North Korean hackers set up 3 shell companies to scam crypto devs

A subgroup of the North Korea-linked hacker organization Lazarus set up three shell companies, two in the US, to deliver malware to unsuspecting users.
The three sham crypto consulting firms — BlockNovas, Angeloper Agency and SoftGlide — are being used by the North Korean hacker group Contagious Interview to distribute malware through fake job interviews, Silent Push Threat Analysts said in an April 24 report.
Silent Push senior threat analyst Zach Edwards said in an April 24 statement to X that two shell companies are registered as legitimate businesses in the United States.
“These websites and a huge network of accounts on hiring / recruiting websites are being used to trick people into applying for jobs,” he said.
“During the job application process an error message is displayed as someone tries to record an introduction video. The solution is an easy click fix copy and paste trick, which leads to malware if the unsuspecting developer completes the process.”
Three strains of malware — BeaverTail, InvisibleFerret and OtterCookie — are being used, according to Silent Push.
BeaverTail is malware primarily designed for information theft and to load further stages of malware. OtterCookie and InvisibleFerret mainly target sensitive information, including crypto wallet keys and clipboard data.
Silent Push analysts said in the report that the hackers use GitHub, job listings and freelancer websites to look for victims.
AI used to create fake employees
The ruse also involves the hackers using AI-generated images to create profiles of employees for the three front crypto companies and stealing images of real people.
“There are numerous fake employees and stolen images from real people being used across this network. We’ve documented some of the obvious fakes and stolen images, but it’s very important to appreciate that the impersonation efforts from this campaign are different,” Edwards said.
“In one of the examples, the threat actors took a real photo from a real person, and then appeared to have run it through an AI image modifier tool to create a subtly different version of that same image.”
This malware campaign has been ongoing since 2024. Edwards says there are known public victims.
Silent Push identified two developers targeted by the campaign; one of them reportedly had their MetaMask wallet compromised.
The FBI has since shut down at least one of the companies.
“The Federal Bureau of Investigation (FBI) acquired the Blocknovas domain, but Softglide is still live, along with some of their other infrastructure,” Edwards said.
At least three crypto founders reported in March that they foiled attempts by alleged North Korean hackers to steal sensitive data through fake Zoom calls.
Groups such as the Lazarus Group are the prime suspects in some of the biggest cyber thefts in Web3, including the Bybit $1.4 billion hack and the $600 million Ronin network hack.