North Korea’s Lazarus Group sets up fictitious US companies to farm dev wallets

North Korea’s Lazarus Group, through its subunit, spun up fake US-registered companies as part of a campaign to phish crypto developers and steal their wallets, according to a new report from Reuters.

The companies, Blocknovas LLC and Softglide LLC, were registered in New Mexico and New York using fake personas and addresses. Another entity, Angeloper Agency, is reportedly connected to the operation, but it is not registered in the US.

The scheme

The tactics involved creating fake companies, establishing a convincing online presence, and posting job listings targeting developers.

Hackers used false identities, made-up addresses, and real platforms like LinkedIn and Upwork to appear legitimate and attract developers. Once applicants opted in, they were taken through fake interviews and instructed to download test assignments or software.

These files contained malware that, once executed, gave attackers access to the victim’s system, allowing them to extract passwords, crypto wallet keys, and other sensitive data.

Russian-speaking group used nearly identical tactics in earlier campaign

In February, BleepingComputer reported that Crazy Evil, a Russian-speaking cybercrime group, had already deployed comparable tactics in a targeted scam against crypto and web3 job seekers.

A subgroup of Crazy Evil created a fake company called ChainSeeker.io, posting fraudulent listings on platforms like LinkedIn. Applicants were directed to download a malicious app, GrassCall, which installed malware designed to steal credentials, crypto wallets, and sensitive files.

The operation was well-coordinated, using cloned websites, fake profiles, and Telegram to distribute malware.

FBI confirms North Korean link

Kasey Best, director of threat intelligence at Silent Push, said this is one of the first known cases of North Korean hackers setting up legally registered companies in the US to bypass scrutiny and gain credibility.

Silent Push traced the hackers back to the Lazarus Group and confirmed multiple victims of the campaign, identifying Blocknovas as the most active of the three front companies they uncovered.  

The FBI seized Blocknovas’ domain as part of enforcement actions against North Korean cyber actors who used fake job postings to distribute malware.

FBI officials said they continue to “focus on imposing risks and consequences, not only on the DPRK actors themselves, but anybody who is facilitating their ability to conduct these schemes.”

According to an FBI official, North Korean cyber operations are among the nation’s most sophisticated persistent threats.

North Korea leverages Russian infrastructure to scale attacks

To overcome limited domestic internet access, North Korea’s hacking group uses international infrastructure, particularly Russian IP ranges hosted in Khasan and Khabarovsk, towns with direct ties to North Korea, according to an in-depth analysis from Trend Micro.

Using VPNs, RDP sessions, and proxy services like Astrill VPN and CCProxy, Lazarus operatives are able to manage attacks, communicate via GitHub and Slack, and access platforms such as Upwork and Telegram.

Researchers at Silent Push have identified seven instructional videos recorded by accounts linked to BlockNovas as part of the operation. The videos describe how to set up command-and-control servers, steal passwords from browsers, upload stolen data to Dropbox, and crack crypto wallets with tools such as Hashtopolis.

From theft to state-sponsored espionage

Hundreds of developers have been targeted, with many unknowingly exposing their sensitive credentials. Some breaches appear to have escalated beyond theft, suggesting Lazarus may have handed over access to other state-aligned teams for espionage purposes.

US, South Korean, and UN officials have confirmed to Reuters that North Korea’s hackers have deployed thousands of IT workers overseas to generate millions in funding for Pyongyang’s nuclear missile program.

Share this article