North Korean Hackers Created Fake U.S. Companies to Target Crypto Developers

Ambuj Shukla

In a major cybersecurity revelation, North Korean hackers linked to the notorious Lazarus Group have been found setting up fake U.S. companies to infiltrate the cryptocurrency sector and infect developers with malicious software, according to U.S. cybersecurity firm Silent Push and documents reviewed by Pulse.

The two identified entities, Blocknovas LLC and Softglide LLC, were registered in New Mexico and New York, respectively, using fake identities and bogus addresses. A third unregistered entity, Angeloper Agency, was also linked to the operation.

“This is a rare example of North Korean hackers successfully registering legal corporate entities in the U.S. to serve as fronts for cyberattacks,” said Kasey Best, Director of Threat Intelligence at Silent Push.


FBI Seizes Blocknovas Domain Used for Malware Distribution

On Thursday, the FBI seized the Blocknovas website domain, stating it was used by North Korean cyber actors to post fake job listings that tricked victims into installing malware. While the FBI didn’t directly comment on the specific companies, they confirmed ongoing efforts to disrupt North Korean cyber operations.

“These cyber operations are among the most advanced persistent threats facing the U.S.,” said an FBI official.


Fake Job Offers, Real Malware: How the Attacks Work

The hackers targeted crypto developers with fake job interview offers, which led to malware infections that allowed them to:

  • Steal cryptocurrency wallet credentials
  • Gain access to sensitive systems
  • Deploy additional malware strains

Silent Push confirmed multiple victims were compromised, mostly through Blocknovas, which was described as the most active front company in the operation.


Lazarus Group: Pyongyang’s Cyber Espionage Arm

The Lazarus Group, a hacking division tied to North Korea’s Reconnaissance General Bureau (RGB), has long been linked to financial cybercrimes, including crypto thefts to fund the country’s nuclear weapons program.

“These operations not only violate U.S. sanctions enforced by the Office of Foreign Assets Control (OFAC), but also breach United Nations sanctions prohibiting North Korean commercial activities,” said cybersecurity researchers.


Violation of U.S. and UN Sanctions

Both Blocknovas and Softglide were found to be illegally registered entities, set up in clear violation of international sanctions:

  • Blocknovas listed a fake address in South Carolina, which appears to be an empty lot.
  • Softglide was registered using a small tax office in Buffalo, New York.

The New York Department of State declined to comment, while the New Mexico Secretary of State’s office confirmed the registration but emphasized they had no way of knowing the company’s ties to North Korea.


North Korea’s Expanding Cyber Capabilities

This operation is part of North Korea’s broader efforts to raise funds through cybercrime, including:

  • Dispatching IT workers abroad
  • Executing crypto hacks and scams
  • Targeting tech professionals globally

According to Silent Push, the malware used in this campaign included at least three known strains previously linked to North Korean espionage efforts.
