Key Takeaways
What started with ATM skimming and ransomware has morphed into something more insidious.
North Korean hackers aren’t just breaking into systems anymore — they’re building front companies on U.S. soil.
In a new campaign, hackers linked to North Korea’s Lazarus Group have quietly set up shell companies in the U.S. to run targeted malware attacks against crypto developers.
The end goal: steal private wallet keys, exfiltrate sensitive data, and keep funding the regime, all while skirting international sanctions.
According to cybersecurity firm Silent Push and documents reviewed by Reuters, at least two of these companies, Blocknovas LLC (New Mexico) and Softglide LLC (New York), were set up using fake identities and bogus U.S. addresses.
A third name, Angeloper Agency, was also linked to the campaign but doesn’t appear to be officially registered.
The researchers believe these entities are tied to a Lazarus Group sub-unit operating under North Korea’s intelligence agency, the Reconnaissance General Bureau (RGB).
The FBI has since seized Blocknovas’s website, alleging it was used to distribute malware via fake job listings aimed at targeting developers in the crypto industry.
The Bureau did not immediately respond to a request for comment.
However, in a separate announcement, the FBI reaffirmed its focus on disrupting DPRK-linked cybercrime.
Silent Push says the scheme centered on fake job postings designed to lure in unsuspecting developers.
Once engaged, victims were sent files infected with malware that could access private keys, scan files, and install backdoors.
Blocknovas was the most active of the three fronts. It listed a South Carolina address, which turned out to be an empty lot.
Softglide used a tax prep office in Buffalo, New York. Neither of the businesses raised red flags with local registration offices.
These operations violate U.S. Treasury Department sanctions enforced by the Office of Foreign Assets Control (OFAC) and United Nations sanctions barring North Korean commercial ventures supporting its military or government.
North Korean hackers previously used the same malware strains in earlier cyber campaigns.
Silent Push said the tools could exfiltrate data, provide backdoor access, and deploy additional malicious code.
Crypto Ark experts said, “The use of shell companies and fake identities highlights the necessity for robust KYC practices. We must remain vigilant and prioritize cybersecurity to protect our ecosystem from malicious intent.“
This isn’t a new playbook — it’s just more evolved. North Korea’s Lazarus Group has been behind some of the biggest financial cyberattacks in the past decade. Here’s a quick look at some of their greatest hits:
With crypto markets still recovering from past exploits, the Lazarus Group’s evolving strategy is a warning: in Web3, the attack surface is bigger than ever — and some of it may be hiding behind a Delaware LLC.