North Korea’s Lazarus Group Registered U.S. Companies to Infiltrate Crypto Developers

A recent investigation has uncovered that the North Korean state-sponsored hacking group known as Lazarus has registered shell companies in the United States to execute a new wave of cyberattacks targeting the cryptocurrency industry. According to Reuters, the group established entities such as Blocknovas LLC in New Mexico and Softglide LLC in New York using fabricated identities and forged documentation. These companies were presented as legitimate tech startups, complete with websites and supposed teams, with the intention of luring cryptocurrency developers into malware traps.

The cybersecurity firm Silent Push identified that these companies were part of an elaborate scheme to distribute malware, often disguised within seemingly credible job offers. The malicious code was engineered to compromise digital wallets, harvest credentials, and ultimately exfiltrate sensitive development or trading data. In a coordinated move, the FBI seized the domain belonging to Blocknovas, effectively halting its operations. The agency’s actions signal increased scrutiny toward deceptive foreign fronts operating on U.S. soil.

A third suspicious entity, Angeloper Agency, was also tied to the Lazarus campaign, although it was not officially registered in the United States. Cybersecurity experts noted that these fronts are not just vehicles for malware distribution—they’re part of a broader playbook for infiltrating the Web3 ecosystem and targeting developers who work on decentralized finance (DeFi) projects, digital asset infrastructure, and wallet software.

Social Engineering and Malware Delivery Tactics Intensify in Crypto

The Lazarus Group has increasingly relied on advanced social engineering tactics to reach its targets. Its operators have been found impersonating recruiters on professional networks like LinkedIn, initiating contact with software developers under the pretense of legitimate employment opportunities. Once a relationship is established, the hackers often ask victims to complete coding assignments or to download and run developer tools from cloned GitHub repositories. These repositories are rigged with malware strains previously attributed to Lazarus operations, such as BeaverTail and InvisibleFerret.
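As an added illustration of the kind of check a developer can run before executing an unsolicited "coding assignment" (this is example code added here, not code from the article, from Silent Push or from any group or tool the article names), the Python script below triages a cloned repository for the two things that let a project run foreign code the moment it is installed: package-manager lifecycle hooks and obfuscated-loader constructs. It assumes the assignment arrives as a Node.js project, which is an assumption for the demonstration rather than something the article states; the sample repository, its file names and the base64-encoded payload (which decodes to a harmless `console.log(1)`) are constructed for the example.

```python
from __future__ import annotations

import json
import re
import tempfile
from pathlib import Path

# npm runs these scripts automatically during `npm install`, so anything in
# them executes before the developer has opened a single source file.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Constructs an honest take-home task rarely needs; reported once per file.
SUSPICIOUS_PATTERNS = {
    "eval_call": re.compile(r"\beval\s*\("),
    "function_constructor": re.compile(r"\bnew\s+Function\s*\("),
    "base64_decode": re.compile(r"Buffer\.from\([^)]*['\"]base64['\"]"),
    "child_process": re.compile(r"require\(\s*['\"]child_process['\"]\s*\)"),
    "hex_escape_run": re.compile(r"(?:\\x[0-9a-fA-F]{2}){8,}"),
}
SOURCE_SUFFIXES = {".js", ".cjs", ".mjs", ".ts"}


def scan_package_json(path: Path, root: Path) -> list[dict]:
    """Report lifecycle hooks declared in a package.json manifest."""
    rel = str(path.relative_to(root))
    try:
        manifest = json.loads(path.read_text(encoding="utf-8"))
    except (OSError, ValueError):
        return [{"file": rel, "kind": "unreadable_manifest", "detail": ""}]
    scripts = manifest.get("scripts", {}) if isinstance(manifest, dict) else {}
    return [
        {"file": rel, "kind": "lifecycle_hook", "detail": f"{hook}: {scripts[hook]}"}
        for hook in LIFECYCLE_HOOKS
        if hook in scripts
    ]


def scan_source_file(path: Path, root: Path) -> list[dict]:
    """Report suspicious constructs in one JavaScript/TypeScript file."""
    text = path.read_text(encoding="utf-8", errors="replace")
    rel = str(path.relative_to(root))
    findings = []
    for kind, pattern in SUSPICIOUS_PATTERNS.items():
        match = pattern.search(text)
        if match:
            findings.append({"file": rel, "kind": kind, "detail": match.group(0)})
    return findings


def scan_repository(root: Path) -> list[dict]:
    """Walk a cloned repository (skipping node_modules) and collect findings."""
    findings = []
    for path in sorted(root.rglob("*")):
        if "node_modules" in path.parts or not path.is_file():
            continue
        if path.name == "package.json":
            findings.extend(scan_package_json(path, root))
        elif path.suffix in SOURCE_SUFFIXES:
            findings.extend(scan_source_file(path, root))
    return findings


def build_sample_repo() -> Path:
    """Constructed sample 'take-home task' (not a real repository): one clean
    module plus a postinstall hook that decodes and evals a payload."""
    root = Path(tempfile.mkdtemp(prefix="takehome-"))
    (root / "src").mkdir()
    (root / "package.json").write_text(json.dumps({
        "name": "takehome-task",
        "scripts": {"postinstall": "node setup.js", "test": "jest"},
    }))
    (root / "src" / "index.js").write_text("module.exports = (a, b) => a + b;\n")
    (root / "setup.js").write_text(
        'const cp = require("child_process");\n'
        'const payload = Buffer.from("Y29uc29sZS5sb2coMSk=", "base64").toString();\n'
        "eval(payload);\n"
    )
    return root


if __name__ == "__main__":
    for finding in scan_repository(build_sample_repo()):
        print(f"{finding['file']:<14} {finding['kind']:<20} {finding['detail']}")
```

Run it against a freshly cloned assignment before `npm install`; a postinstall hook pointing at a file that decodes and evaluates a blob is reason to stop and inspect the project in an isolated machine rather than on a workstation holding wallet keys or signing credentials. Pattern matching of this sort catches the obvious loader, not a carefully disguised one, so treat a clean scan as one input to the decision, not as clearance.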

These attacks are not isolated incidents. They form part of a long-running pattern by North Korea to acquire cryptocurrency through illicit means. Stolen digital assets have become a critical source of funding for Pyongyang’s nuclear weapons and ballistic missile programs, according to international security agencies. Lazarus, believed to be controlled by the Reconnaissance General Bureau—North Korea’s primary intelligence agency—has previously been linked to major crypto heists including the $620 million Ronin bridge exploit.

Cybersecurity experts warn that this latest evolution in Lazarus tactics poses a serious threat to individual developers and emerging crypto projects alike. Given the open-source nature of Web3 development, even a single compromised contributor can have ripple effects across entire ecosystems.

The U.S. Department of Homeland Security and the Cybersecurity and Infrastructure Security Agency (CISA) are advising tech companies, especially those in the blockchain and fintech sectors, to conduct enhanced background checks, validate business registrations, and be cautious of unsolicited recruiting messages. In the current threat landscape, vigilance is essential not just at the organizational level, but down to each individual developer.

The Lazarus Group’s evolving methods demonstrate an alarming blend of traditional business front tactics with advanced cyber warfare capabilities, underscoring the high stakes faced by developers and startups in the digital asset space.
