From primitive crypto theft to sophisticated AI-based deception

Nov. 10, 2025, 12:05 p.m.

Description

The North Korea-aligned threat actor DeceptiveDevelopment uses social engineering to target software developers, especially those working on cryptocurrency and Web3 projects. The group lures victims with fake job offers and trojanized coding challenges that deliver malware such as BeaverTail and InvisibleFerret, and its toolset has since expanded to include more sophisticated tools such as TsunamiKit and AkdoorTea. DeceptiveDevelopment is connected to North Korean IT worker fraud campaigns, with the two groups collaborating and sharing information. The IT workers use AI-generated fake identities and proxy interviewers to secure remote jobs, posing risks to the employers who hire them. This hybrid threat combines traditional fraud with cybercrime, blurring the line between targeted APT activity and cybercrime.

Indicators

  • n34kr3z26f3jzp4ckmwuv5ipqyatumdxhgjgsmucc65jac56khdy5zqd.onion

Attack Patterns

  • AkdoorTea
  • PostNapTea
  • TsunamiKit
  • WeaselStore
  • Tropidoor
  • OtterCookie
  • BeaverTail
  • InvisibleFerret
  • DeceptiveDevelopment

Additional Information

  • Technology
  • Finance
  • Albania
  • Poland
  • France
  • Ukraine
  • United States of America