North Korean hackers linked to the state’s notorious Lazarus Group have successfully set up shell companies within the United States to distribute malware to cryptocurrency developers, in a scheme that violates US sanctions and exposes major vulnerabilities in business registration systems.
According to Reuters, cybersecurity firm Silent Push revealed that two companies—Blocknovas LLC in New Mexico and Softglide LLC in New York—were formed using falsified names, addresses, and documentation, which helped North Korean actors pose as legitimate employers offering jobs in the crypto industry. A third entity, Angeloper Agency, has also been linked to the campaign but has not been registered in the country.
Scam Job Offers, Empty Lots, and Malware
Silent Push attributed the operation to a subgroup within the Lazarus Group, a state-sponsored hacking unit operating under North Korea’s Reconnaissance General Bureau. The group is known for its role in high-profile cyber thefts and espionage activities.
In this campaign, the hackers used fake professional profiles and job postings to approach developers, primarily on platforms such as LinkedIn. Once contact was made, victims were invited to “interviews” where they were encouraged to download malware disguised as hiring software or technical assessments.
Blocknovas was the most active entity, with multiple confirmed victims. Its listed physical address in South Carolina was found to be an empty lot. Meanwhile, Softglide was registered through a Buffalo-based tax preparation service, which further complicated efforts to trace those behind the operations. The malware used included strains previously attributed to North Korean cyber units, capable of data theft, remote access, and further network infiltration.
The FBI has seized the Blocknovas domain, with a notice on its website indicating it was used to deceive job seekers and spread malware.
North Korean Malware Trap
The Lazarus Group has repeatedly exploited fake employment opportunities to deliver malware. For instance, it had launched a cyber campaign called “ClickFix” targeting job seekers in the centralized finance (CeFi) crypto sector. Cybersecurity firm Sekoia recently revealed that the group impersonates companies like Coinbase and Tether to lure marketing and business applicants into fake interviews.
One of Lazarus’s biggest crypto thefts came in 2021, when a bogus job offer led to the $625 million Ronin Bridge hack targeting Axie Infinity.
Binance Free $600 (CryptoPotato Exclusive): Use this link to register a new account and receive $600 exclusive welcome offer on Binance (full details).
LIMITED OFFER for CryptoPotato readers at Bybit: Use this link to register and open a $500 FREE position on any coin!
