AInvest Newsletter
Daily stocks & crypto headlines, free to your inbox
North Korean hackers have been identified as setting up fake U.S. businesses to target cryptocurrency developers. The Lazarus Group, a subgroup of the North Korea-linked hacker organization, established three companies (BlockNovas, Angeloper Agency, and SoftGlide) to distribute malware through fake job interviews. These companies were registered as legitimate businesses in the U.S., and their websites, along with a network of accounts on hiring and recruiting platforms, were used to trick developers into applying for jobs. During the job application process, an error message would prompt users to click, copy, and paste to fix it, leading to malware infection.
The malware used in this campaign includes BeaverTail, InvisibleFerret, and OtterCookie. BeaverTail is designed for information theft and to load further stages of malware, while OtterCookie and InvisibleFerret target sensitive information, including crypto wallet keys and clipboard data. The hackers use AI-generated images to create profiles of fake employees and steal images of real people to enhance the authenticity of their ruse. This campaign has been ongoing since 2024, with known public victims, including at least one developer who had their MetaMask wallet compromised.
The Federal Bureau of Investigation (FBI) has taken action by seizing the BlockNovas domain, but SoftGlide and some of the group's other infrastructure remain active. The Lazarus Group is suspected in some of the biggest cyber thefts in the Web3 space, including the $1.4 billion Bybit hack and the $600 million Ronin network hack. The group exploits legal loopholes to bypass sanctions and targets digital assets with malware, posing as potential employers and using fake meeting invites to deliver its malicious software.
This is just the latest example of North Korea's cyber operations, which one FBI official described as “perhaps one of the most advanced persistent threats” facing the United States. North Korea's Lazarus Group, which was responsible for February's $1.4 billion hack of crypto exchange Bybit, is now thought to be branching out into phishing campaigns targeting the crypto industry. Earlier this month, Manta co-founder Kenny was targeted by a phishing attempt that bore the hallmarks of Lazarus Group's MO, using a fake Zoom call as a vector to distribute malware. And a recent report found that North Korean IT workers are infiltrating teams across the U.S., UK, Germany, and Serbia, using fake resumes and forged documents to pose as legitimate developers.
The FBI said that it continues to "focus on imposing risks and consequences, not only on the DPRK actors themselves, but anybody who is facilitating their ability to conduct these schemes."
