Key Takeaways
- The malware also targeted developers’ login credentials, which could then be used to gain unauthorized access to larger systems.
- The entities, Blocknovas LLC and Softglide LLC, were reportedly registered in New Mexico and New York under false identities and addresses.
Two U.S.-based companies allegedly set up by North Korean operatives have been linked to a cyber campaign aimed at stealing sensitive data from cryptocurrency developers, according to findings shared by cybersecurity firm Silent Push.
The entities, Blocknovas LLC and Softglide LLC, were reportedly registered in New Mexico and New York under false identities and addresses, moves that violate U.S. sanctions and international restrictions on North Korean business activities.
The scheme, which U.S. authorities have now disrupted, is attributed to a subgroup within the Lazarus Group, a North Korea-backed hacking organization connected to the country’s Reconnaissance General Bureau, its principal foreign intelligence body. The firms reportedly served as fronts to pose as legitimate employers offering jobs in the cryptocurrency sector, only to distribute malware to applicants during the recruitment process.
“These attacks utilize fake personas offering job interviews, which lead to sophisticated malware deployments in order to compromise the cryptocurrency wallets of developers,” said Kasey Best, director of threat intelligence at Silent Push. She added that the malware also targeted developers’ login credentials, which could then be used to gain unauthorized access to larger systems.
The campaign is part of what cybersecurity analysts describe as a broader North Korean effort to generate funds through illicit cyber operations. The malware deployed through the fake job application processes reportedly enabled attackers to harvest private keys and passwords tied to digital wallets.
According to Silent Push, a third entity, Angeloper Agency, is also linked to the campaign, though it does not appear to have been registered in the U.S.
The FBI confirmed enforcement action against the domain of Blocknovas, stating on its seizure notice that the website was used “to deceive individuals with fake job postings and distribute malware.” The agency said the seizure was part of a broader operation targeting North Korean actors involved in cybercrime.
This operation is not isolated. Earlier this month, Manta Network co-founder Kenny Li was reportedly targeted by a phishing attempt using tactics similar to those linked to the Lazarus Group. In that case, malware was delivered via a fake Zoom call invite.
Additionally, a recent report by GTIG, another cybersecurity firm, found that North Korean IT workers are attempting to secure remote roles in countries such as the United States, Germany, and the United Kingdom using fake resumes and forged documents. These individuals aim to gain access to internal company systems, financial platforms, and sensitive client data.
The formation of Blocknovas and Softglide in the U.S. marks a rare instance of North Korean operatives successfully registering corporate entities on American soil. The act violates sanctions imposed by the U.S. Treasury’s Office of Foreign Assets Control and the United Nations.
While the immediate threat from the identified domains has been neutralized, Silent Push has warned that the malware associated with the campaign has already affected some users, compromising their wallets and personal credentials. Investigations into the extent of the operation and any additional entities are underway.