
North Korean Hackers Target Crypto Devs with Legal Fronts


North Korean cybercriminals have been steadily refining their tactics for stealing cryptocurrency. These include using Zoom meetings to engage potential victims, concealing malware in GitHub repositories and npm packages, and, most notably, setting up legally registered front companies inside the United States.

Registering a real company is the rarest of these tactics, largely because of the effort it requires. Nevertheless, researchers have identified North Korean threat actors creating businesses stateside to attract cryptocurrency developers and then deliver data-stealing malware to them.

Research by Silent Push revealed that two companies, Blocknovas LLC and Softglide LLC, were registered in New Mexico and New York, respectively, using fabricated identities and addresses. The findings include a compilation of the fictitious identities connected to the operation.

Source: Silent Push

In addition to the aforementioned companies, the researchers identified another entity called Angeloper Agency, which appears to be linked to this scheme, although it is not registered in the US. Among these, Blocknovas has emerged as the most active front company, according to the report.

Kasey Best, director of threat intelligence at Silent Push, was quoted by Reuters, emphasizing that this represents a rare case where North Korean hackers successfully established legal corporate entities in the US to create fronts for their attacks on unwitting job seekers.

This scheme bears similarities to recently reported data theft attempts highlighted by various cryptocurrency industry insiders.

In a statement last month, Nick Bax from the Security Alliance mentioned that a specific threat group is engaged in efforts to extract sensitive data and financial assets through fraudulent business calls conducted via Zoom.

Troubled by audio issues during a Zoom call? It might not be a technical glitch; it could be North Korean hackers.

Fortunately, a vigilant founder caught on to the ruse.

The call commenced with several faux “VCs” on the line, who sent messages in the chat about audio troubles, ostensibly to lure the target into a trap.

— Nick Bax.eth (@bax1337) March 11, 2025

The primary objective of these attackers is clear: entice cryptocurrency developers and compromise their devices with malware via malicious links shared during interviews. They often feign technical difficulties to manipulate victims into clicking these harmful links.

Bax reported that the group had succeeded in stealing “tens of millions of dollars” using this approach, with other malicious actors beginning to replicate their tactics.


Contagious Interviews and Malicious JavaScript

Silent Push's investigation attributes this new wave of attacks to a sub-group known as 'Contagious Interview,' which operates under the notorious North Korean APT group Lazarus.

Best explained to Reuters that these job interviews often facilitate sophisticated malware installations designed to compromise the cryptocurrency wallets of developers, as well as target their passwords and credentials, likely for use in further assaults on legitimate organizations.

The report noted that Silent Push has already confirmed “multiple victims” related to this latest interview scheme.

Source: blocknovas.com

Law enforcement has since intervened: the FBI seized the Blocknovas domain, taking action against the North Korean cyber actors who used the site to mislead individuals with fake job listings and distribute malware.

As of now, the other two websites remain operational.

Another sophisticated tactic involves injecting malicious JavaScript into GitHub repositories and npm packages. Since August 2024, the Lazarus group has been using this approach to conduct supply chain attacks aimed at both data and funds.

This method continues to evolve, with a specific malware variant known as Marstech1 targeting popular cryptocurrency wallets. Reports indicate that MetaMask, Exodus, and Atomic are among those affected.

According to cybersecurity firm SecurityScorecard, a total of 233 victims had installed the Marstech1 implant between September 2024 and January 2025.


The post North Korea Develops Novel, More Sophisticated Methods to Target Crypto Industry appeared first on Finance Newso.
