Hackers suspected of belonging to the North Korea-linked Lazarus Group used a new kind of malicious JavaScript to steal digital money from online retailers that accept cryptocurrencies for payment, security firm Group-IB warned in a report this week.

The hackers planted the code in online shopping websites, some of which had already been infected with so-called skimming malware that steals credit card information from customers. Group-IB researchers called the campaign “BTC Changer” — and payments made to retailers went to Lazarus’ cryptocurrency wallets instead.

“BTC Changer marks the first time that a threat actor used malicious