A new cybersecurity report has uncovered a covert operation by North Korea’s infamous Lazarus Group, revealing that the state-backed hacking unit established fake U.S. businesses to target cryptocurrency developers with malware. According to findings from Silent Push and reporting by Reuters, the operation involved setting up two fraudulent companies—Blocknovas LLC in New Mexico and Softglide LLC in New York—as fronts to infiltrate the crypto industry.
These shell entities were meticulously crafted to appear legitimate, enabling the attackers to pose as potential employers or business partners. Once contact was initiated, victims were lured into fake job interviews or project discussions, during which the hackers deployed malicious software designed to extract sensitive data, including crypto wallet credentials, authentication keys, and login information.
The campaign marks yet another chapter in Lazarus Group’s increasingly sophisticated efforts to exploit the global crypto economy—both to bypass international sanctions and funnel illicit funds back into the North Korean regime.
FBI Seizes Blocknovas Website Used in the Campaign
The FBI has since seized the web domain tied to Blocknovas as part of its broader crackdown on state-sponsored cyber threats. According to Silent Push, Blocknovas was the most active front company in the campaign, responsible for the majority of confirmed compromise attempts. Alongside Blocknovas, Silent Push tied two further entities to the operation: Softglide LLC and an unregistered outfit calling itself Angeloper Agency.
The attackers used convincing fake identities and professional-looking outreach to pose as recruiters, offering job interviews and collaboration opportunities via platforms like Zoom. Once trust was established, malware was deployed to infiltrate the victim’s system and steal sensitive credentials.
Lazarus Group Shifts Tactics: From Exchange Heists to Targeted Espionage
This campaign follows Lazarus Group's high-profile theft of $1.4 billion from crypto exchange Bybit earlier this year. The new activity signals a shift in emphasis, away from large-scale exchange hacks and toward highly targeted social engineering against individual developers.
Earlier this month, Manta Network co-founder Kenny Li reported an attempted attack in which a Zoom call was used as the pretext for delivering malware, consistent with Lazarus's emerging playbook. Across North America and Europe, cybersecurity experts have documented cases of North Korean operatives posing as remote developers, using fake résumés, forged IDs, and aliases to infiltrate Web3 teams and DeFi startups.
These embedded operatives not only gain insider access to sensitive platforms but also generate revenue for the regime, circumventing economic sanctions through decentralized financial systems.
Quick Facts
- North Korea’s Lazarus Group created fake U.S. companies, Blocknovas LLC and Softglide LLC, to target crypto developers.
- The scheme used malware disguised as job offers to steal wallet credentials and system data.
- The FBI has seized Blocknovas’s domain to disrupt the campaign.
- The tactic reflects a shift from large-scale heists to tailored social engineering attacks by North Korean cyber operatives.