North Korean Hackers Now Targeting macOS Users in Brazen Crypto Malware Onslaught
Mac users in crypto—you're officially on notice. North Korea's cybercriminals have pivoted from Windows exploits to sophisticated macOS attacks, hunting digital asset firms with surgical precision.
How they're breaking in
The malware bypasses Apple's Gatekeeper protections via fake developer certificates—because nothing says 'trustworthy' like a DPRK-signed app. Once inside, it vacuums wallet credentials faster than a degenerate trader chasing leverage.
Why crypto? Same reason banks have vaults
With $2B stolen from DeFi in 2024 alone, hackers treat crypto firms like an all-you-can-steal buffet. Meanwhile, traditional finance still thinks 'blockchain' is a new type of bike lock.
Stay paranoid out there
Update your OS, triple-check downloads, and maybe—just maybe—stop clicking 'allow' on every pop-up. Your cold wallet will thank you.
North Korean hackers responsible
Sentinel Labs has attributed the campaign to a North Korea-aligned threat actor, continuing a pattern of crypto-focused cyberattacks by the Democratic People’s Republic of Korea.
Hacking groups such as Lazarus have long targeted digital asset companies in efforts to bypass international sanctions and fund state operations. Previous operations have seen malware written in Go and Rust, but this campaign marks one of the first major deployments of Nim against macOS targets.
As previously reported by crypto.news, in late 2023, researchers observed another DPRK-linked campaign that deployed a Python-based malware known as Kandykorn. It was distributed through Discord servers disguised as a crypto arbitrage bot and primarily targeted blockchain engineers using macOS.
Sentinel Labs has warned that as threat actors increasingly adopt obscure programming languages and sophisticated techniques, traditional security assumptions around macOS are no longer valid.
In recent months, several malware strains have targeted Apple users, including SparkKitty, which stole seed phrases via photo galleries on iOS, and a trojan that replaced wallet apps on macOS with malicious versions.