North Korean hackers created fake US companies to target crypto developers: report
Quick Take
- North Korean hackers created three companies — two of which were U.S.-based — to distribute malware to cryptocurrency developers, according to security researchers at Silent Push.
- The companies include BlockNovas LLC (New Mexico), SoftGlide LLC (New York) and Angeloper Agency.
- The campaign was attributed to the APT group “Contagious Interview,” a Lazarus subgroup.
North Korean hackers, linked to the Lazarus Group, created three shell companies — two of which were U.S.-based — to target cryptocurrency developers with malware, according to a report by cybersecurity firm Silent Push.
BlockNovas LLC and SoftGlide LLC were registered in the U.S. states of New Mexico and New York, respectively. A third entity, Angeloper Agency, was also linked to the campaign but is not registered in the U.S.
The North Korean APT group Contagious Interview (a subgroup of Lazarus) was behind the campaign, using three fake cryptocurrency companies as fronts for malware distribution.
Domains and subdomains linked to their operations include lianxinxiao[.]com, blocknovas[.]com, and apply-blocknovas[.]site.
The objective of establishing the entities was to deliver malware via fake job interview lures targeting cryptocurrency job seekers, the Silent Push researchers said.
Their operations target cryptocurrency developers with malware, aiming to compromise their crypto wallets and steal credentials to facilitate further attacks on legitimate businesses.
The perpetrators used fake personas and addresses to create these companies, according to researchers. The group used AI-generated employee profiles to give legitimacy to the fake companies, Silent Push researchers said.
The North Korean Lazarus Group, a state-sponsored cybercrime syndicate, has a history of using fake job postings as a vector for distributing malware, particularly targeting cryptocurrency firms to steal funds and sensitive data.
The most infamous case was the 2021 Axie Infinity Ronin Bridge hack, in which a fake job offer compromised a Sky Mavis employee, allowing Lazarus to steal $625 million in ETH and USDC. Another notable hit was the 2022 Horizon Bridge hack, where similar tactics led to a $100 million theft from Harmony’s systems.
Lazarus’s operations have stolen over $3 billion in cryptocurrency since 2017, per U.N. and Chainalysis estimates, with job-based attacks driving a significant portion.
Disclaimer: The Block is an independent media outlet that delivers news, research, and data. As of November 2023, Foresight Ventures is a majority investor of The Block. Foresight Ventures invests in other companies in the crypto space. Crypto exchange Bitget is an anchor LP for Foresight Ventures. The Block continues to operate independently to deliver objective, impactful, and timely information about the crypto industry. Here are our current financial disclosures.
© 2025 The Block. All Rights Reserved. This article is provided for informational purposes only. It is not offered or intended to be used as legal, tax, investment, financial, or other advice.
