North Korea’s Lazarus Group registered fake US firms to target crypto developers

• Lazarus Group registered fictitious US companies to distribute malware to crypto developers under the guise of job recruitment.
• Malware was embedded in coding tests sent through legitimate platforms, such as LinkedIn, Upwork and Telegram.
• US authorities confirm the campaign is linked to North Korea’s broader effort to fund its sanctioned weapons program.

North Korean hackers created fictitious US firms to deploy malware-laced job offers in corporate espionage campaigns, according to Reuters. 

Lazarus used fake firms to launch malware attacks on crypto developers 

The Lazarus Group, North Korea’s state-backed cyber unit, has established multiple fake companies registered in the United States to lure blockchain developers into downloading malware, according to a recent FBI-supported investigation.

Entities such as Blocknovas LLC and Softglide LLC, registered in New Mexico and New York, respectively, served as the primary fronts for the operation. Researchers at cybersecurity firm Silent Push confirmed the companies were incorporated using fabricated identities and fake addresses, complete with professional websites and job listings on platforms like LinkedIn and Upwork.

The malicious campaign targeted software engineers in the crypto and Web3 space. Once applicants engaged with the fake recruiters, they were invited to fake interviews and sent “test assignments.” These files contained embedded malware designed to extract browser credentials, private keys and wallet access details from the victim’s device.

“It is the first confirmed case of North Korean actors incorporating US entities to gain operational legitimacy,” said Kasey Best, Director of Threat Intelligence at Silent Push.

According to Reuters, the operation was uncovered when Silent Push identified connections between the front companies’ digital infrastructure and previously known Lazarus malware strains.

The Federal Bureau of Investigation (FBI) has since seized the domain for Blocknovas as part of an active enforcement effort against North Korean cyber actors.

Crypto theft financing North Korean espionage and missile efforts

Investigators estimate that hundreds of developers were targeted by the operation, with some infections leading to more than financial loss. Evidence suggests that access gained through these malware implants may have been escalated to other state-aligned DPRK teams for potential espionage use.

“Our efforts focus on imposing consequences not only on DPRK actors but on anyone facilitating their ability to conduct these schemes,” said a senior FBI official in a statement.

US and South Korean intelligence agencies believe thousands of North Korean IT workers operate globally, often under false identities, to generate capital for Pyongyang’s weapons development. A 2023 United Nations report estimated that North Korea’s cybercrime earnings contribute directly to its nuclear missile program.