Daily Crypto News & Musings

North Korean Lazarus Group Targets Crypto Devs via US Shell Companies and Malware-Laden Job Offers

North Korean Hackers Target Crypto Developers with US Shell Companies

North Korean hackers from the Lazarus Group have ingeniously penetrated the cryptocurrency industry by setting up shell companies in the U.S., using deceptive job offers to ensnare unsuspecting developers with malware. This bold move not only violates U.S. sanctions but also exposes the darker side of the crypto world, where state-sponsored cybercriminals exploit the promise of decentralization and freedom for their gain.

  • Lazarus Group uses US shell companies to target crypto devs
  • Malware disguised as job opportunities
  • FBI seizes domain used in the scheme

The Lazarus Group, a notorious state-sponsored hacking unit from North Korea, has been linked to the creation of two shell companies in the United States: Blocknovas LLC in New Mexico and Softglide LLC in New York. A shell company is essentially a business without active operations, often used to obscure ownership or facilitate illegal activities. These entities were created with falsified identities and addresses, forming part of a broader strategy to infiltrate the cryptocurrency industry. Another entity, Angeloper Agency, is also connected but not registered in the U.S.

These hackers have been using platforms like LinkedIn to reach out to cryptocurrency developers, offering enticing job opportunities. Once engaged, victims are asked to download what they believe to be hiring software or technical assessments. However, these are, in reality, malware designed to compromise their systems. This tactic is not new for the Lazarus Group; they have previously used similar methods in campaigns like “ClickFix,” which targeted job seekers in the centralized finance (CeFi) sector, and the infamous 2021 Ronin Bridge hack, which resulted in a staggering $625 million theft.
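A defender-side triage step for the "hiring software or technical assessment" lure described above (and recapped under Key Questions below), as an added example that is not part of the original article: before running anything a recruiter sends, statically scan the project for install-time hooks and for dynamic execution of decoded data. The indicator set, the `triage` function and the constructed sample project are assumptions of this example, not details reported on the page.

```python
"""Static pre-execution triage of a 'take-home assessment' project.

Added example; the red flags below are assumptions of this example
(generic indicators for code handed to a candidate), not page details.
"""
import json
import os
import re
import tempfile
from pathlib import Path

# Assumed heuristics: scripts that run automatically on install, dynamic
# code execution fed by decoded strings, and long base64-looking literals.
INSTALL_HOOKS = {"preinstall", "install", "postinstall", "prepare"}
DYNAMIC_EXEC = re.compile(r"\b(eval|Function|exec|execSync|spawn|child_process)\b")
DECODE_CALLS = re.compile(r"(atob|Buffer\.from\([^)]*['\"]base64['\"]\)|b64decode)")
BASE64_BLOB = re.compile(r"['\"][A-Za-z0-9+/=]{80,}['\"]")
SOURCE_EXT = {".js", ".mjs", ".cjs", ".ts", ".py", ".sh"}


def scan_package_json(path: Path) -> list[str]:
    """Flag npm lifecycle scripts that execute without the candidate running anything."""
    try:
        data = json.loads(path.read_text(encoding="utf-8"))
    except (ValueError, OSError):
        return [f"{path}: unreadable package.json"]
    findings = []
    for hook, cmd in (data.get("scripts") or {}).items():
        if hook in INSTALL_HOOKS:
            findings.append(f"{path}: install-time hook '{hook}' runs: {cmd}")
    return findings


def scan_source(path: Path) -> list[str]:
    """Flag lines that execute decoded data or carry large encoded blobs."""
    try:
        text = path.read_text(encoding="utf-8", errors="replace")
    except OSError:
        return []
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if DYNAMIC_EXEC.search(line) and DECODE_CALLS.search(line):
            findings.append(f"{path}:{lineno}: dynamic execution of decoded data")
        elif BASE64_BLOB.search(line):
            findings.append(f"{path}:{lineno}: long base64-looking literal")
    return findings


def triage(root: Path) -> list[str]:
    """Walk the project and collect every indicator; empty list means nothing flagged."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath) / name
            if name == "package.json":
                findings.extend(scan_package_json(p))
            elif p.suffix in SOURCE_EXT:
                findings.extend(scan_source(p))
    return findings


def build_sample() -> Path:
    """Constructed sample project (not a real artifact): one clean module,
    one postinstall hook and one script that evals a base64-decoded string."""
    root = Path(tempfile.mkdtemp(prefix="assessment_"))
    (root / "src").mkdir()
    (root / "package.json").write_text(json.dumps({
        "name": "coding-challenge",
        "scripts": {"test": "node src/index.js", "postinstall": "node src/setup.js"},
    }))
    (root / "src" / "index.js").write_text("module.exports = (a, b) => a + b;\n")
    (root / "src" / "setup.js").write_text(
        'eval(Buffer.from("Y29uc29sZS5sb2coJ2hpJyk=", "base64").toString());\n'
    )
    return root


if __name__ == "__main__":
    for finding in triage(build_sample()):
        print(finding)
```

Run it against an unpacked assessment directory by calling `triage(Path("path/to/project"))`; any finding is a reason to open the project only in a disposable VM, or not at all, until the recruiter and company have been verified through an independent channel.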

Blocknovas LLC, identified as the most active of these shell companies, listed an address that led to an empty lot in South Carolina, further illustrating the deceptive nature of these operations. Softglide LLC was registered through a tax preparation service in Buffalo, New York, showcasing the hackers’ ability to exploit vulnerabilities in U.S. business registration systems. The FBI, recognizing the threat, intervened by seizing the Blocknovas domain, disrupting the hackers’ ability to spread malware through this channel.

The use of shell companies and fake job offers by the Lazarus Group highlights the sophistication and persistence of North Korean cyber actors. These operations not only violate U.S. sanctions but also expose significant weaknesses in business registration processes. The cryptocurrency community must remain vigilant, as these state-sponsored hackers continue to adapt and target new vulnerabilities.

The Lazarus Group’s actions serve as a stark reminder of the ongoing threat to the crypto industry. With international sanctions pressuring North Korea, the regime has turned to cybercrime as a means to fund its activities, making the cryptocurrency sector a prime target. The involvement of the FBI and other law enforcement agencies underscores the seriousness of this issue and the need for heightened cybersecurity measures.

While the Lazarus Group’s tactics are alarming, they also highlight the resilience and adaptability of the cryptocurrency community. As we champion decentralization and privacy, we must also recognize the importance of robust security practices. The fight against state-sponsored cyber threats is ongoing, but with awareness and collective action, the crypto world can continue to thrive and innovate.

Imagine receiving a dream job offer in the crypto industry, only to find out it’s a trap set by North Korean hackers moonlighting as terrible HR recruiters—but with a side of malware. It’s a chilling reminder that in our pursuit of financial revolution and effective accelerationism, we must not overlook the potential for misuse and exploitation.

Recent incidents, such as the $308 million theft from DMM in May 2024 by North Korean actors using similar tactics, further underscore the ongoing nature of these threats. The international collaboration between agencies like the FBI and the National Police Agency of Japan to combat these threats highlights the global effort to protect the cryptocurrency space.

The cryptocurrency industry must continue to innovate and strengthen its defenses. The potential for loss of trust is significant, and companies are taking measures to enhance their cybersecurity. As we push forward with Bitcoin and other cryptocurrencies, it’s crucial to balance optimism with realism, understanding that while these technologies hold immense promise, they also attract nefarious actors looking to exploit their vulnerabilities.

Key Questions and Takeaways:

What is the Lazarus Group known for?
The Lazarus Group is known for its role in high-profile cyber thefts and espionage activities, operating as a state-sponsored hacking unit under North Korea’s Reconnaissance General Bureau.

How did North Korean hackers target cryptocurrency developers?
North Korean hackers set up shell companies in the U.S. and used fake job postings on platforms like LinkedIn to approach developers, inviting them to “interviews” where they were encouraged to download malware disguised as hiring software or technical assessments.

What actions were taken by the FBI in response to the North Korean hackers’ activities?
The FBI seized the Blocknovas domain, which was used by the hackers to deceive job seekers and spread malware.

What previous campaigns have been linked to the Lazarus Group?
The Lazarus Group has been linked to the “ClickFix” campaign targeting job seekers in the centralized finance (CeFi) crypto sector and the 2021 Ronin Bridge hack, which resulted in a $625 million theft.

What vulnerabilities were exposed by the North Korean hackers’ operations?
The operations exposed major vulnerabilities in U.S. business registration systems, as the hackers were able to set up shell companies using falsified names, addresses, and documentation, which allowed them to pose as legitimate employers.