Lazarus Group Goes Corporate: North Korean Hackers Set Up Fake US Firms to Hunt Crypto Devs

North Korea’s infamous Lazarus Group just leveled up their grift—registering shell companies stateside to infiltrate crypto circles. Because why bother with malware when you can just file some paperwork?

The Bureaucracy of Crime

Forget dark-web aliases. These operatives went full LinkedIn-core, posing as legit US employers to lure blockchain talent. Bonus points for exploiting Silicon Valley’s ’move fast and break things’ ethos—except they’re breaking into wallets, not APIs.

VCs Won’t See This Pitch Deck

While Sand Hill Road funds the next ’Web3 revolution,’ Lazarus skipped the seed round and went straight to the exit scam. A reminder that in crypto, the most sophisticated tech isn’t always on the blockchain—sometimes it’s in a Delaware LLC filing.

Lazarus used fake firms to launch malware attacks on crypto developers 

The Lazarus Group, North Korea’s state-backed cyber unit, has established multiple fake companies registered in the United States to lure blockchain developers into downloading malware, according to a recent FBI-supported investigation.

Entities such as Blocknovas LLC and Softglide LLC, registered in New Mexico and New York, respectively, served as the primary fronts for the operation. Researchers at cybersecurity firm Silent Push confirmed the companies were incorporated using fabricated identities and fake addresses, complete with professional websites and job listings on platforms like LinkedIn and Upwork.

The malicious campaign targeted software engineers in the crypto and Web3 space. Once applicants engaged with the fake recruiters, they were invited to fake interviews and sent “test assignments.” These files contained embedded malware designed to extract browser credentials, private keys and wallet access details from the victim’s device.

“It is the first confirmed case of North Korean actors incorporating US entities to gain operational legitimacy,” said Kasey Best, Director of Threat Intelligence at Silent Push.

According to Reuters, the operation was uncovered when Silent Push identified connections between the front companies’ digital infrastructure and previously known Lazarus malware strains.

The Federal Bureau of Investigation (FBI) has since seized the domain for Blocknovas as part of an active enforcement effort against North Korean cyber actors.

Crypto theft financing North Korean espionage and missile efforts

Investigators estimate that hundreds of developers were targeted by the operation, with some infections leading to more than financial loss. Evidence suggests that access gained through these malware implants may have been escalated to other state-aligned DPRK teams for potential espionage use.

“Our efforts focus on imposing consequences not only on DPRK actors but on anyone facilitating their ability to conduct these schemes,” said a senior FBI official in a statement.

US and South Korean intelligence agencies believe thousands of North Korean IT workers operate globally, often under false identities, to generate capital for Pyongyang’s weapons development. A 2023 United Nations report estimated that North Korea’s cybercrime earnings contribute directly to its nuclear missile program.