Lazarus Group targets crypto professionals with new ‘OtterCookie’ malware

North Korea-linked hacking group Lazarus is reportedly using a new malware strain called OtterCookie to target people working in crypto and finance.

According to a June 6 alert posted on X by web3 security firm SlowMist, the group is reportedly using fake job interviews, deepfake recruiter videos, and malware-laced coding challenges to deliver the stealer malware. OtterCookie can extract browser-stored credentials, macOS Keychain passwords, digital certificates, and private keys from crypto wallets.

It enables attackers to quietly steal confidential data from targeted systems, especially macOS machines. The tactic is gaining traction as attackers rely less on large-scale exploits and more on highly targeted, social-engineering-based methods.

The latest malware appears to be part of Lazarus Group’s continuous efforts to penetrate the cryptocurrency industry. The group was responsible for February’s historic $1.5 billion Bybit hack, in which it compromised the exchange’s cold wallet signers through social engineering and spear phishing.

In recent months, Lazarus has also launched npm package attacks aimed at developer environments and wallet infrastructure, including Solana (SOL) and Exodus. In April, the FBI and cybersecurity firm Silent Push seized a fake website used by Lazarus, known as “Blocknovas,” which posed as a U.S.-based tech company to deliver malware through job scams.

According to SlowMist, crypto professionals should exercise caution when responding to unsolicited job or investment offers, particularly if they require downloading files or participating in video calls with strangers. Users should improve endpoint detection and response, refrain from running unknown binaries, and routinely check systems for unusual activity.
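The advice above (do not run unknown binaries, check systems for unusual activity) can be applied before a recruiter’s “coding challenge” is ever executed. The following script is an added example, not code from the article or from SlowMist: it walks a downloaded project tree, reports the npm lifecycle scripts that would run automatically on `npm install`, and flags source files that reference macOS Keychain, wallet or browser credential paths, or use dynamic `eval`. The patterns and the sample project are constructed heuristics for illustration, not indicators taken from OtterCookie samples.

```python
"""Pre-execution triage of an unsolicited coding-challenge project.

Added example (not from the article or SlowMist). Before anyone runs
`npm install` or opens a take-home assignment, list what would execute
automatically and which files touch credential stores. Patterns are
assumed heuristics; tune them for your environment.
"""
import json
import os
import re
import tempfile
from pathlib import Path

# npm runs these scripts without asking during `npm install`.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Heuristic indicators (assumed, not derived from real samples).
SUSPICIOUS_PATTERNS = {
    "dynamic-eval": re.compile(r"\beval\s*\(|new\s+Function\s*\("),
    "child-process": re.compile(r"child_process|execSync\s*\(|spawnSync\s*\("),
    "long-base64-blob": re.compile(r"[A-Za-z0-9+/]{200,}={0,2}"),
    "keychain-or-wallet-path": re.compile(
        r"Library/Keychains|login\.keychain|"
        r"Library/Application Support/Exodus|Local Extension Settings", re.I),
    "browser-credential-store": re.compile(r"Login Data|Local State|Cookies"),
}
SOURCE_EXT = {".js", ".mjs", ".cjs", ".ts", ".json", ".sh", ".py"}


def scan_package_json(path: Path) -> list:
    """Return one finding per lifecycle hook declared in a package.json."""
    try:
        data = json.loads(path.read_text(encoding="utf-8"))
    except (ValueError, OSError):
        return [("unparseable-package-json", str(path), "")]
    scripts = data.get("scripts", {}) if isinstance(data, dict) else {}
    return [("install-hook", str(path), f"{hook}: {scripts[hook]}")
            for hook in LIFECYCLE_HOOKS if hook in scripts]


def scan_source(path: Path) -> list:
    """Return (kind, file, snippet) for each heuristic that matches the file."""
    try:
        text = path.read_text(encoding="utf-8", errors="replace")
    except OSError:
        return []
    findings = []
    for kind, pattern in SUSPICIOUS_PATTERNS.items():
        m = pattern.search(text)
        if m:
            snippet = text[max(0, m.start() - 20):m.end() + 20].replace("\n", " ")
            findings.append((kind, str(path), snippet))
    return findings


def triage_project(root) -> list:
    """Walk the project (skipping node_modules/.git) and collect findings."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(Path(root)):
        dirnames[:] = [d for d in dirnames if d not in ("node_modules", ".git")]
        for name in filenames:
            p = Path(dirpath) / name
            if name == "package.json":
                findings.extend(scan_package_json(p))
            if p.suffix in SOURCE_EXT:
                findings.extend(scan_source(p))
    return findings


def build_sample_project(malicious: bool = True) -> Path:
    """Write a constructed sample project to a temp dir and return its path."""
    root = Path(tempfile.mkdtemp(prefix="challenge-"))
    (root / "index.js").write_text("module.exports = (a, b) => a + b;\n")
    scripts = {"test": "node index.js"}
    if malicious:  # constructed: install hook plus a loader touching the Keychain
        scripts["postinstall"] = "node setup.js"
        (root / "setup.js").write_text(
            'const os = require("os");\n'
            'const kc = os.homedir() + "/Library/Keychains/login.keychain-db";\n'
            'eval(Buffer.from("Y29uc29sZS5sb2coImhpIik=", "base64").toString());\n'
        )
    (root / "package.json").write_text(
        json.dumps({"name": "challenge", "scripts": scripts}))
    return root


if __name__ == "__main__":
    for kind, path, detail in triage_project(build_sample_project()):
        print(f"[{kind}] {path}: {detail}")
```

Run it against the unpacked challenge directory instead of the constructed sample; any `install-hook` finding means code runs the moment `npm install` is typed, which is the point at which a victim on this page's account hands over Keychain and wallet material. Treat the output as a reason to inspect in a disposable VM, not as proof of safety when empty.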

So far this year, the crypto industry has taken the heaviest hit from high-profile hacks. Q1 losses amounted to more than $1.6 billion, and the trend appears to be continuing. PeckShield estimates that losses from hacks totaled $244.1 million in May. Two of the largest incidents were the $220 million Cetus Protocol hack and the $12 million Cork Protocol exploit.
