Lazarus Group Crypto Hack: Fake U.S. Job Offers Target Developers

North Korea’s notorious Lazarus Group has launched a new cyber-espionage campaign targeting blockchain developers. Security researchers recently uncovered that Lazarus operatives created two fake U.S. firms — BlockNovas LLC in New Mexico and SoftGlide LLC in New York — under stolen identities. These shell companies posted bogus crypto-related job openings on LinkedIn, Upwork and other platforms to lure developers into malware-laced “technical interviews.” When applicants downloaded the so-called coding tests, they unwittingly installed hidden malware designed to steal browser data, cryptocurrency wallet keys, and login credentials from their machines.


Who is North Korea’s Lazarus Group?

The Lazarus Group is an elite state-sponsored hacker collective tied to North Korea’s military intelligence. It has been blamed for some of the largest cryptocurrency heists ever, including the $600 million Ronin Network hack and the $1.4 billion Bybit theft. Funded by illicit cybercrime, Lazarus uses sophisticated tactics to evade sanctions and funnel money back to Pyongyang’s weapons programs. In this latest scheme, the group’s Reconnaissance General Bureau operatives managed to register legal U.S. LLCs — a highly unusual move that adds a veneer of legitimacy to their attacks.

Fake U.S. Companies: BlockNovas & SoftGlide

Lazarus set up BlockNovas LLC (registered in New Mexico) and SoftGlide LLC (registered in New York) using completely fake identities and addresses. Investigators noted that BlockNovas listed a vacant lot in South Carolina as its address, and SoftGlide’s address traces to a small tax office in Buffalo. The hackers even built professional-looking websites and job profiles for these fronts. These sham companies posed as crypto consulting firms hiring blockchain developers, in blatant violation of U.S. Treasury and UN sanctions on North Korea. By appearing as legitimate employers, the scheme aimed to build trust and lower the guard of their targets.

Scam Tactics & Malware

Victims reported that the fake companies contacted them with personalized interview invites. During a video interview, an error message would prompt the candidate to “click and paste” a command to fix the issue. This seemingly harmless step actually installed malware on the developer’s computer. Researchers have identified at least three malicious software strains in this campaign:

  • BeaverTail: A Trojan designed to harvest information and load additional malware.
  • InvisibleFerret and OtterCookie: Tools focused on capturing sensitive data like crypto wallet private keys and clipboard contents.

To make the ruse more convincing, Lazarus operatives created fake employee profiles using AI-generated headshots and even stole real photos of people to populate the companies’ websites and social media. These sophisticated details make the scam fronts appear authentic at first glance, making it all the more dangerous for unsuspecting developers.

Impact on Crypto Developers

Hundreds of blockchain and web3 developers were targeted through these fake job offers. Those who engaged risked having their cryptocurrency wallets emptied and accounts compromised. In one reported incident, a developer’s MetaMask wallet was accessed and funds stolen after completing a bogus coding test. Cybersecurity firm Silent Push confirmed multiple victims associated with the BlockNovas front.

Law enforcement quickly responded to the campaign. The FBI has seized the domain for BlockNovas LLC as part of an active effort against these North Korean cyber actors, though the SoftGlide infrastructure remains live for now. U.S. officials warn that North Korea’s hacking operations are among the most advanced threats facing the nation. The scheme also represents a clear breach of international sanctions, since establishing a North Korean-controlled company on U.S. soil is expressly forbidden.

This incident highlights how closely cybercrime is tied to geopolitics. Analysts estimate that the proceeds from such crypto thefts are funneled into North Korea’s nuclear and missile programs. By targeting the crypto talent pool directly, Lazarus has raised the stakes for the entire blockchain industry.

Protecting Yourself from Developer Hacks

  • Verify Companies: Always research a company’s background before applying. Check official registration records and be wary of obscure addresses or inconsistencies.
  • Scrutinize Interview Requests: Genuine technical tests should never ask you to paste unknown code or bypass security warnings. If an interview task seems odd, double-check with the recruiter via a known channel.
  • Separate Work & Wallets: Use dedicated hardware wallets or devices for storing cryptocurrency keys. Never keep large amounts of crypto on the same computer used for everyday development.
  • Use Security Best Practices: Keep your operating system and software up-to-date, use reputable antivirus or anti-malware tools, and enable two-factor authentication on all important accounts.
  • Report Suspicious Activity: If you encounter a questionable job post or site, notify the platform (e.g. LinkedIn, Upwork) and consider reporting it to authorities. Sharing warnings in developer communities helps protect others.

In summary, the Lazarus Group’s use of fake U.S. companies is a reminder that blockchain developers can be targets just like large exchanges. As nation-state hackers become more sophisticated, the crypto industry must remain vigilant. Always verify recruitment channels, scrutinize technical tests, and safeguard your wallet keys to stay one step ahead of such threats.

Follow DecentraZone for more crypto security news and updates!
