North Korean Hackers Exploit Fake US Companies to Target Crypto Developers

North Korean hackers linked to the Lazarus Group have set up fake U.S.-registered companies to push malware at cryptocurrency developers, according to a report by cybersecurity firm Silent Push. The actors established three front companies, two of them registered in the U.S., to run a campaign aimed at compromising crypto wallets and stealing credentials from the developers who hold them.

The Deceptive Setup: Fake Companies as Trojan Horses

The Lazarus subgroup tracked as Contagious Interview ran the operation. It created BlockNovas LLC, registered in New Mexico, and SoftGlide LLC, registered in New York, along with a third entity, Angeloper Agency, which has no U.S. registration. The companies served as fronts for distributing malware through fake job-interview lures aimed at cryptocurrency developers.

Domains such as lianxinxiao[.]com, blocknovas[.]com, and apply-blocknovas[.]site hosted the operation's infrastructure. Silent Push researchers found that the hackers used AI-generated employee profiles and fabricated business addresses to make the entities look real. Those details are what let a front company survive the casual background check a candidate might run before accepting an interview.

The Modus Operandi: Job Offers as Cyber Weapons

The purpose of the fake companies was to deliver malware to cryptocurrency developers. Posing as employers, the hackers walked job seekers through an interview process that ended with them downloading malicious software disguised as job application materials, such as a coding assignment or a test project. Once run, the malware executes with the developer's own privileges, so everything that developer can reach, from wallet files and browser extension data to SSH keys and deployment credentials, becomes reachable by the attackers.

This tactic fits Lazarus's long record of using fake job offers as an initial access vector. The best-known case is the March 2022 Ronin Bridge hack of Axie Infinity, which followed a fake job offer to a Sky Mavis engineer and resulted in the theft of roughly $625 million in ETH and USDC. In June 2022 the group drained about $100 million from Harmony's Horizon Bridge.

Since 2017, Lazarus has stolen more than $3 billion in cryptocurrency, according to estimates from the U.N. and Chainalysis. Several of the largest thefts, Ronin among them, began with a job lure, which is why the group keeps reusing the approach.

Why Cryptocurrency Developers Are Prime Targets

Cryptocurrency developers are high-value targets because they often hold access to production infrastructure: signing keys, validator nodes, deployment pipelines and multisig wallets. Compromising one developer's workstation can hand the attacker that same access, which is how a single successful lure turns into a bridge-scale theft. The stolen funds are then hard to recover rather than hard to trace: on-chain transfers are irreversible, and once the proceeds pass through mixers and cross-chain swaps they are difficult to seize, which raises the payoff for a state-sponsored group like Lazarus.

Lessons for the Crypto Community

This latest report is another reminder of how the threats facing the cryptocurrency industry are evolving. Developers and job seekers should treat any unsolicited take-home assignment or interview "test project" as untrusted code: verify the company's registration and the recruiter's identity through channels the recruiter did not supply, run the assignment only in a disposable virtual machine, and never on a machine that holds wallet or signing keys. Employers should assume that some of their engineers will be approached this way and keep production keys off developer laptops, so that one compromised workstation cannot become a compromised treasury.
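The quickest practical check before running an interview assignment is a static look at what the project does on install and at runtime. The script below is an added example, not code from Silent Push or from the original article; it assumes the lure arrives as a small Node.js project (a common shape for take-home tasks), and the sample project it builds is constructed for the demonstration. It flags npm lifecycle hooks, dynamic code execution, long encoded blobs, and any reference to the domains named above.

```python
"""Static triage for an unfamiliar "coding assignment" archive.

Added example, not code from Silent Push or the original article. Assumes a
Node.js project layout; the sample project built below is constructed for
the demo and is not a real lure.
"""
import base64
import json
import os
import re
import tempfile

# Domains named in the Silent Push reporting (defanged in the article).
KNOWN_BAD_DOMAINS = {"lianxinxiao.com", "blocknovas.com", "apply-blocknovas.site"}

# npm lifecycle hooks that run automatically on `npm install`.
LIFECYCLE_HOOKS = {"preinstall", "install", "postinstall", "prepare"}

SOURCE_EXT = {".js", ".mjs", ".cjs", ".ts", ".json"}
DYNAMIC_EXEC = re.compile(r"\b(eval|Function|require\(['\"]child_process['\"]\))\s*\(")
LONG_BLOB = re.compile(r"['\"][A-Za-z0-9+/=]{120,}['\"]")
DOMAIN = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.IGNORECASE)


def scan_file(path):
    """Return (rule, path, detail) tuples for one source file."""
    findings = []
    with open(path, encoding="utf-8", errors="replace") as fh:
        text = fh.read()
    if os.path.basename(path) == "package.json":
        try:
            scripts = json.loads(text).get("scripts", {})
        except json.JSONDecodeError:
            scripts = {}
        for hook in sorted(LIFECYCLE_HOOKS & set(scripts)):
            findings.append(("lifecycle_hook", path, f"{hook}: {scripts[hook]}"))
    exec_hit = DYNAMIC_EXEC.search(text)
    if exec_hit:
        findings.append(("dynamic_exec", path, exec_hit.group(0)))
    blob_hit = LONG_BLOB.search(text)
    if blob_hit:
        findings.append(("long_encoded_blob", path, f"{len(blob_hit.group(0))} chars"))
    for dom in sorted({d.lower() for d in DOMAIN.findall(text)}):
        if dom in KNOWN_BAD_DOMAINS:
            findings.append(("known_bad_domain", path, dom))
    return findings


def scan_tree(root):
    """Walk the project (skipping node_modules) and collect all findings."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d != "node_modules"]
        for name in filenames:
            if os.path.splitext(name)[1] in SOURCE_EXT:
                findings.extend(scan_file(os.path.join(dirpath, name)))
    return findings


def summarize(findings):
    """Count findings per rule; an empty dict means nothing was flagged."""
    counts = {}
    for rule, _, _ in findings:
        counts[rule] = counts.get(rule, 0) + 1
    return counts


def build_sample_project():
    """Constructed sample: an assignment repo with a hidden install-time loader."""
    root = tempfile.mkdtemp(prefix="assignment-")
    os.makedirs(os.path.join(root, "src"))
    pkg = {"name": "frontend-task",
           "scripts": {"test": "jest", "postinstall": "node src/setup.js"}}
    with open(os.path.join(root, "package.json"), "w") as fh:
        json.dump(pkg, fh)
    # Loader that decodes a base64 blob and evals it; the blob is filler here.
    blob = base64.b64encode(b"//" + b"A" * 200).decode()
    loader = ("const u = 'https://apply-blocknovas.site/api/config';\n"
              f"const payload = Buffer.from('{blob}', 'base64').toString();\n"
              "eval(payload);\n")
    with open(os.path.join(root, "src", "setup.js"), "w") as fh:
        fh.write(loader)
    with open(os.path.join(root, "src", "app.js"), "w") as fh:
        fh.write("module.exports = () => 'hello';\n")
    return root


if __name__ == "__main__":
    project = build_sample_project()
    for rule, path, detail in scan_tree(project):
        print(f"{rule:18} {os.path.relpath(path, project):16} {detail}")
```

Any finding is a reason to stop and look, not a verdict: legitimate projects use postinstall hooks too. The point of the check is that a take-home task has no business needing a lifecycle hook, an eval over a decoded blob, or an outbound fetch to a domain that did not come up in the interview, and a two-minute scan surfaces all three before `npm install` runs them.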

From our perspective as a crypto-focused website, the use of AI-generated personas and registered shell companies raises the bar for what counts as due diligence on a prospective employer. Staying informed and treating every interview artifact as untrusted until proven otherwise is how the community limits the damage groups like Lazarus can do.