TLDR
- North Korean hackers created fake US companies (Blocknovas and Softglide) to target crypto developers
- The operation is linked to Lazarus Group and used fake job postings to distribute malware
- Three malware strains were identified: BeaverTail, InvisibleFerret, and OtterCookie
- AI-generated images were used to create fake employee profiles
- The FBI has seized at least one domain (Blocknovas) as part of law enforcement action
North Korean hackers have established fake companies in the United States as part of a campaign to target and compromise developers in the cryptocurrency industry, according to security firm Silent Push. The operation, revealed on Thursday, shows how these threat actors are evolving their tactics to appear more legitimate while conducting cyber espionage and theft.
Two businesses, Blocknovas and Softglide, were created using fictitious identities and addresses in New York and New Mexico. A third company called Angeloper Agency was also identified as part of the scheme. Security researchers have linked this operation to a subgroup within the Lazarus Group known as “Contagious Interview.”
The North Korean-backed Lazarus Group has stolen billions of dollars' worth of cryptocurrency in recent years using increasingly complex techniques that target both individuals and companies.
Sophisticated Recruitment Scam
The hackers’ method is both manipulative and effective. They create fake LinkedIn-style profiles and post job listings to attract cryptocurrency developers. During the recruitment process, candidates are tricked into downloading malware disguised as job application tools.
“This is a rare example of North Korean hackers actually managing to set up legal corporate entities in the US in order to create corporate fronts used to attack unsuspecting job applicants,” said Kasey Best, director of threat intelligence at Silent Push.
When victims take part in the fake interviews, they encounter an error message when trying to record an introduction video. The “fix” the attackers offer requires the candidate to perform a “click, copy, and paste” action, which then infects their system with malware.
Silent Push identified multiple victims of the operation. The company found that Blocknovas was the most active of the three front companies. Its listed address in South Carolina appears to be an empty lot, while Softglide was registered through a tax office in Buffalo, New York.
Malware Arsenal and AI Deception
The campaign uses at least three malware strains previously attributed to North Korean cyber units: BeaverTail, InvisibleFerret, and OtterCookie.
BeaverTail is primarily designed for information theft and loading additional malware. OtterCookie and InvisibleFerret target sensitive information, including cryptocurrency wallet keys and clipboard data.
The programs can steal data, provide remote access to infected systems, and serve as entry points for additional spyware or ransomware. Security researchers confirmed that at least one victim had their MetaMask wallet compromised.
The hackers also used artificial intelligence to create convincing fake employee profiles. “There are numerous fake employees and stolen images from real people being used across this network,” said Zach Edwards, senior threat analyst at Silent Push.
Our team at Silent Push has been hard at work on the largest report we’ve ever made public – and along with Reuters – today we’re explaining how North Korean threat actors associated with the “Contagious Interview” subgroup created 3 front companies…
— Zach Edwards (@thezedwards) April 24, 2025
In some cases, the attackers took real photos of actual people and modified them using AI tools to create slightly different versions. This approach makes it harder to detect the fake profiles through reverse image searches.
Law Enforcement Response
The FBI has seized the Blocknovas domain as part of a law enforcement action against these North Korean cyber actors. A notice posted to the site states it was taken down “as part of a law enforcement action against North Korean cyber actors who utilized this domain to deceive individuals with fake job postings and distribute malware.”
However, according to Silent Push, while Blocknovas has been shut down, “Softglide is still live, along with some of their other infrastructure.”
This malware campaign has been ongoing since early 2024. The Lazarus Group is suspected in some of the biggest cyber thefts in the cryptocurrency space, including the Bybit $1.4 billion hack and the $600 million Ronin network hack.
At least three cryptocurrency founders reported in March that they foiled attempts from alleged North Korean hackers to steal sensitive data through fake Zoom calls, showing that these groups continue to adapt their tactics as security awareness increases.
The post North Korean Hackers Use US Shell Companies to Target Crypto Developers appeared first on Blockonomi.