North Korean Hackers Create Shell Companies to Target Crypto Developers

The notorious group has been involved in several heists, using sophisticated malware to steal funds for North Korea’s nuclear ambitions since 2007.
Ephraim Emmanuel
Last updated: 25 April 2025 @ 10:53 UTC

North Korea’s Lazarus Group has reportedly set up two fake U.S. companies, Blocknovas LLC and Softglide LLC, to trick crypto developers into downloading malware. Posing as recruiters, the hackers used fake identities to launch attacks, which exposed loopholes in the crypto industry. The Lazarus Group is a state-sponsored hacking unit notorious for high-profile attacks that have targeted banks and crypto exchanges.

How They Operate

According to Reuters, North Korean hackers from the Lazarus Group registered Blocknovas LLC in New Mexico and Softglide LLC in New York using fabricated identities and addresses. Blocknovas listed an empty lot in South Carolina as its address, while Softglide was tied to a small tax office in Buffalo, New York. A third entity, Angeloper Agency, was linked to the malware attacks but is not registered in the U.S. 

The hackers posed as recruiters, offering fake job interviews to crypto developers. The interviews were a trap to deliver malware, which stole developers’ crypto wallets, passwords, and credentials. Cybersecurity firm Silent Push called this a rare case of North Korean hackers legally setting up U.S. companies to carry out cyberattacks, confirming multiple victims, with Blocknovas being the most active. 

The FBI seized Blocknovas’ domain, noting it was used to deceive people with fake job postings. These actions violate U.S. Treasury sanctions and U.N. measures aimed at stopping North Korea from funding its weapons programs through cybercrime.

Crypto Industry Faces Growing Threats

The attack highlights the crypto industry’s vulnerability to advanced cyber threats. North Korean hackers have stolen billions from crypto platforms, including $1.4 billion from Bybit in 2025, to fund their regime. The use of fake U.S. companies shows how hackers exploit trust in legitimate systems, making it harder for developers to spot scams. 

Silent Push warns that such tactics could lead to more breaches, urging crypto firms to strengthen security. The FBI’s actions show a commitment to fighting these threats, but the crypto community must stay vigilant. Increased regulatory scrutiny and better cybersecurity measures remain critical to protect assets and maintain trust in the growing digital currency market.
