North Korean Hackers Target Crypto Developers With Fake U.S. Companies

Generated by AI agent · Coin World
Saturday, April 26, 2025, 2:47 am ET · 1 min read

North Korean hackers associated with the notorious Lazarus Group have been orchestrating a complex scheme targeting cryptocurrency developers. The group established fake U.S. companies to distribute malware, aiming to steal sensitive data such as crypto wallet credentials. The investigation revealed three shell companies: BlockNovas LLC, SoftGlide LLC, and Angeloper Agency. Two of them, BlockNovas and SoftGlide, were legally registered in New Mexico and New York using fake identities.

The hackers posed as recruiters offering job opportunities to developers. The application process tricked victims into downloading malicious software, compromising their systems and exposing their cryptocurrency assets. The fake job offers were distributed through professional networking platforms and appeared legitimate to unsuspecting applicants. During the hiring process, applicants were asked to download a piece of software to fix an ‘error’ with recording an introductory video. This “fix” was a malware trap that, once installed, stole login credentials and crypto wallet keys.

Reports confirm that at least one known victim had their MetaMask wallet compromised. The operation was disrupted by the FBI seizing the BlockNovas domain. However, SoftGlide and other infrastructure of the scheme, such as domain names, remain active, posing ongoing risks. The campaign, which started in 2024, has already affected multiple victims. It is unusual for North Korean hackers to register U.S. legal businesses to conduct cyberattacks, knowingly violating U.S. Treasury and UN sanctions.

The Lazarus Group has a history of targeting the cryptocurrency industry. Since 2017, the group has been accused of stealing over $3 billion in digital assets, including the high-profile heist of $600 million from the Ronin Network in 2022. Their tactics often include social engineering, such as spear phishing and fake employment offers. In 2017, 200,000 systems across 150 countries were affected by the WannaCry ransomware attack, which has also been connected to the organization.

The latest operation highlights the ongoing threat from state-sponsored cyber actors. North Korea’s cyber efforts are acknowledged as some of the most advanced in the world, and the country uses these attacks to fund its regime, which is under international sanctions. The schemes add a new layer of complexity by using fake U.S. companies, making it harder for victims to realize they are being defrauded. Developers and companies in the crypto space are now advised to verify the legitimacy of job offers and be cautious about unsolicited software downloads.
