Lazarus Group Slips Through US Business Systems With Fake LLCs To Spread Malware

Key Takeaways

  • North Korean hackers set up fake U.S. companies to target crypto developers.
  • They used fake job offers to trick victims into downloading malware.
  • The Lazarus Group has stolen over $3 billion in digital assets to date.

What started with ATM skimming and ransomware has morphed into something more insidious.

North Korean hackers aren’t just breaking into systems anymore — they’re building front companies on U.S. soil.

In a new campaign, hackers linked to North Korea’s Lazarus Group have quietly set up shell companies in the U.S. to run targeted malware attacks against crypto developers.

The end goal: steal private wallet keys, exfiltrate sensitive data, and keep funding the regime, all while skirting international sanctions.

Fake Startups, Real Attacks

According to cybersecurity firm Silent Push and documents reviewed by Reuters, at least two of these companies, Blocknovas LLC (New Mexico) and Softglide LLC (New York), were set up using fake identities and bogus U.S. addresses.

A third name, Angeloper Agency, was also linked to the campaign but doesn’t appear to be officially registered.

The researchers believe these entities are tied to a Lazarus Group sub-unit operating under North Korea’s intelligence agency, the Reconnaissance General Bureau (RGB).

The FBI has since seized Blocknovas’s website, alleging it was used to distribute malware via fake job listings aimed at developers in the crypto industry.

The Bureau did not immediately respond to a request for comment.

However, in a separate announcement, the FBI reaffirmed its focus on disrupting DPRK-linked cybercrime.

The Bait: Job Offers That Come With Malware

Silent Push says the scheme centered on fake job postings designed to lure in unsuspecting developers.

Once engaged, victims were sent files infected with malware that could access private keys, scan files, and install backdoors.

Blocknovas was the most active of the three fronts. It listed a South Carolina address, which turned out to be an empty lot.

Softglide used a tax prep office in Buffalo, New York. Neither of the businesses raised red flags with local registration offices.

These operations violate U.S. Treasury Department sanctions enforced by the Office of Foreign Assets Control (OFAC) and United Nations sanctions barring North Korean commercial ventures supporting its military or government.

North Korean hackers previously used the same malware strains in earlier cyber campaigns.

Silent Push said the tools could exfiltrate data, provide backdoor access, and deploy additional malicious code.

Crypto Ark experts said, “The use of shell companies and fake identities highlights the necessity for robust KYC practices. We must remain vigilant and prioritize cybersecurity to protect our ecosystem from malicious intent.”

The Lazarus Group’s Track Record

This isn’t a new playbook — it’s just more evolved. North Korea’s Lazarus Group has been behind some of the biggest financial cyberattacks in the past decade. Here’s a quick look at some of their greatest hits:

  • 2016 – Bangladesh Bank Heist: $81M stolen via SWIFT
  • 2020 – KuCoin Hack: ~$275M in crypto drained from hot wallets
  • 2022 – Ronin Bridge Hack: ~$625M from Axie Infinity
  • 2023 – Atomic Wallet Breach: ~$100M lost
  • 2024 – Stake.com & CoinEx Hacks: Combined ~$124M
  • 2024 – Bybit: $1.4B stolen
  • 2025 – Blocknovas/Softglide: Malware attacks, less about instant profit, more about long-term infiltration

With crypto markets still recovering from past exploits, the Lazarus Group’s evolving strategy is a warning: in Web3, the attack surface is bigger than ever — and some of it may be hiding behind a Delaware LLC.