What is the UNK_DeadDrop crypto hacking campaign?

UNK_DeadDrop is a suspected North Korean-linked cyber campaign that targeted software developers with fake coding assignments. According to Proofpoint, the operation used malicious GitHub and GitLab repositories to steal cryptocurrency wallet data, passwords and login credentials.

How many organisations were targeted by the North Korean hacking campaign?

Proofpoint said the campaign targeted developers at nearly 100 organisations. Most victims were based in the United States and worked in technology, finance, education and cryptocurrency-related industries.

How did the hackers trick developers into installing malware?

The attackers sent phishing emails posing as recruiters, open-source contributors or project collaborators. Victims were asked to download and open coding projects that secretly contained malicious files designed to execute when opened in development tools such as VS Code or Cursor.

Why are cryptocurrency companies a major target for North Korean hackers?

Crypto firms often hold valuable digital assets and sensitive credentials that can be monetised quickly. North Korean-linked groups have repeatedly targeted the crypto sector because successful attacks can generate significant revenue through stolen tokens and wallet access.

Which cryptocurrency wallets were targeted in the campaign?

The malware specifically searched for popular wallets including MetaMask, Phantom, Keplr, Exodus, Electrum and Ledger Live. The attackers also attempted to steal browser-stored credentials, cookies and authentication data.

What makes this attack different from a typical phishing scam?

Instead of directing victims to fake websites, the campaign used seemingly legitimate software development repositories. This approach was designed to exploit trust within the developer community and make the malicious code appear like a genuine coding task or job assessment.

Image for illustrative purposes only. Not a real photo.

North Korean hackers target crypto developers

Written by Brie CarterPublished Jun 9, 2026, 12:36 AM

A suspected North Korean hacking group has targeted software developers at nearly 100 organisations with fake coding assignments designed to steal cryptocurrency holdings and sensitive credentials.

Cybersecurity firm Proofpoint said the campaign, which it tracks as UNK_DeadDrop, sent more than 250 phishing emails during April and May 2026, primarily targeting employees in the technology, education and finance sectors, including cryptocurrency companies.

The emails directed recipients to GitHub and GitLab repositories disguised as job applications, open-source code reviews, blockchain development tasks and artificial intelligence projects.

Researchers found the repositories contained hidden configuration files that automatically executed malicious code when opened in development environments such as VS Code or Cursor, allowing attackers to install malware without requiring significant user interaction.

The malware targeted a wide range of cryptocurrency wallets, including MetaMask, Phantom, Keplr, Exodus, Electrum and Ledger Live, while also attempting to steal browser passwords, cookies and other authentication credentials.

Proofpoint said the operation shared similarities with the North Korean-linked Contagious Interview campaign, which has used fake recruiter approaches to compromise developers and cryptocurrency firms since at least 2022.

“While attribution to a known actor remains unconfirmed, Proofpoint continues to track this ongoing activity as an independent cluster,”

The company said, adding that the campaign's scale and self-contained malware infrastructure distinguished it from previous operations.