
Lazarus Group Targets Crypto Devs Using U.S. Companies

  • North Korean hackers used shell companies to target crypto developers with malware attacks.
  • BlockNovas and SoftGlide were set up using fake identities, violating U.S. and U.N. sanctions.
  • The operation aimed to steal wallet credentials by offering fake job interviews.

North Korean hackers have taken a new approach in targeting the cryptocurrency sector, using U.S.-based companies as cover. According to researchers from Silent Push, a cybersecurity firm, hackers linked to the Lazarus Group legally registered two shell companies in the United States. These entities were used to deploy malware against unsuspecting cryptocurrency developers.

The companies, BlockNovas LLC and SoftGlide LLC, were registered in New Mexico and New York using fake names and addresses. A third group, Angeloper Agency, was linked to the operation but not registered in the U.S. BlockNovas listed a vacant lot in South Carolina as its address. SoftGlide was registered using the name of a small tax office in Buffalo, New York.

Silent Push said the operation targeted crypto developers with fake job offers. These offers were designed to trick victims into downloading malware. The malware was designed to steal crypto wallet credentials and developer passwords, which could be used in further attacks. The campaign reportedly used three strains of malware: BeaverTail, InvisibleFerret, and OtterCookie, all of which were previously tied to North Korean cyber operations.

Researchers believe these hackers are part of a subgroup within the Lazarus Group. This elite hacking unit operates under the Reconnaissance General Bureau, North Korea’s main intelligence agency. The FBI has not commented directly on the companies, but it seized BlockNovas’ domain this week.

A seizure notice now appears on the BlockNovas website. It states North Korean cyber actors used the domain to deceive job seekers and distribute malicious code. The FBI said it is committed to holding not just the hackers accountable but also anyone who helps enable their attacks. Silent Push, which identified multiple victims linked to the BlockNovas campaign, described it as the most active front among the three.

North Korea’s mission to the United Nations has yet to respond to the allegations. U.S. sanctions ban all North Korean commercial activity within the United States, and such operations also breach U.N. sanctions prohibiting support for North Korea’s government or military.

Officials said the companies were properly registered through official online channels. However, state offices had no way of knowing their connection to North Korea. The discovery signals a dangerous shift in how nation-state hackers operate, now working from within U.S. borders to breach the crypto industry.
