North Korean Hackers Use Fake U.S. Companies to Spread Malware in Crypto Industry: Report

North Korean hackers reportedly established seemingly legitimate companies on U.S. soil to infiltrate the crypto sector, targeting unsuspecting developers through fake job offers.

With legal registrations, corporate fronts, and social engineering, the attackers concealed their true identities behind American business facades to deliver malware until the FBI stepped in, according to security firm Silent Push, as quoted by the Japanese Times.

Corporate Fronts, Empty Lots, Real Threats

According to security firm Silent Push, two companies, Blocknovas and Softglide, were registered in New Mexico and New York using fabricated addresses and identities. These shell firms served as lures for crypto developers seeking job opportunities.

Blocknovas, the more active of the two, listed a South Carolina address that turned out to be an empty lot. Softglide’s paperwork linked back to a Buffalo-based tax office.

The fake firms formed part of an advanced campaign by a subgroup of the Lazarus Group, a state-sponsored cyber unit linked to North Korea’s Reconnaissance General Bureau.

The hackers used fake job postings and LinkedIn-style profiles to engage developers in interviews. During these interactions, the victims were prompted to download files disguised as application materials or onboarding documents.

The malware could steal data, provide backdoor access to systems, and lay the groundwork for follow-up attacks using spyware or ransomware. Silent Push confirmed that at least three known North Korean malware types were used in the campaign.

FBI Moves In

Federal agents seized the Blocknovas domain, citing its use in distributing malware. A notice now posted on the site confirms that the action was part of broader law enforcement efforts against North Korean cyber actors.

The FBI did not comment directly on the companies involved but emphasized its ongoing focus on exposing and punishing DPRK-backed cybercrime.

The scheme violates both U.S. and United Nations sanctions. North Korea is barred from engaging in commercial activities designed to aid its government or military. OFAC, the Treasury’s enforcement body, prohibits North Korean-linked entities from operating within the United States.

This campaign is part of a broader strategy by North Korea to exploit the crypto ecosystem. The country’s cyber units have stolen billions in digital assets and dispatched thousands of IT professionals overseas to generate funds, efforts widely believed to support Pyongyang’s nuclear weapons program.