January 17, 2025
Operation 99, a recently uncovered campaign that targeted software engineers seeking freelance Web3 and cryptocurrency work, has been attributed to the North Korea-linked Lazarus Group. The campaign's goal was to distribute malware.
In research released today, Ryan Sherstobitoff, senior vice president of Threat Research and Intelligence at SecurityScorecard, said: “The campaign starts with fake recruiters, posing on platforms like LinkedIn, luring developers with project tests and code reviews.”
“A victim is led to clone a malicious GitLab repository ostensibly innocuous, yet rife with catastrophe after falling for the lure. The cloned code embeds malware into the victim’s environment by connecting to command-and-control (C2) servers.”
Campaign victims have been found all over the world, with Italy accounting for a sizable portion of the total. Argentina, Brazil, Egypt, France, Germany, India, Indonesia, Mexico, Pakistan, the Philippines, the United Kingdom, and the United States have fewer affected victims.
The campaign is named after the infected artifacts with version identifiers marked “pay99.” Although it lacks specific victimology information, SecurityScorecard tells The Nohack that the attackers had been successful in convincing the targeted developers to run the repository contents.
The cybersecurity company said the campaign, which it uncovered on January 9, 2025, specifically targets developers working in the Web3 and cryptocurrency domains and builds on the job-themed strategies SecurityScorecard previously observed in Lazarus operations such as Operation Dream Job (also known as NukeSped).
“This tactic continues to be effective because North Korean threat actors are constantly evolving their methods, making their job-themed lures increasingly sophisticated and authentic,” Sherstobitoff told the newspaper.
“They can create incredibly realistic circumstances that trick even watchful people by utilizing technological innovations like AI-generated profiles and realistic communication tactics. These strategies are constantly being improved, which increases their capacity to take advantage of people’s curiosity and trust.”
Operation 99 stands out because it lures developers with coding assignments as part of an elaborate fake hiring process, using fraudulent LinkedIn accounts to redirect developers to rogue GitLab repositories.
The ultimate objective of the attacks is to deploy data-stealing implants that can retrieve cryptocurrency wallet keys, source code, secrets, and other private information from development environments.
These include Main5346 and its variant Main99, which serves as a downloader for three additional payloads:
- Payload99/73 (and its functionally similar Payload5346), which collects system data (e.g., files and clipboard content), terminates web browser processes, executes arbitrary commands, and establishes a persistent connection to the C2 server
- Brow99/73, which steals data from web browsers to facilitate credential theft
- MCLIP, which monitors and exfiltrates keyboard and clipboard activity in real time
“By compromising developer accounts, attackers not only exfiltrate intellectual property but also gain access to cryptocurrency wallets, enabling direct financial theft,” the business stated. “The targeted theft of private and secret keys could lead to millions in stolen digital assets, furthering the Lazarus Group’s financial goals.”
The malware's modular architecture makes it adaptable and lets it operate on Linux, macOS, and Windows. It also underscores how dynamic and ever-changing nation-state cyber threats are. “For North Korea, hacking is a revenue-generating lifeline”