North Korean hackers use fake US companies to hack crypto devs

Source: Cryptopolitan

North Korean cyber operatives quietly formed two limited-liability companies in the United States and used them to slip harmful code to job-seeking software engineers in the cryptocurrency world, according to U.S. legal filings and research shared with Reuters.

Silent Push, a cybersecurity firm, says Blocknovas LLC in New Mexico and Softglide LLC in New York were built with made-up names and rented addresses so the hackers could look like legitimate employers while sending malware to applicants. A third firm, Angeloper Agency, carried identical malicious web fingerprints but did not appear on any U.S. corporate register.

“This is a rare example of North Korean hackers actually managing to set up legal corporate entities in the U.S. in order to create corporate fronts used to attack unsuspecting job applicants,” Kasey Best, Silent Push’s director of threat intelligence, told Reuters.

The U.S. Federal Bureau of Investigation would not discuss the two companies directly. However, on Thursday, the bureau posted a seizure notice on Blocknovas’ website that said the domain had been taken “as part of a law enforcement action against North Korean cyber actors who utilized this domain to deceive individuals with fake job postings and distribute malware.”

Before the takedown, senior FBI officials said the agency aims to “impose risks and consequences, not only on the DPRK actors themselves, but anybody who is facilitating their ability to conduct these schemes.”

One official called North Korea’s hacking units “perhaps one of the most advanced persistent threats” facing the United States today.

Silent Push says the attackers posed as recruiters and offered interviews that required targets to open malicious files.

Blocknovas and Softglide used job ads to slip malware to crypto developers

Once launched, the files tried to harvest cryptocurrency wallet keys, passwords, and other credentials that could later help break into exchanges or technology firms.

The company’s unpublished report confirms “multiple victims,” most of them approached through Blocknovas, which the researchers describe as “by far the most active” of the three fronts.

State records show Blocknovas was registered in New Mexico on 27 September 2023. Its paperwork lists a postal address in Warrenville, South Carolina, that Google Maps shows as an empty lot.

Softglide’s incorporation in New York traces to a small tax-preparation office in Buffalo. There was no trace of the people whose names appear on either filing.

U.S. officials say the pattern fits a wider North Korean push to raise hard currency. Washington, Seoul, and United Nations experts have long accused Pyongyang of stealing crypto and dispatching thousands of information-technology workers abroad to bankroll the country’s nuclear-missile program.

Running a company controlled by North Korea inside the United States breaks sanctions imposed by the Treasury Department’s Office of Foreign Assets Control (OFAC). It also violates U.N. Security Council measures that bar commercial activity benefiting the North Korean state or military.

Malware-laced job files are linked to Lazarus Group

New Mexico’s secretary of state said in an email that Blocknovas was filed through the online domestic-LLC system using a registered agent and appeared to meet state rules. “There would be no way our office would know its connection to North Korea,” a representative wrote.

The investigators link the activity to a subgroup of the Lazarus Group, an elite hacking team that answers to the Reconnaissance General Bureau, Pyongyang’s main foreign-intelligence arm.

Silent Push identified at least three previously known malware families inside the malicious job files. The tools can pull data from infected machines, open back doors for further intrusion, and download additional attack code, a playbook often seen in past Lazarus activities.

For now, Blocknovas’ domain sits under federal seizure, Softglide’s website is offline, and Angeloper Agency’s pages return errors. But investigators warn that new aliases can appear quickly.

“This operation illustrates the continually evolving threat posed by DPRK cyber actors,” the FBI said in its statement, urging technology professionals to scrutinize unsolicited job offers and to report any suspicious outreach.
