Crypto Developers Tricked by Shell Companies Tied to North Korean Hackers


According to an April 24 report by Silent Push, North Korean hackers linked to the Lazarus group have been tricking crypto developers into downloading damaging malware.

The cybercriminals posed as three shell companies to lure victims with fraudulent job listings before infecting their devices with data-stealing malware.

How Fake Job Interviews Trap Developers in Malware Attacks

Using legal corporate fronts, the hackers sidestepped scrutiny and violated U.S. Treasury Office of Foreign Assets Control and United Nations sanctions. The fictitious firms used were Blocknovas LLC, Softglide LLC, and Angeloper Agency.

Silent Push added that the campaign has been active since 2024, confirming multiple victims, including a developer whose MetaMask wallet was compromised.

The operation follows a familiar but dangerous pattern.

First, they post fake job listings on GitHub and freelance platforms under names like Blocknovas LLC and Softglide LLC.

They use AI-generated headshots and subtly alter stolen images to lend credibility to fake profiles.

When applicants respond to the job ad, the attackers ask them for an introduction video.

During this process, the attackers trigger a fake “error” message instructing victims to copy and paste a supposed “fix.”

This action installs malware such as BeaverTail, which steals data and delivers additional payloads. In other instances, it installs InvisibleFerret and OtterCookie, which harvest crypto-wallet keys and clipboard data.

The Federal Bureau of Investigation (FBI) has seized the Blocknovas domain to disrupt the scheme, but Softglide and other infrastructure remain online.

Crypto job scams keep evolving. Last year, a fake Web3 company called ChainSeeker.io tricked job applicants into downloading malware embedded in its proprietary “GrassCall” app, which drained their crypto wallets.

Job scammers have also impersonated reputable crypto firms such as Gemini and Kraken, offering $250K salaries before demanding “training fees” in crypto.

Recent Exploits by North Korea’s State-Backed Lazarus Group

Silent Push analysts attribute the recent campaign to “Contagious Interview,” a subgroup of Lazarus under North Korea’s Reconnaissance General Bureau.

“Contagious Interview” is part of a broader effort by the North Korea-backed Lazarus group to fund its nuclear and military agendas. The group has a history of high-profile attacks in the crypto sector, including the most recent theft of $1.4 billion from Bybit in 2025.

The FBI labels North Korean cyber operations among the most advanced persistent threats facing the U.S. and relentlessly pursues anyone who aids them.

In March, at least three crypto founders blocked North Korean hackers who lured them into fake Zoom calls and tricked them into installing malware disguised as audio patches.

White hat hacker Nick Bax explained how attackers stage audio failures, redirect targets to bogus meeting links, and push malicious “fixes.”

Targets included leaders from Stably, Mon Protocol, and Etherisc. One victim installed the malware but avoided entering credentials.

Similarly, OKX suspended its DEX aggregator after consulting with regulators to tighten security and correct incomplete blockchain tagging.

The move addressed media criticism amid failed Lazarus attempts to exploit its DeFi services, as well as allegations that $100 million of stolen Bybit funds passed through its Web3 platform.

About Jimmy Aki

Based in the UK, Jimmy is an economic researcher with outstanding hands-on and heads-on experience in macroeconomic finance analysis, forecasting and planning. He has honed his skills having worked cross-continentally as a finance analyst, which gives him inter-cultural experience. He currently has a strong passion for regulation and macroeconomic trends, as it allows him to peek under the global bonnet to see how the world works.