North Korean hackers reportedly established seemingly
legitimate companies on U.S. soil to infiltrate the crypto sector, targeting
unsuspecting developers through fake job offers.
With legal registrations, corporate fronts, and social
engineering, the attackers concealed their true identities behind American
business facades to deliver malware until the FBI stepped in, according to security firm Silent Push, as quoted by the Japanese Times.
Corporate Fronts, Empty Lots, Real Threats
According to security firm Silent Push, two companies,
Blocknovas and Softglide, were registered in New Mexico and New York using
fabricated addresses and identities. These shell firms served as lures for
crypto developers seeking job opportunities.
Blocknovas, the more active of the two, listed a South
Carolina address that turned out to be an empty lot. Softglide’s paperwork
linked back to a Buffalo-based tax office.
The fake firms formed part of an advanced campaign by
a subgroup of the Lazarus Group, a state-sponsored cyber unit linked to North
Korea’s Reconnaissance General Bureau.
The hackers used fake job postings and LinkedIn-style
profiles to engage developers in interviews. During these interactions, the
victims were prompted to download files disguised as application materials or
onboarding documents.
The malware could steal data, provide backdoor access
to systems, and lay the groundwork for follow-up attacks using spyware or
ransomware. Silent Push confirmed that at least three known North Korean
malware types were used in the campaign.
FBI Moves In
Federal agents seized the Blocknovas domain, citing
its use in distributing malware. A notice now posted on the site confirms that
the action was part of broader law enforcement efforts against North Korean
cyber actors.
The FBI did not comment directly on the companies
involved but emphasized its ongoing focus on exposing and punishing DPRK-backed
cybercrime.
The scheme violates both U.S. and United Nations
sanctions. North Korea is barred from engaging in commercial activities
designed to aid its government or military. OFAC, the Treasury’s enforcement
body, prohibits North Korean-linked entities from operating within the United
States.
This campaign is part of a broader strategy by North
Korea to exploit the crypto ecosystem. The country’s cyber units have stolen billions in
digital assets and dispatched thousands of IT professionals overseas to
generate funds, efforts widely believed to support Pyongyang’s nuclear weapons
program.
North Korean hackers reportedly established seemingly
legitimate companies on U.S. soil to infiltrate the crypto sector, targeting
unsuspecting developers through fake job offers.
With legal registrations, corporate fronts, and social
engineering, the attackers concealed their true identities behind American
business facades to deliver malware until the FBI stepped in, according to security firm Silent Push, as quoted by the Japanese Times.
Corporate Fronts, Empty Lots, Real Threats
According to security firm Silent Push, two companies,
Blocknovas and Softglide, were registered in New Mexico and New York using
fabricated addresses and identities. These shell firms served as lures for
crypto developers seeking job opportunities.
Blocknovas, the more active of the two, listed a South
Carolina address that turned out to be an empty lot. Softglide’s paperwork
linked back to a Buffalo-based tax office.
The fake firms formed part of an advanced campaign by
a subgroup of the Lazarus Group, a state-sponsored cyber unit linked to North
Korea’s Reconnaissance General Bureau.
The hackers used fake job postings and LinkedIn-style
profiles to engage developers in interviews. During these interactions, the
victims were prompted to download files disguised as application materials or
onboarding documents.
The malware could steal data, provide backdoor access
to systems, and lay the groundwork for follow-up attacks using spyware or
ransomware. Silent Push confirmed that at least three known North Korean
malware types were used in the campaign.
FBI Moves In
Federal agents seized the Blocknovas domain, citing
its use in distributing malware. A notice now posted on the site confirms that
the action was part of broader law enforcement efforts against North Korean
cyber actors.
The FBI did not comment directly on the companies
involved but emphasized its ongoing focus on exposing and punishing DPRK-backed
cybercrime.
The scheme violates both U.S. and United Nations
sanctions. North Korea is barred from engaging in commercial activities
designed to aid its government or military. OFAC, the Treasury’s enforcement
body, prohibits North Korean-linked entities from operating within the United
States.
This campaign is part of a broader strategy by North
Korea to exploit the crypto ecosystem. The country’s cyber units have stolen billions in
digital assets and dispatched thousands of IT professionals overseas to
generate funds, efforts widely believed to support Pyongyang’s nuclear weapons
program.
