such operations since at least 2014 [1, 2].

Keep reading

Web3Onxbit expands wallet‑centric trading platform with ONX Web3TrendWatcher AI (Enhanced) · 13d ago Web3Pi Network completes Protocol 21 upgrade, boosting mainnet readinessTrendWatcher AI (Enhanced) · 14d ago Web3KARPAK and LETSBURN Integrate Fitness With DePIN TechnologyTrendWatcher AI (Enhanced) · 15d ago Web3UAE Strikes on Iran Backed by US and IsraelTrendWatcher AI (Enhanced) · 15d ago Web3Mastercard Secures New York BitLicense for Stablecoin StrategyTrendWatcher AI (Enhanced) · 15d ago Web3Crypto Market Trends and Investment Strategies for 2026TrendWatcher AI (Enhanced) · 15d ago

Coming upLIVEsee all →

JUN 15 · all day UTCcryptoStarknet Token Unlock JUN 16 · all day UTCcryptoArbitrum Token Unlock JUN 17 · all day UTCcryptoApeCoin Token Unlock JUN 17 · all day UTCcryptozkSync Token Unlock JUN 17 · 18:00 UTCmacroFOMC Rate Decision

Across the coverage

Coverage is mostly measured — 64 of 80 reports stay neutral.

Bullish 5

Neutral 64

Bearish 11

The Catalyst Brief

Know what’s about to move the market.

Every Monday — the token unlocks, Fed dates & catalysts set to move crypto and markets this week. So you’re never blindsided.

Free · 3-min read · one-click unsubscribe

Synthesized from 2 sources

AI-assisted synthesis by the TrendWatcher Editorial Desk · sourced from 2 outlets · Jun 3, 2026 ·

Published

Apr 27, 2026, 07:00 AM

Source

TrendWatcher AI (Enhanced)

Frequently asked · Web3

What is Web3?

Web3 is a trending topic in the news. Recent coverage of Web3 includes: Onxbit Expands ONX Web3 Trading Infrastructure, Connecting Crypto Markets with Global Digital Asset Opportunities - Macau Business.

Why is Web3 trending today?

10 news sources analyzed

What is the current sentiment on Web3?

Based on our analysis of recent news articles, Web3 has mixed coverage. Check the sentiment score above for detailed analysis.

Where can I get the latest Web3 news?

TrendWatcher aggregates Web3 news from 100+ trusted sources and provides AI-powered sentiment analysis updated in real-time.

Explore More

Ethereum Bitcoin OpenAI Tesla Fed Rates Layer 2 Scaling