TLDR
- North Korean hackers created three shell companies (BlockNovas, Angeloper Agency, SoftGlide) to target crypto developers
- Two companies were registered as legitimate businesses in the US
- Hackers used fake job interviews to distribute malware that steals crypto wallet keys
- AI-generated images were used to create fake employee profiles
- The FBI has seized at least one domain (BlockNovas) as part of a law enforcement action
North Korean hackers have established three shell companies to target cryptocurrency developers through fake job interviews, according to a recent report by security firm Silent Push. The hackers, linked to the Lazarus Group, created front companies including BlockNovas, Angeloper Agency, and SoftGlide to distribute malware that can steal sensitive information such as crypto wallet keys.
Two of these shell companies were registered as legitimate businesses in the United States. BlockNovas and SoftGlide were created using fictitious identities and addresses in New York and New Mexico, with one listing an address in South Carolina that appears to be an empty lot.
Sophisticated Malware Delivery
The hackers’ method is both clever and dangerous. They post fake job listings on GitHub, LinkedIn, and freelancer websites to attract crypto developers. During the application process, candidates encounter an error message when trying to record an introduction video.
The "solution" offered asks the user to click, then copy and paste something to fix the problem. Completing that simple step is what installs the malware on the developer's computer.
“During the job application process an error message is displayed as someone tries to record an introduction video. The solution is an easy click fix copy and paste trick, which leads to malware if the unsuspecting developer completes the process,” explained Zach Edwards, senior threat analyst at Silent Push.
Our team at Silent Push has been hard at work on the largest report we’ve ever made public – and along with Reuters – today we’re explaining how North Korean threat actors associated with the “Contagious Interview” subgroup created 3 front companies…🧵
— Zach Edwards (@thezedwards) April 24, 2025
The operation uses at least three strains of malware: BeaverTail, InvisibleFerret, and OtterCookie. BeaverTail is designed primarily for information theft and for loading additional malware. OtterCookie and InvisibleFerret target sensitive information, including cryptocurrency wallet keys and clipboard data.
AI-Generated Deception
To make their front companies appear legitimate, the hackers created fake employee profiles using AI-generated images. In some cases, they stole photos of real people and modified them using AI tools to create slightly different versions.
“There are numerous fake employees and stolen images from real people being used across this network. In one of the examples, the threat actors took a real photo from a real person, and then appeared to have run it through an AI image modifier tool to create a subtly different version of that same image,” said Edwards.
The malware campaign has been active since early 2024. Silent Push has identified at least two developers targeted by the campaign, with one reportedly having their MetaMask wallet compromised.
The Federal Bureau of Investigation (FBI) has taken action against these fraudulent operations. It has seized the BlockNovas domain, posting a notice stating it was taken down “as part of a law enforcement action against North Korean cyber actors who utilized this domain to deceive individuals with fake job postings and distribute malware.”
…and the “solution” is an easy “click fix” copy and paste trick, which leads to malware if the unsuspecting developer completes the process.
— Zach Edwards (@thezedwards) April 24, 2025
“This is a rare example of North Korean hackers actually managing to set up legal corporate entities in the US in order to create corporate fronts used to attack unsuspecting job applicants,” said Kasey Best, director of threat intelligence at Silent Push.
The SoftGlide domain, however, remains active along with other infrastructure used by the hackers.
North Korean hacking groups like the Lazarus Group have been linked to some of the biggest cyber thefts in the cryptocurrency space. They are suspected of involvement in major hacks including the $1.4 billion Bybit hack and the $600 million Ronin network hack.
At least three crypto founders reported in March that they foiled attempts from alleged North Korean hackers to steal sensitive data through fake Zoom calls.
The operation is part of a broader pattern of North Korean state-sponsored hacking campaigns targeting the cryptocurrency industry to generate revenue for the sanctioned nation.
Security experts advise crypto developers to be extremely cautious when applying for jobs online. They should verify the legitimacy of companies before engaging in interviews or downloading any software.
The FBI continues to investigate these operations as part of ongoing efforts to combat North Korean cyber threats targeting the financial sector.