North Korean hackers target users of top Ethereum wallet MetaMask


North Korean criminals are now more aggressive and effective in their attempts to target users of the most popular Ethereum (ETH) wallet, MetaMask, new research has shown, detailing how the attackers operate.

Cybersecurity researcher Seongsu Park published a report on the Contagious Interview campaign, allegedly orchestrated by North Koreans and targeting people in the cryptoasset and AI industries.

In the Contagious Interview campaign, threat actors are attempting to spread malware while conducting fake job interviews. Now, they are using new techniques designed to steal sensitive data and, subsequently, funds from their victims.


According to Park, while the criminals use two primary malware families, BeaverTail and InvisibleFerret, the BeaverTail variant "remains one of the most actively deployed malware tools" by Democratic People's Republic of Korea (DPRK)-affiliated threat actors stealing funds.

What’s more, the researcher found that the tools used by the criminals are being constantly updated. By incorporating manipulation of the MetaMask wallet extension, they have made this threat campaign more aggressive and effective in stealing cryptoassets.

In a technical breakdown, the researcher explained that after the initial steps, criminals deploy a script designed to manipulate the victim’s MetaMask wallet.

"The malware specifically targets the MetaMask cryptocurrency wallet extension, modifying browser configuration files to inject attacker-controlled code that intercepts wallet’s key," Park said.

He found that, while the MetaMask extension contains thousands of lines of code, the criminals inject only a handful of lines, which makes the modification harder to spot.

The trojanized MetaMask wallet then allows the attackers to capture the master password when the victim unlocks the wallet, and after a few additional steps, they obtain seed phrases and use them to steal the funds.
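The tampering described above, a few injected lines inside an extension made of thousands of lines of code, is the kind of change a file-integrity check catches well: record a hash of every file in a clean install of the extension, then periodically compare the live directory against that baseline. The script below is an added example, not code from the report or from MetaMask; it builds a constructed mock extension directory in a temporary folder, baselines it, simulates a small change, and reports what differs. The directory layout, file names and the "mock wallet" manifest are assumptions for the demo.

```python
"""Detect tampering in an installed browser-extension directory by comparing
per-file SHA-256 hashes against a baseline taken from a clean install.
Added example: not from the report or the MetaMask project."""
import hashlib
import json
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large bundles do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(ext_dir: Path) -> dict:
    """Map every file under ext_dir (relative POSIX path) to its SHA-256 hash."""
    result = {}
    for p in sorted(ext_dir.rglob("*")):
        if p.is_file():
            result[p.relative_to(ext_dir).as_posix()] = hash_file(p)
    return result


def compare(baseline: dict, current: dict) -> dict:
    """Report files whose hash changed, files that appeared, and files that vanished.
    Any non-empty list means the install no longer matches the clean baseline."""
    return {
        "modified": sorted(k for k in baseline if k in current and baseline[k] != current[k]),
        "added": sorted(k for k in current if k not in baseline),
        "removed": sorted(k for k in baseline if k not in current),
    }


def save_baseline(baseline: dict, out: Path) -> None:
    """Persist the baseline as JSON; in practice keep this copy off the monitored host."""
    out.write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(src: Path) -> dict:
    return json.loads(src.read_text())


def demo() -> dict:
    """Constructed scenario: a mock extension with one large script, a baseline,
    then a few appended lines and one new file. Returns the comparison result."""
    with tempfile.TemporaryDirectory() as tmp:
        ext = Path(tmp) / "mock-wallet-extension"  # assumed layout for the demo
        (ext / "scripts").mkdir(parents=True)
        (ext / "manifest.json").write_text(
            json.dumps({"name": "mock wallet", "version": "1.0.0"})
        )
        # a large bundle: thousands of identical lines stand in for real code
        (ext / "scripts" / "background.js").write_text(
            "// mock background script\n" + "noop();\n" * 3000
        )

        baseline_path = Path(tmp) / "baseline.json"
        save_baseline(snapshot(ext), baseline_path)

        # constructed change: a few lines appended to the big file, plus a new file
        with (ext / "scripts" / "background.js").open("a") as f:
            f.write("// three short lines\n// appended after\n// the baseline\n")
        (ext / "scripts" / "extra.js").write_text("// new file not in baseline\n")

        return compare(load_baseline(baseline_path), snapshot(ext))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

A hash comparison is indifferent to how small the change is: three appended lines flip the hash as surely as a rewrite. The baseline should be taken from a package obtained through the official store, not from whatever is currently on disk, and stored somewhere the host cannot silently overwrite; the check is only as trustworthy as that reference copy.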


"Great analysis here. Super relevant for anyone building extensions used by people routinely targeted by DPRK," Taylor Monahan, security expert and researcher at MetaMask, reacted, adding that criminals "will always find new ways to abuse your product and circumvent any controls you have in place."

"If you don’t care enough to stop them, they will undermine everything [you’re] trying to achieve," Monahan emphasized, urging teams to keep improving their products and operations.
