Hackers posed as tech recruiters in fake job interviews.
Malware used to steal crypto wallets and credentials.
Front firms traced to addresses in South Carolina and Buffalo.
North Korea’s covert cyberwarfare strategy has taken a new turn, with US federal investigators uncovering an elaborate crypto-related malware campaign run by front companies posing as legitimate tech recruiters.
According to a report published by Reuters on Friday, hackers aligned with the North Korean government created fake businesses to deploy malicious software targeting crypto developers.
The objective: steal digital assets and sensitive credentials while evading sanctions and scrutiny.
The FBI, in coordination with cybersecurity firm Silent Push, dismantled a key piece of this operation by seizing the web domain of one of the implicated entities, Blocknovas LLC.
The move marks a widening crackdown on state-sponsored cyber threats exploiting the crypto space.
Three front companies identified in North Korea-linked scam
At the centre of the operation were three companies—Blocknovas LLC, Softglide LLC, and Angeloper Agency—set up using falsified addresses in the US.
Blocknovas and Softglide were officially registered in New Mexico and New York, respectively, while Angeloper appeared to operate without any proper registration.
Public records reviewed by Reuters showed Blocknovas was registered to an empty plot in South Carolina, and Softglide’s paperwork was linked to a modest tax consultancy in Buffalo.
The FBI confirmed on Thursday that it had seized Blocknovas’ domain.
Silent Push identified it as the most active of the three entities, having already compromised multiple victims in the crypto space.
These companies were reportedly operated by cyber operatives tied to the Lazarus Group, a unit under North Korea’s Reconnaissance General Bureau.
This agency oversees many of Pyongyang’s foreign intelligence and hacking operations.
Malware deployed through fake job interviews
The technique employed was both deceptive and effective. According to the FBI and Silent Push, North Korean hackers posed as recruiters offering fake job interviews to unsuspecting crypto developers.
These developers, lured by lucrative offers, were eventually tricked into downloading malware.
Once installed, the malware provided attackers with access to crypto wallets and development environments, enabling unauthorised transactions and theft of confidential credentials.
The entire campaign appears designed not only to steal funds but also to enable deeper breaches into platforms that build or manage digital assets.
Such tactics are seen as an evolution of previous cyber operations linked to North Korea, where malware distribution and phishing attempts were mainly directed at exchanges and DeFi protocols.
Crypto crimes seen as key revenue stream for weapons programme
This malware campaign underscores North Korea’s growing reliance on cybercrime to finance its international ambitions.
UN reports and independent investigations have shown that the regime is increasingly turning to cryptocurrency theft as a means to fund its nuclear and ballistic missile programmes.
In 2022, the regime was linked to the infamous Axie Infinity hack, which resulted in over $600 million in losses.
More recently, it has been revealed that thousands of IT professionals have been sent abroad to work covertly for firms in return for crypto payments, which are then funnelled back into North Korea’s coffers.
All of these efforts directly violate sanctions imposed by the US Treasury’s Office of Foreign Assets Control (OFAC) and several United Nations resolutions aimed at curbing North Korea’s access to international funding channels.
As investigations continue, cybersecurity experts warn that more such front companies may exist and that developers and crypto firms must heighten their due diligence processes when approached with unsolicited job offers.
