
North Korean Hackers Create Fake U.S. Firms to Phish Crypto Developers
North Korea’s Lazarus Group has taken its crypto espionage game to a new level.
According to cybersecurity firm Silent Push, the hacking group recently established two fake companies in the U.S. — Blocknovas LLC (New Mexico) and Softglide LLC (New York) — with the explicit goal of infiltrating cryptocurrency development teams.
These fake businesses posed as legitimate employers in the crypto space and offered bogus job interviews to unsuspecting developers. But instead of onboarding them, they delivered stealthy malware designed to:
- Compromise wallets
- Harvest passwords
- Extract credentials and seed phrases
“These attacks represent a severe threat vector targeting the developer core of the crypto ecosystem,” Silent Push warned.
How the Scam Worked: A Closer Look at the Attack Flow
- Fake job listings were posted on public job boards and developer networks.
- Developers were contacted by fake recruiters, often with LinkedIn profiles and Telegram IDs.
- Interview invites were sent — often for Zoom calls, which launched malware payloads.
- Infected systems gave Lazarus access to:
  - Wallet keys
  - Exchange credentials
  - Multi-sig access controls
  - Sensitive company data
The FBI has since seized the Blocknovas website, confirming it was used in an active phishing campaign by North Korean actors.
Why This Campaign Matters
Unlike typical rug pulls or spam tokens, this campaign was:
- Highly targeted
- Nation-state backed
- In violation of U.S. Office of Foreign Assets Control (OFAC) and UN sanctions
“This is not random. This is strategic crypto sabotage,” said a former FBI cybersecurity analyst.
And it’s working. Silent Push confirmed multiple victims, though the full scope of stolen data and tokens remains undisclosed.
Not an Isolated Incident: Lazarus’s Growing Toolkit
The Lazarus Group is infamous for:
- The $1.4 billion Bybit hack in February 2025
- The 2022 Axie Infinity Ronin bridge hack
- The 2017 WannaCry ransomware campaign
They are now evolving from large-scale exchange breaches to precision-targeted phishing operations, including:
- Fake Zoom interviews (as seen with Manta co-founder Kenny Li)
- Developer impersonation
- Deepfake interviewers (suspected in some cases)
A recent GTIG (Google Threat Intelligence Group) report found that North Korean IT workers are embedding themselves in Web3 teams across the U.S., Germany, the UK, and Serbia — often using forged resumes and IDs to get hired as smart contract auditors or backend engineers.
Cybersecurity Firms Sound the Alarm
Silent Push believes this campaign is the most technically refined phishing operation they’ve seen targeting crypto developers to date.
According to their forensic data:
- Blocknovas was registered using fake EIN and SSN data
- Hosting was done via bulletproof offshore VPS providers
- Malware was customized for Mac and Linux environments — both popular among devs
“The level of OSINT (open-source intelligence) gathered on victims is shocking,” Silent Push added.
U.S. Government Response: Warnings and Crackdowns
The FBI has issued warnings to the crypto developer community, urging:
- Caution with unsolicited job offers
- Enhanced endpoint security
- Use of hardware wallets and offline key storage
- Verification of recruiters and interview links
An FBI spokesperson said:
“We are focused on imposing risks and consequences — not just on DPRK actors themselves, but anyone facilitating their schemes.”
Chart: Timeline of North Korean Crypto Attacks
| Date | Incident | Estimated Loss |
|---|---|---|
| Apr 2025 | Blocknovas/Softglide phishing attacks | Unknown |
| Feb 2025 | Bybit Hack | $1.4 billion |
| Apr 2024 | Stake.com Hack | $41 million |
| Mar 2022 | Ronin/Axie Infinity Hack | $625 million |
Protecting Yourself as a Crypto Developer
Best Practices for Developers:
- Don’t download files or accept calls from unknown job offers
- Always check company registration status and legitimacy
- Use sandboxed VMs for calls and code tests
- Enable 2FA across wallets and exchanges
- Watch for typo-squatted domains or fake GitHub repos
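The advice to verify interview links and watch for typo-squatted domains can be turned into a mechanical pre-check. The following is example code added for this page (not from Silent Push, the FBI, or any tool mentioned above): it flags an invitation link whose host is not on an assumed allow-list of meeting providers, borrows a provider's brand name in a lookalike domain, uses non-ASCII characters in the host, or points at a downloadable installer rather than a browser join page. The allow-list, file extensions, and sample links are constructed assumptions for the demonstration.

```python
import re
from urllib.parse import urlparse

# Constructed allow-list for this example: domains where genuine meeting links live.
TRUSTED_MEETING_HOSTS = ("zoom.us", "meet.google.com", "teams.microsoft.com")
# A browser join link never needs to hand you one of these; a "client update" lure does.
PAYLOAD_EXTENSIONS = (".zip", ".dmg", ".pkg", ".sh", ".exe", ".msi", ".js")

def host_is_trusted(host: str) -> bool:
    """True only if host is an allow-listed domain or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == t or host.endswith("." + t) for t in TRUSTED_MEETING_HOSTS)

def check_invite_link(url: str) -> list:
    """Return the reasons an interview link looks suspicious; [] means it passed."""
    reasons = []
    parsed = urlparse(url.strip())
    host = (parsed.hostname or "").lower()
    if parsed.scheme != "https":
        reasons.append(f"scheme is {parsed.scheme or 'missing'!r}, not https")
    if not host:
        reasons.append("no host in link")
        return reasons
    if not host.isascii():
        reasons.append("host contains non-ASCII characters (possible homoglyph)")
    if not host_is_trusted(host):
        reasons.append(f"host {host!r} is not an allow-listed meeting provider")
        # 'zoom.us.meeting-invite.example' or 'zoom-update.example' reuse a brand label
        labels = set(re.split(r"[.-]", host))
        brands = {t.split(".")[0] for t in TRUSTED_MEETING_HOSTS}  # zoom, meet, teams
        if labels & brands:
            reasons.append("host borrows a meeting-provider brand name (lookalike)")
    if parsed.path.lower().endswith(PAYLOAD_EXTENSIONS):
        reasons.append("link points at a downloadable file, not a browser join page")
    return reasons

# Constructed sample invitations for demonstration (not real campaign artifacts).
SAMPLE_INVITES = [
    "https://us02web.zoom.us/j/1234567890?pwd=abc",
    "https://zoom.us.meeting-invite.example/j/1234567890",
    "http://zoom-update.example/ZoomInstaller.pkg",
]

if __name__ == "__main__":
    for link in SAMPLE_INVITES:
        verdict = check_invite_link(link)
        print(f"{'SUSPICIOUS' if verdict else 'OK'}: {link}")
        for reason in verdict:
            print(f"    - {reason}")
```

A clean result only means the link points at the expected provider; the recruiter and the company behind the invitation still need to be verified separately.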
Final Thoughts: North Korea’s Lazarus Is Playing the Long Game
North Korea’s Lazarus Group has proven once again that Web3 is one of its most lucrative targets. As crypto matures, so do the threats — and Lazarus isn’t just stealing coins anymore. It’s targeting the builders who keep this industry alive.
With the rise of fake U.S. companies, embedded IT workers, and phishing malware disguised as Zoom calls, the next crypto hack may not come from code — but from trust.
Stay skeptical. Stay secure. And verify before you click.