North Korean Hackers Pose as US Firms to Target Crypto Devs in Sophisticated Supply-Chain Attack
Lazarus Group strikes again—this time using fake American tech companies as front operations to infiltrate cryptocurrency development teams. Their MO? Poisoned npm packages, compromised SDKs, and LinkedIn profiles so convincing they’d fool your own HR department.
Why it matters: These aren’t smash-and-grab hacks. By hijacking the tools developers trust, they’re playing the long game—waiting for payloads to ship straight into production environments. The ultimate supply-chain heist.
The finance jab: Meanwhile, your average crypto exchange still can’t implement basic 2FA without outsourcing it to a third-party vendor who gets breached quarterly. Priorities.
Blocknovas and Softglide used job ads to slip malware to crypto developers
Once launched, the files tried to harvest cryptocurrency wallet keys, passwords, and other credentials that could later help break into exchanges or technology firms.
Silent Push’s unpublished report confirms “multiple victims,” most of them approached through Blocknovas, which the researchers describe as “by far the most active” of the three fronts.
State records show Blocknovas was registered in New Mexico on 27 September 2023. Its paperwork lists a postal address in Warrenville, South Carolina, that Google Maps shows as an empty lot.
Softglide’s incorporation in New York traces to a small tax-preparation office in Buffalo. There was no trace of the people whose names appear on either filing.
U.S. officials say the pattern fits a wider North Korean push to raise hard currency. Washington, Seoul, and United Nations experts have long accused Pyongyang of stealing crypto and dispatching thousands of information-technology workers abroad to bankroll the country’s nuclear-missile program.
Running a company controlled by North Korea inside the United States breaks sanctions imposed by the Treasury Department’s Office of Foreign Assets Control (OFAC). It violates U.N. Security Council measures that bar commercial activity benefiting the North Korean state or military.
Malware-laced job files are linked to Lazarus Group
New Mexico’s secretary of state said in an email that Blocknovas was filed through the online domestic-LLC system using a registered agent and appeared to meet state rules. “There would be no way our office would know its connection to North Korea,” a representative wrote.
The investigators link the activity to a subgroup of the Lazarus Group, an elite hacking team that answers to the Reconnaissance General Bureau, Pyongyang’s main foreign-intelligence arm.
Silent Push identified at least three previously known malware families inside the malicious job files. The tools can pull data from infected machines, open back doors for further intrusion, and download additional attack code, a playbook often seen in past Lazarus activities.
For now, Blocknovas’ domain sits under federal seizure, Softglide’s website is offline, and Angeloper Agency’s pages return errors. But investigators warn that new aliases can appear quickly.
“This operation illustrates the continually evolving threat posed by DPRK cyber actors,” the FBI said in its statement, urging technology professionals to scrutinize unsolicited job offers and to report any suspicious outreach.