North Korean Hackers Exploit U.S. Businesses to Target Crypto Developers

Cybersecurity researchers have uncovered a sophisticated scheme by North Korean hackers who established fraudulent U.S.-based companies to deceive cryptocurrency developers and distribute malicious software.

The operation, linked to the notorious Lazarus Group, represents a bold violation of U.S. Treasury sanctions and underscores the growing threat of state-sponsored cyberattacks targeting the crypto industry. According to Silent Push, a U.S. cybersecurity firm, the hackers created two companies, Blocknovas LLC and Softglide LLC, registered in New Mexico and New York, respectively, using fabricated personas and addresses. A third entity, Angeloper Agency, is also connected to the campaign but lacks U.S. registration.

The hackers, operating under the Reconnaissance General Bureau, North Korea’s primary foreign intelligence agency, used these corporate fronts to lure developers with fake job postings. Kasey Best, director of threat intelligence at Silent Push, described the tactic as a rare instance of North Korean operatives successfully establishing legal entities in the U.S. to facilitate cyberattacks. The fraudulent companies targeted unsuspecting job applicants, delivering malware that compromised cryptocurrency wallets and harvested passwords and other credentials, material that could enable follow-on attacks on legitimate businesses. Silent Push confirmed multiple victims, with Blocknovas identified as the most active of the three fronts.

On Thursday, the FBI seized the Blocknovas domain, posting a notice that it was part of a law enforcement action against North Korean cyber actors. The notice highlighted the domain’s role in deceiving individuals through fake job postings and distributing malware.

Violations and Broader Implications

The creation of these companies violates U.S. Treasury Department sanctions enforced by the Office of Foreign Assets Control, as well as United Nations sanctions prohibiting North Korean commercial activities that support its government or military.

Registration documents reviewed by Reuters revealed inconsistencies, such as Blocknovas listing an address in Warrenville, South Carolina, that appears to be an empty lot on Google Maps. Softglide, meanwhile, was registered through a small tax office in Buffalo, New York. Neither the New York Department of State nor the New Mexico secretary of state’s office, which confirmed Blocknovas’ registration complied with state statutes, had mechanisms to detect the North Korean connection.

This campaign reflects the evolving tactics of North Korean cyber operations, which increasingly target the cryptocurrency sector to generate revenue for Pyongyang’s nuclear and missile programs. Beyond direct hacking, North Korea has deployed thousands of IT workers overseas to earn millions in foreign currency, according to the U.S., South Korea, and the United Nations.

The malware linked to this campaign, previously associated with North Korean operations, is designed to steal sensitive data, infiltrate networks, and deploy additional malicious software, posing a significant risk to the global cryptocurrency ecosystem.