North Korea-linked malware drains crypto
- ReversingLabs says a North Korea-linked campaign slipped AI-written malware into the open-source crypto bot openpaw-graveyard, turning one February code commit into wallet theft.
- The payload hid behind npm packages like PromptMink and @validate-sdk/v2. TRM Labs ties North Korea-linked hackers to 76% of 2026 crypto hack losses through April, with two April attacks alone accounting for about $577 million.
- The bigger problem is finality: once a seed phrase leaks, users usually need an entirely new wallet.
Crypto theft usually sounds like a smart-contract bug or an exchange getting popped. But this story is uglier. The attackers went after the software supply chain — the code developers pull into their own tools — and then went after the one thing that matters most in self-custody: wallet credentials. What changed this week is that researchers tied one of those campaigns to a North Korea-linked cluster and showed how AI-generated code helped the trap get into a real open-source crypto project. (reversinglabs.com)

### What actually got infected?

The project was openpaw-graveyard, an open-source autonomous crypto trading agent. ReversingLabs says a February 2026 commit added malicious npm dependencies, including a package it calls PromptMink and another disguised as a normal validator package, @validate-sdk/v2. The point was not sabotage for its own sake. The code was built to leak credentials and open the door to wallet theft and broader system access. (reversinglabs.com)

### Where does Claude fit in?

The weird part is that the malicious commit appears to have been generated with Anthropic’s Claude Opus. That does not mean Claude “decided” to hack anyone. It means the attackers used an LLM as a coding tool and got the result merged into a real dependency chain. ReversingLabs’ read is that this group has become good at tricking not just […] supply-chain attacks. (reversinglabs.com)

### Why would North Korea care about a small code package?

Because crypto theft is a state-scale revenue stream for Pyongyang-linked operators. TRM Labs says North Korea-linked hackers were tied to 76% of all crypto hack losses in 2026 through April. The striking part is concentration — just two April attacks, on Drift Protocol and KelpDAO, accounted for about $577 million. […] intrusions, or automate follow-on theft. (trmlabs.com)

### Why is a stolen seed phrase so dangerous?

Because a seed phrase is basically the master key to the wallet. If an attacker gets it, they do not need to keep hacking the same device. They can recreate the wallet elsewhere and move funds whenever they want. Security Alliance’s wallet-security guidance is blunt here — if a seed […]. (frameworks.securityalliance.org)

### Can’t the user just reset the wallet?

Not in the normal “change your password” sense. That is the catch with self-custody. A compromised seed phrase cannot be un-seen. You can generate a new wallet from a fresh seed phrase and move assets to it, but the old wallet, and every address derived from the old seed, should be treated as permanently unsafe. That is why malware aimed at credentials is so effective in crypto — the attackers are not stealing temporary access, they are stealing the root secret. (frameworks.securityalliance.org)

### Why does this feel different from older crypto scams?

Older scams often depended on phishing pages or fake support chats. This one also lives upstream, inside development tooling. Think of it like poisoning ingredients before the meal gets cooked. If a malicious package lands in a bot, wallet app, or developer environment, the theft can […] package provenance a lot more important than “don’t click weird links.” (reversinglabs.com)

### So what’s the bottom line?

This is not just another crypto hack. It is a reminder that North Korea-linked operators are mixing classic wallet theft with modern software-supply-chain tactics and AI-assisted coding. And in crypto, once the core secret leaks, the damage is not theoretical — the wallet is effectively burned. (reversinglabs.com)