
Lazarus Launches Fake Crypto Companies to Target Developers


nft.eu

Hackers linked to the Lazarus Group have created three fake cryptocurrency companies to spread malware among developers. Two of these were officially registered in the United States, according to cybersecurity firm Silent Push.

Fraudulent Firms and Fake Job Interviews

It was reported that the shell entities BlockNovas LLC and SoftGlide LLC were registered in New Mexico and New York, respectively. The third, Angeloper Agency, was not legally incorporated. The attacks were attributed to a Lazarus Group subdivision known as Contagious Interview.

The perpetrators used websites and subdomains like blocknovas[.]com and apply-blocknovas[.]site to lure crypto professionals under the guise of job recruitment. The primary goal was to install malware, gain access to wallets and login credentials, and use them for further attacks on legitimate companies.

According to Silent Push, the attackers created fake employee profiles generated using AI and used fictitious addresses to add legitimacy to the shell companies and build trust with potential job applicants.

Rise in Attacks Through Fake Job Offers

Lazarus Group has repeatedly used this tactic. In 2021, through a fake job offer, the hackers compromised an employee of Sky Mavis, which led to the hack of the Ronin bridge and the theft of $625 million in ETH and USDC. A year later, a similar attack on Horizon Bridge resulted in the theft of $100 million.

According to the UN and Chainalysis, Lazarus has stolen over $3 billion in cryptocurrencies since 2017. A significant portion of these funds was obtained through employment-related attacks.

Focus on Europe

Amid increasing scrutiny in the U.S., Lazarus is looking for vulnerabilities in other regions. According to Google Threat Intelligence Group (GTIG), North Korean developers using fake identities have increasingly sought employment in crypto companies in Europe and the UK. As explained by GTIG representative Jamie Collier, new labor rules in the U.S. have made access more difficult, prompting attackers to build a network of fake profiles to seek jobs in other countries.

GTIG notes that this attack vector is likely to grow, as the schemes remain effective and Europe’s digital infrastructure is less protected against such threats.
