North Korean Hackers Created Fake US Companies to Trap Crypto Developer

Highlights:

  • North Korean hackers used fake job offers to target cryptocurrency developers with malware.
  • Lazarus Group created fake consulting firms using AI-generated profiles for their attacks.
  • Hackers employed malware like BeaverTail and OtterCookie to steal sensitive crypto data.

North Korean hackers broke into U.S. company systems to spread malware targeting cryptocurrency developers, according to a report by cybersecurity firm Silent Push. The cyber espionage group “Contagious Interview,” a subgroup of the North Korea-linked Lazarus organization, is behind the scheme. They set up fake crypto consulting firms to lure developers and steal their crypto wallets.

The three front companies, BlockNovas, Angeloper Agency, and SoftGlide, spread malware under the pretense of holding job interviews. BlockNovas LLC was registered in New Mexico, and SoftGlide LLC was registered in New York. The third, Angeloper Agency, was also connected to the campaign, but it isn’t officially registered in the U.S.

Researchers said the hackers used fake names and addresses to set up these companies. They also used AI-generated employee profiles to make the fake companies look more real.

In a post on X, Zach Edwards, senior threat analyst at Silent Push, stated:

“In one of the examples, the threat actors took a real photo from a real person, and then appeared to have run it through an AI image modifier tool to create a subtly different version of that same image.”

Fake Job Offers Used to Hack Crypto Developers

Edwards explained that the attackers set up websites and numerous accounts on job platforms to deceive users into applying for fake positions. When an applicant tries to record an introduction video during the job application, an error message pops up. The fake companies offer a quick and easy fix for the error, asking the applicant to copy and paste something. If the developer does so, malware is installed on their computer.

Silent Push says the hackers are using three types of malware called BeaverTail, InvisibleFerret, and OtterCookie. BeaverTail is mainly used to steal information and bring in more malware. OtterCookie and InvisibleFerret focus on stealing sensitive data, like crypto wallet keys and anything copied to the clipboard.

According to the report, the hackers search for victims through GitHub, job listings, and freelancer websites, among other places. The malware campaign has been running since last year, with known victims. Silent Push found two targeted developers, one of whom lost their MetaMask wallet. The FBI shut down the BlockNovas domain, but SoftGlide and other systems are still active.

North Korea’s Cybercrime Attacks on Cryptocurrency Firms

The Lazarus Group is a North Korean-backed cybercrime organization. They often use fake job ads to spread malware. They mainly target crypto firms to steal funds and sensitive data. One of the most infamous incidents was the 2021 Axie Infinity Ronin Bridge hack.

A fake job offer compromised a Sky Mavis employee, allowing Lazarus to steal $625 million in ETH and USDC. Hackers launched another major attack in 2022. They used similar tactics in the Horizon Bridge hack. The attack led to a $100 million theft from Harmony’s systems.
