BanklessTimes

North Korea’s Lazarus Group Sets Up Fake US Companies to Target Crypto Devs

Hyomi Song
Hyomi is a freelance writer who is passionate about cryptocurrency and blockchain technology. She is dedicated to driving innovation and fostering widespread adoption within the industry as her writing captures how we interact with digital assets.
April 25th, 2025

In a bold cyber campaign, North Korea's notorious Lazarus Group has been caught establishing fake U.S.-based companies. According to a recent Reuters report, the aim was to phish unsuspecting crypto developers and compromise their digital wallets.

The hackers registered fictitious firms, Blocknovas LLC in New Mexico and Softglide LLC in New York, using fake identities and addresses. A third entity, Angeloper Agency, has also been tied to the scheme, though it lacks official U.S. registration. These were not hollow shells that existed only on paper: they maintained legitimate-looking online presences, posted developer job listings, and ran seemingly standard hiring processes.

Sophisticated Social Engineering 

The operation involved targeted phishing attacks disguised as job recruitment efforts. Posing as U.S. tech startups, the Lazarus front companies created credible LinkedIn and Upwork profiles, luring crypto developers into fake interview processes. Once developers engaged, they were instructed to download test files or developer tools, which were actually malware-laced executables.

Once installed, the malware provided remote access to the victim’s system. Hackers then exfiltrated sensitive data, such as crypto wallet keys, browser-stored passwords, and access credentials for key developer platforms. According to Silent Push, this is one of the first known instances of North Korean hackers setting up legally registered U.S. entities. 

FBI Steps In 

The FBI has since seized the domain associated with Blocknovas LLC as part of a broader crackdown on North Korea’s cyber operations. An FBI spokesperson stated the bureau is committed to imposing “risks and consequences not only on DPRK actors themselves, but on anyone facilitating their schemes.”

Kasey Best, director of threat intelligence at Silent Push, emphasized the seriousness of the campaign, noting that multiple victims have already been confirmed. “They weren’t just using fake resumes or phishing emails,” Best explained. “They went all-in with U.S. company registrations, domains, and social accounts. It’s a new level of operational sophistication.”

To obscure their origin, Lazarus operatives reportedly routed attacks through Russian infrastructure, using IP addresses in Khasan and Khabarovsk, two areas with direct ties to North Korea. VPN and proxy services such as Astrill and CCProxy carried their command-and-control traffic, and the same infrastructure was used to log in to platforms including GitHub, Upwork, and Telegram.

Silent Push researchers also uncovered training materials, including seven instructional videos created by Blocknovas-affiliated accounts. These tutorials covered how to build C2 servers and extract browser-stored passwords. There were also guides on uploading stolen data to Dropbox and on cracking crypto wallet passwords with hashcat-based tooling such as Hashtopolis.

While the immediate objective of these operations appears to be financial theft, there are signs the damage may go deeper. Some stolen credentials may have been transferred to other state-aligned units, potentially for espionage and long-term infiltration.

