- North Korean hackers have established U.S.-based shell companies to infiltrate the cryptocurrency industry.
- These entities have been used to distribute malware through fake job postings, compromising developers’ systems.
- The operations are linked to the Lazarus Group, aiming to fund North Korea’s sanctioned programs.
In a sophisticated cyber-espionage campaign, North Korean operatives have created fictitious companies within the United States to target cryptocurrency developers. By posing as legitimate firms, they have lured unsuspecting professionals with fraudulent job offers, subsequently deploying malware to access sensitive information. This strategy, attributed to the Lazarus Group, underscores the evolving tactics employed to circumvent international sanctions and fund prohibited activities.
Blocknovas and Softglide Identified as Fakes
Cybersecurity researchers have uncovered that North Korean hackers established two shell companies, Blocknovas LLC in New Mexico and Softglide LLC in New York, using fabricated identities and addresses. These entities served as fronts to distribute malware to cryptocurrency developers under the guise of employment opportunities. A third associated entity, Angeloper Agency, remains unregistered in the U.S.
Kasey Best, Director of Threat Intelligence at cybersecurity firm Silent Push, remarked, “This is a rare example of North Korean hackers actually managing to set up legal corporate entities in the U.S. in order to create corporate fronts used to attack unsuspecting job applicants.”
The attackers employed known malware strains to infiltrate systems, aiming to steal credentials and compromise cryptocurrency wallets. The FBI has since seized the Blocknovas domain, highlighting the severity of the threat. An FBI official emphasized that North Korean cyber operations are “perhaps one of the most advanced persistent threats” facing the United … .
Vulnerabilities in Corporate System Exposed
The establishment of these shell companies within the U.S. not only violates Treasury and UN sanctions but also exposes vulnerabilities in corporate registration processes. It underscores the need for enhanced verification measures and international cooperation to detect and prevent such deceptive practices. The cryptocurrency industry, in particular, must remain vigilant against sophisticated social engineering tactics aimed at compromising its infrastructure.
This operation is part of a broader pattern wherein North Korea leverages cyber activities to generate revenue, often circumventing international sanctions. The Lazarus Group, a state-sponsored hacking collective, has been implicated in numerous high-profile cyberattacks, including the theft of over $1.5 billion from the Bybit cryptocurrency exchange in February 2025.