Fake Job Scam “GraphAlgo” Targets Blockchain Developers on Social Media
GraphAlgo Campaign Targets Blockchain Developers with Fake Job Offers
In a recent discovery, researchers at ReversingLabs identified a sophisticated phishing operation aimed at blockchain developers through fake job offers.
This campaign, dubbed GraphAlgo, involves creating the illusion of a legitimate business to lure victims into downloading malware.
According to ReversingLabs, the operation is linked to the North Korea-connected Lazarus Group.
The operation relies on a complex scheme involving fake job postings, official state documents, and manipulated code.
The attackers create fake companies, including one called “veltrix-capital,” which distributes a malicious package called “bigmathutils.”
This package contains a remote access Trojan (RAT) that matches the payload seen in the earlier GraphAlgo campaign.
According to ReversingLabs, the attackers hide malware in release artifacts on GitHub, a popular platform for open-source software collaboration.
They also rewrite the git log to falsify the development history of the code, so that fake employees, Dmytro Buryma and Karina Lesova, appear to have contributed to projects over several months. The fabricated history is meant to establish trust among potential victims.
Additionally, the operation uses typosquatting, creating a fake GitHub account that resembles that of a genuine developer, Jordan Harband.
This tactic aims to mislead developers into trusting the fake account and executing malicious code.
ReversingLabs initially reported the GraphAlgo campaign in February 2026, indicating it had been active since at least June 2025.
Despite improvements in the attackers’ methods, the campaign continued to operate until late 2025.
The researchers advise developers to exercise caution when running code for job tests, suggesting the use of a sandbox environment as a defense mechanism.
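The git log rewriting described above can sometimes be spotted before any code is run. The following is an added example, not code from ReversingLabs or from the campaign: it flags a history whose author dates span months while the committer dates fall in one short burst. The thresholds and sample logs are assumptions, and because committer dates can also be forged (for example via `GIT_COMMITTER_DATE`) and a legitimate rebase produces the same pattern, a hit is a triage signal rather than proof.

```python
# Added example (not ReversingLabs' tooling): flag a git history whose author
# dates span months while the commits were actually created in one short burst.
# Input format:  git log --format='%H|%an|%at|%ct'   (%at/%ct are Unix epochs)
from dataclasses import dataclass

DAY = 86400

@dataclass
class HistoryReport:
    commits: int
    author_span_days: float
    committer_span_days: float
    skewed: int        # commits authored more than max_skew_days before commit time
    suspicious: bool

def parse_log(text):
    rows = []
    for line in text.strip().splitlines():
        try:
            sha, rest = line.strip().split("|", 1)
            author, at, ct = rest.rsplit("|", 2)   # author names may contain "|"
            rows.append((sha, author, int(at), int(ct)))
        except ValueError:
            continue                               # skip malformed lines
    return rows

def analyze(text, min_author_span_days=30, max_committer_span_days=2, max_skew_days=7):
    rows = parse_log(text)
    if len(rows) < 2:
        return HistoryReport(len(rows), 0.0, 0.0, 0, False)
    a_times = [r[2] for r in rows]
    c_times = [r[3] for r in rows]
    a_span = (max(a_times) - min(a_times)) / DAY
    c_span = (max(c_times) - min(c_times)) / DAY
    skewed = sum(1 for _, _, at, ct in rows if ct - at > max_skew_days * DAY)
    # Months of claimed work, all committed within a couple of days: backfill pattern.
    suspicious = a_span >= min_author_span_days and c_span <= max_committer_span_days
    return HistoryReport(len(rows), a_span, c_span, skewed, suspicious)

# Constructed sample logs (hashes, names and timestamps are made up).
BACKFILLED = """a1|Dev One|1748736000|1760000000
a2|Dev Two|1751328000|1760000600
a3|Dev One|1753920000|1760001200
a4|Dev Two|1756512000|1760001800"""
ORGANIC = """b1|Dev One|1748736000|1748736050
b2|Dev One|1751328000|1751328100
b3|Dev Two|1753920000|1753920000"""

if __name__ == "__main__":
    for name, log in (("backfilled", BACKFILLED), ("organic", ORGANIC)):
        print(name, analyze(log))
```

Run it on a fresh clone inside the sandbox, before building or executing anything from the repository.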