Ondo Finance A.I CyberSecurity Scoring
Ondo Finance
Company Information
Website:https://ondo.finance
Employees number:116
Number of followers:33,731
NAICS:52
Industry Type:Financial Services
Homepage:ondo.finance
Ondo Finance Risk Score (AI oriented)
Between 700 and 749
Ondo FinanceFinancial Services
Updated:
08/06/2026
08/06/2026
735/1000
Moderate
Ba
Ondo Finance Global Score (TPRM)
xxxx
Ondo FinanceFinancial Services
Score locked

Ondo FinanceModerate
Current Score
735Ba (MODERATE)
01000
1 incidents
-21 avg impact
Incident timeline with MITRE ATT&CK tactics, techniques, and mitigations.
JULY 2026
735
JUNE 2026
735
MAY 2026
734
APRIL 2026
754
Cyber Attack
01 Apr 2026 • Ondo Finance
NXLog, OnePlan, Hypen Connect, Empower Pharmacy, Valon and Ondo Finance: Norks blast 250+ fake job offers to developers over 6 weeks to try and snarf creds and crypto
North Korean-Linked Phishing Campaign Targets Developers in Credential and Crypto Theft Scheme (UNK_DeadDrop)
733
CRITICAL-21
ONENXLHYPINOONDEMP1780957588
North Korean-Linked Phishing Campaign Targets Developers in Credential and Crypto Theft Scheme
A newly identified phishing campaign, tracked as UNK_DeadDrop and suspected to be linked to North Korea, has targeted over 250 individuals across nearly 100 organizations primarily in the U.S. between April and May 2024. The operation, uncovered by Proofpoint threat researchers, aims to steal developer credentials and cryptocurrency wallets through deceptive job offers and code review requests.
### Attack Methodology
The campaign begins with unsolicited emails spoofing legitimate companies, including Ondo Finance, Empower Pharmacy, NXLog, OnePlan, Hypen Connect, Valon, and Nourish. These messages offer fake roles such as "Full-Stack Engineer" or "Agent Lead Developer" and direct victims to malicious GitHub repositories disguised as coding assignments or cryptocurrency projects.
In May, the attackers shifted tactics, sending peer-review requests for open-source projects under the guise of companies like Pulsynk and Trixauvex, or soliciting Ethereum smart contract testing via Foundry. When victims open the repositories in VS Code or Cursor, a pre-configured task executes, deploying cross-platform malware on Windows, macOS, and Linux.
### Malware Execution & Payloads
- Linux & macOS: The malware uses a Go-based backdoor derived from the Overlord C2 framework, a legitimate red-team tool repurposed for malicious use. It includes modules for:
- Browser credential theft (Chrome, Firefox, and Chromium-based browsers).
- Cryptocurrency wallet exfiltration (MetaMask, Phantom, Exodus, Ledger Live, etc.).
- Anti-forensic cleanup to remove traces.
On macOS, the malware displays a fake system password prompt to escalate privileges, while on Linux, it uses Zenity for credential harvesting.
- Windows: The attack runs as JavaScript within VS Code’s Electron process, targeting 35 wallet extensions, 18 standalone wallets, and browser profiles. It installs Python-based stealers to extract credentials, cookies, and encrypted browser data, then exfiltrates them to attacker-controlled servers.
### Infrastructure & Evolution
Unlike previous North Korean-linked campaigns (e.g., Contagious Interview), UNK_DeadDrop relies on email-based phishing rather than social media, suggesting a scaled, industrialized approach. The attackers maintain distinct infrastructure, using GitHub repositories themed around cryptocurrency, exploits, AI payments, and Foundry testing to lure victims.
### Impact & Implications
The campaign highlights North Korea’s evolving cybercrime tactics, shifting from high-touch social engineering to large-scale phishing for financial gain. The use of legitimate tools (Overlord, Foundry, GitHub) and cross-platform malware underscores the growing sophistication of state-aligned threat actors targeting developers, financial services, and tech firms.
INCIDENT DETAILS -
TYPE
MOTIVATION
IMPACT
DATA BREACH
REFERENCES
MARCH 2026
754
FEBRUARY 2026
754
JANUARY 2026
754
DECEMBER 2025
754
NOVEMBER 2025
754
OCTOBER 2025
754
SEPTEMBER 2025
754
AUGUST 2025
754
Frequently Asked Questions
?
What is the current A.I Rankiteo Cyber Score for Ondo Finance ??
What was Ondo Finance's A.I Rankiteo Cyber Score in June 2026 ??
What was Ondo Finance's A.I Rankiteo Cyber Score in May 2026 ??
What was Ondo Finance's A.I Rankiteo Cyber Score in April 2026 ??
What was Ondo Finance's A.I Rankiteo Cyber Score in March 2026 ??
What was Ondo Finance's A.I Rankiteo Cyber Score in February 2026 ??
What was Ondo Finance's A.I Rankiteo Cyber Score in January 2026 ??
What was Ondo Finance's A.I Rankiteo Cyber Score in December 2025 ??
What was Ondo Finance's A.I Rankiteo Cyber Score in November 2025 ??
What was Ondo Finance's A.I Rankiteo Cyber Score in October 2025 ??
What was Ondo Finance's A.I Rankiteo Cyber Score in September 2025 ??
What was Ondo Finance's A.I Rankiteo Cyber Score in August 2025 ??
What is the average per-incident point impact on Ondo Finance's A.I Rankiteo Cyber Score over the past 12 months ??
Where can I access detailed records of all cyber incidents associated with Ondo Finance ??
Where can I find a summary of the A.I Rankiteo Risk Scoring methodology ??
Where can I view Ondo Finance's profile page on Rankiteo ??
How accurate is the A.I Rankiteo Risk Scoring methodology ?