- Lazarus hackers used fake U.S. firms to lure crypto developers.
- Malware was spread via Zoom, GitHub, and NPM.
- FBI intervened, but attacks are still ongoing.
According to a new investigation by cybersecurity firm Silent Push, the North Korean state-backed Lazarus Group and an associated advanced persistent threat (APT) subgroup known as Contagious Interview are behind increasingly sophisticated cyberattacks targeting the cryptocurrency sector.
Lazarus Group Hacks Crypto with Fake Firms
According to the report, hackers affiliated with the Lazarus Group have used a range of tricks to infiltrate the crypto ecosystem: fake Zoom job interviews, malware embedded in GitHub repositories and NPM packages and, most notably, front companies that are fake but nonetheless legally registered in the United States. Researchers have found only a handful of cases in which attackers went this far; of the lures used to entice crypto developers and take over their systems with data-stealing malware, standing up a legally registered U.S. business entity is among the hardest to pull off.
According to Silent Push's analysis, two of the companies, Blocknovas LLC (registered in New Mexico) and Softglide LLC (registered in New York), were set up using fabricated identities and addresses. The firm's report lists the false credentials used in the campaign.
A third entity associated with the campaign, Angeloper Agency, does not appear to be officially registered in the United States. Of the three, Blocknovas is reported to be the most active front company in the operation.
Kasey Best, Director of Threat Intelligence at Silent Push, told Reuters, “This is a rare instance in that the North Korean hackers actually use legitimate corporate entities in the U.S., and setting up corporate fronts in a U.S. jurisdiction to attack unsuspecting job applicants.”
This follows a previously reported scheme in which the attackers posed as legitimate employers during fake video interviews. Last month, Nick Bax of the Security Alliance revealed that one such threat group was approaching crypto developers through Zoom calls.
During these sessions the attackers feigned technical problems and instructed their victims to click on malicious links, a technique that has reportedly "stolen tens of millions of dollars." Bax said other bad actors are replicating the method.
Silent Push attributes the new campaign to the Contagious Interview subgroup. The fraudulent interviews are used to load victims' computers with highly sophisticated malware that steals developers' cryptocurrency wallets and harvests credentials, which can then be reused for secondary attacks on legitimate businesses. The firm has confirmed multiple victims in the latest campaign.
Contagious Interview Subgroup Behind New Campaign
This comes amid a broader law enforcement effort to take down North Korean cyber infrastructure: the FBI has seized the domain linked to Blocknovas LLC, which it said was used to distribute malware and fraudulent job postings to mislead individuals. Despite the seizure, the Softglide LLC and Angeloper Agency websites were still online at the time of reporting.
Adding to the concern, Lazarus Group operatives have also attempted to inject malicious JavaScript code into GitHub repositories and NPM packages.
This second campaign is believed to have started in August 2024 and is ongoing. The malware used in this vector, Marstech1, specifically targets well-known cryptocurrency wallets such as MetaMask, Exodus and Atomic.
Between September 2024 and January 2025, cybersecurity company SecurityScorecard identified 233 victims who had unknowingly installed Marstech1. The campaign remains active, with new variants and techniques continuing to appear.
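The practical defence against the NPM vector described above is to audit a package before `npm install` runs its lifecycle scripts. The script below is an added example, not code from the Silent Push or SecurityScorecard reports and not an actual Marstech1 indicator set. The wallet names come from the article; the install-hook, `eval`, child-process and large-blob checks are generic assumptions about how a wallet stealer gets a foothold at install time, and the sample package it builds is constructed and harmless.

```python
"""Heuristic audit of an unpacked npm package for supply-chain red flags.

Added example: the sample package is synthetic and the indicator list is a
generic starting point, not indicators from the reports cited in the article.
"""
import json
import os
import re
import tempfile

# Lifecycle hooks that let a package run arbitrary code at `npm install` time.
LIFECYCLE_HOOKS = {"preinstall", "install", "postinstall", "prepare"}

# Wallet names are taken from the article; the remaining rules are generic
# heuristics for loader/stealer behaviour in JavaScript (assumed, not sourced).
INDICATORS = {
    "wallet-reference": re.compile(r"metamask|exodus|atomic", re.I),
    "dynamic-eval": re.compile(r"\beval\s*\(|new\s+Function\s*\("),
    "process-spawn": re.compile(r"child_process|\.exec\s*\(|\.spawn\s*\("),
    "remote-fetch": re.compile(r"https?://\S+"),
    "base64-blob": re.compile(r"['\"][A-Za-z0-9+/=]{80,}['\"]"),
}


def audit_package_json(path):
    """Return (hook, command) pairs for scripts that run during install."""
    with open(path, encoding="utf-8") as fh:
        manifest = json.load(fh)
    scripts = manifest.get("scripts") or {}
    return [(hook, cmd) for hook, cmd in scripts.items() if hook in LIFECYCLE_HOOKS]


def audit_js_file(path):
    """Return (rule, line_number, snippet) for every indicator hit in a JS file."""
    hits = []
    with open(path, encoding="utf-8", errors="replace") as fh:
        for lineno, line in enumerate(fh, 1):
            for rule, pattern in INDICATORS.items():
                if pattern.search(line):
                    hits.append((rule, lineno, line.strip()[:80]))
    return hits


def audit_npm_package(pkg_dir):
    """Walk an unpacked package directory and collect all findings."""
    findings = []
    manifest = os.path.join(pkg_dir, "package.json")
    if os.path.exists(manifest):
        for hook, cmd in audit_package_json(manifest):
            findings.append(("package.json", "lifecycle-hook", hook, cmd))
    for root, _dirs, files in os.walk(pkg_dir):
        for name in files:
            if name.endswith((".js", ".cjs", ".mjs")):
                full = os.path.join(root, name)
                rel = os.path.relpath(full, pkg_dir)
                for rule, lineno, snippet in audit_js_file(full):
                    findings.append((rel, rule, lineno, snippet))
    return findings


def build_sample_package():
    """Write a constructed, harmless package that trips the heuristics."""
    pkg_dir = tempfile.mkdtemp(prefix="npm-audit-")
    manifest = {
        "name": "example-pkg",  # constructed name, not a real package
        "version": "1.0.0",
        "scripts": {"postinstall": "node lib/setup.js"},
    }
    with open(os.path.join(pkg_dir, "package.json"), "w", encoding="utf-8") as fh:
        json.dump(manifest, fh)
    os.makedirs(os.path.join(pkg_dir, "lib"))
    payload = "A" * 100  # stands in for an encoded second-stage blob
    with open(os.path.join(pkg_dir, "lib", "setup.js"), "w", encoding="utf-8") as fh:
        fh.write(
            "const cp = require('child_process');\n"
            f"const blob = '{payload}';\n"
            "const target = 'MetaMask';\n"
            "eval(Buffer.from(blob, 'base64').toString());\n"
        )
    return pkg_dir


if __name__ == "__main__":
    for finding in audit_npm_package(build_sample_package()):
        print(finding)
```

Run it against a real package with `npm pack <name>`, untar the result and pass the directory to `audit_npm_package`; a lifecycle hook combined with `eval`, a spawned process and a large opaque string literal in one file is the pattern worth stopping on before installing. The rules will produce false positives on legitimate build tooling, so treat hits as triage prompts rather than verdicts.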
Silent Push's research offers an ominous view of the changing threat landscape for the crypto industry, showing how North Korean cyber operatives have adopted increasingly sophisticated and deceptive tactics to penetrate defences and steal digital assets.