North Korean Hackers Deploy Fake U.S. Companies to Exploit Cryptocurrency Developers

A new report by cybersecurity firm Silent Push has uncovered a chilling operation orchestrated by North Korean hackers linked to the Lazarus Group. The group created three fake companies—two in the U.S.—to target cryptocurrency developers with malware. They used AI-generated personas and fabricated profiles to enhance their deception. This highlights the rising sophistication of cybercriminals in exploiting advanced technologies.

The Anatomy of Deception: How Fake Companies Were Used

The operation was spearheaded by Contagious Interview, a subgroup of Lazarus. They set up two entities, BlockNovas LLC and SoftGlide LLC, in New Mexico and New York, respectively. A third company, Angeloper Agency, was also part of the scheme but not registered in the U.S. These companies served as fronts for malicious activities, leveraging domains such as lianxinxiao[.]com, blocknovas[.]com, and apply-blocknovas[.]site to host malware operations.
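As an added defender-side example (not part of the Silent Push report or this article), the following script refangs the domains listed above and sweeps them against DNS query logs, flagging exact matches and subdomains while ignoring look-alike names. The log format and the sample lines are constructed for the example.

```python
import re
from typing import List, Optional, Set, Tuple

# Domains reported by Silent Push, kept in the defanged form the article uses.
DEFANGED_IOCS = [
    "lianxinxiao[.]com",
    "blocknovas[.]com",
    "apply-blocknovas[.]site",
]

def refang(indicator: str) -> str:
    """Turn a defanged domain such as 'example[.]com' back into 'example.com'."""
    return indicator.replace("[.]", ".").replace("(.)", ".").strip().lower()

def matches_ioc(hostname: str, iocs: Set[str]) -> Optional[str]:
    """Return the IoC that hostname equals or is a subdomain of, else None.

    The leading dot in the subdomain test prevents 'notblocknovas.com'
    from matching 'blocknovas.com'.
    """
    host = hostname.lower().rstrip(".")
    for ioc in iocs:
        if host == ioc or host.endswith("." + ioc):
            return ioc
    return None

# Hypothetical key=value DNS log format: the queried name follows 'query='.
HOST_RE = re.compile(r"\bquery=([A-Za-z0-9.-]+)")

def scan_log(lines: List[str], defanged=DEFANGED_IOCS) -> List[Tuple[int, str, str]]:
    """Return (line_number, hostname, matched_ioc) for every line touching an IoC."""
    iocs = {refang(i) for i in defanged}
    hits = []
    for n, line in enumerate(lines, 1):
        m = HOST_RE.search(line)
        if m is None:
            continue
        ioc = matches_ioc(m.group(1), iocs)
        if ioc is not None:
            hits.append((n, m.group(1), ioc))
    return hits

# Constructed sample log lines (not real telemetry).
SAMPLE_LOG = [
    "2025-04-24T10:01:02Z src=10.0.0.5 query=careers.blocknovas.com type=A",
    "2025-04-24T10:01:05Z src=10.0.0.5 query=github.com type=A",
    "2025-04-24T10:02:11Z src=10.0.0.9 query=apply-blocknovas.site type=A",
    "2025-04-24T10:02:30Z src=10.0.0.9 query=notblocknovas.com type=A",
]

if __name__ == "__main__":
    for n, host, ioc in scan_log(SAMPLE_LOG):
        print(f"line {n}: {host} matches indicator {ioc}")
```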

To lend authenticity to their ruse, the hackers employed AI-generated employee profiles and fabricated addresses, as revealed by Silent Push researchers. This use of advanced technologies like AI underscores the sophistication of Lazarus’s tactics, making it harder for potential victims to detect the deception.

How It Works: Malware Disguised as Job Opportunities

The North Korean hackers targeted cryptocurrency developers by posing as legitimate employers offering job opportunities. Unsuspecting job seekers were lured into downloading malicious software disguised as job application materials. Once installed, the malware granted attackers access to victims’ systems, enabling them to steal private keys, compromise crypto wallets, and exfiltrate sensitive data.

This method is consistent with Lazarus’s modus operandi, which has historically relied on fake job postings to execute high-profile attacks. For instance, in 2021, a fake job offer led to the Axie Infinity Ronin Bridge hack, resulting in the theft of $625 million in ETH and USDC. Similarly, in 2022, the group exploited this tactic to steal $100 million from Harmony’s Horizon Bridge.

Since 2017, Lazarus has reportedly stolen over $3 billion worth of cryptocurrency, according to estimates from the United Nations and Chainalysis. A significant portion of these funds—acquired through job-based attacks—highlights the effectiveness of this strategy.

Why Cryptocurrency Developers Are High-Value Targets

Cryptocurrency developers are particularly attractive targets because they often hold access to critical infrastructure, including blockchain networks and private keys. By compromising these individuals, hackers can infiltrate entire systems, facilitating large-scale thefts. Furthermore, the decentralized and pseudonymous nature of cryptocurrencies makes it exceedingly difficult to trace stolen funds, adding to the allure for state-sponsored groups like Lazarus.

What This Means for the Crypto Community

This latest revelation serves as a sobering reminder of the escalating threats facing the cryptocurrency industry. Developers and job seekers must exercise caution when interacting with unfamiliar companies or downloading files during the hiring process. Employers, too, should prioritize implementing robust cybersecurity measures to safeguard their teams and systems from similar attacks.

From our perspective as a crypto-focused platform, the emergence of AI-generated personas and fake companies emphasizes the urgent need for heightened awareness and education within the community. By staying informed and adopting proactive security practices, we can collectively mitigate the risks posed by groups like Lazarus.