North Korean Hackers Create Fake U.S. Businesses to Target Crypto Devs

by shayaan

In brief

  • North Korean hackers spun up two fake companies in the U.S. to target crypto developers.
  • The hackers offered job interviews to developers, before compromising their crypto wallets using malware.
  • The fake firms were set up in New Mexico and New York, in violation of OFAC and UN sanctions.

Multiple victims have been attacked by what appears to be a North Korean campaign that targets cryptocurrency developers using fake U.S. companies.

According to a Reuters report, two fake companies, Blocknovas LLC and Softglide LLC, were created by North Korean cyber spies to infect developers in the crypto industry with malicious software.

According to U.S. cybersecurity firm Silent Push, the fake companies were under the control of a hacker subgroup of North Korea’s Lazarus Group—part of the Reconnaissance General Bureau, Pyongyang’s main foreign intelligence agency. The firms were set up in New Mexico and New York using fake details, in violation of Office of Foreign Assets Control and UN sanctions.

A third firm, Angeloper Agency, was linked to the campaign by Silent Push, but does not appear to be registered in the U.S.

On Thursday the FBI placed a seizure notice on the website for Blocknovas, which said it was seized “as part of a law enforcement action against North Korean Cyber Actors who utilized this domain to deceive individuals with fake job postings and distribute malware.”


The attacks used fake personas to offer job interviews, following which “sophisticated malware deployments” were used to compromise cryptocurrency wallets, gain passwords, and steal credentials.

According to Silent Push, there have been “multiple victims” of this campaign, with the Blocknovas front being the more active of the two registered firms.

North Korea’s phishing campaigns

This is just the latest example of North Korea’s cyber operations, which one FBI official described as “perhaps one of the most advanced persistent threats” facing the United States.

North Korea’s Lazarus Group, which was responsible for February’s $1.4 billion hack of crypto exchange Bybit, is now thought to be branching out into phishing campaigns targeting the crypto industry.

Earlier this month, Manta co-founder Kenny Li was targeted by a phishing attempt that bore the hallmarks of Lazarus Group’s MO, using a fake Zoom call as a vector to distribute malware. And a recent Google Threat Intelligence Group (GTIG) report found that North Korean IT workers are infiltrating teams across the U.S., UK, Germany, and Serbia, using fake resumes and forged documents to pose as legitimate developers.

The FBI said that it continues to “focus on imposing risks and consequences, not only on the DPRK actors themselves, but anybody who is facilitating their ability to conduct these schemes.”
