Meet the Top 101 in Crypto
News
4 min read

Lazarus Group Slips Through US Business Systems With Fake LLCs To Spread Malware

Published 25 April 2025
Giuseppe Ciccomascolo
Authors

Key Takeaways

  • North Korean hackers set up fake U.S. companies to target crypto developers.
  • They used fake job offers to trick victims into downloading malware.
  • The Lazarus Group has stolen over $3 billion in digital assets to date.

What started with ATM skimming and ransomware has morphed into something more insidious.

North Korean hackers aren’t just breaking into systems anymore — they’re building front companies on U.S. soil.

In a new campaign, hackers linked to North Korea’s Lazarus Group have quietly set up shell companies in the U.S. to run targeted malware attacks against crypto developers.

The end goal: steal private wallet keys, exfiltrate sensitive data, and keep funding the regime, all while skirting international sanctions.

Fake Startups, Real Attacks

According to cybersecurity firm Silent Push and documents reviewed by Reuters, at least two of these companies, Blocknovas LLC (New Mexico) and Softglide LLC (New York), were set up using fake identities and bogus U.S. addresses.

A third name, Angeloper Agency, was also linked to the campaign but doesn’t appear to be officially registered.

The researchers believe these entities are tied to a Lazarus Group sub-unit operating under North Korea’s intelligence agency, the Reconnaissance General Bureau (RGB).

The FBI has since seized Blocknovas’s website, alleging it was used to distribute malware via fake job listings aimed at targeting developers in the crypto industry.

The Bureau did not immediately respond to a request for comment.

However, in a separate announcement, the FBI reaffirmed its focus on disrupting DPRK-linked cybercrime.

The Bait: Job Offers That Come With Malware

Silent Push says the scheme centered on fake job postings designed to lure in unsuspecting developers.

Once engaged, victims were sent files infected with malware that could access private keys, scan files, and install backdoors.

Blocknovas was the most active of the three fronts. It listed a South Carolina address, which turned out to be an empty lot.

Softglide used a tax prep office in Buffalo, New York. Neither of the businesses raised red flags with local registration offices.

These operations violate U.S. Treasury Department sanctions enforced by the Office of Foreign Assets Control (OFAC) and United Nations sanctions barring North Korean commercial ventures supporting its military or government.

North Korean hackers previously used the same malware strains in earlier cyber campaigns.

Silent Push said the tools could exfiltrate data, provide backdoor access, and deploy additional malicious code.

Crypto Ark experts said, “The use of shell companies and fake identities highlights the necessity for robust KYC practices. We must remain vigilant and prioritize cybersecurity to protect our ecosystem from malicious intent.

The Lazarus Group’s Track Record

This isn’t a new playbook — it’s just more evolved. North Korea’s Lazarus Group has been behind some of the biggest financial cyberattacks in the past decade. Here’s a quick look at some of their greatest hits:

  • 2016 – Bangladesh Bank Heist: $81M stolen via SWIFT
  • 2020 – KuCoin Hack: ~$275M in crypto drained from hot wallets
  • 2022 – Ronin Bridge Hack: ~$625M from Axie Infinity
  • 2023 – Atomic Wallet Breach: ~$100M lost
  • 2024 – Stake.com & CoinEx Hacks: Combined ~$124M
  • 2024 – Bybit: $1.4B stolen.
  • 2025 – Blocknovas/Softglide: Malware attacks, less about instant profit, more about long-term infiltration

With crypto markets still recovering from past exploits, the Lazarus Group’s evolving strategy is a warning: in Web3, the attack surface is bigger than ever — and some of it may be hiding behind a Delaware LLC.

Giuseppe Ciccomascolo

Giuseppe Ciccomascolo began his career as an investigative journalist in Italy, where he contributed to both local and national newspapers, focusing on various financial sectors.

Upon relocating to London, he worked as an analyst for Fitch's CapitalStructure and later as a Senior Reporter for Alliance News. In 2017, Giuseppe transitioned to covering cryptocurrency-related news, producing documentaries and articles on Bitcoin and other emerging digital currencies. He also played a pivotal role in establishing the academy for a cryptocurrency exchange website. Crypto remained his primary area of interest throughout his tenure as a writer for ThirdFloor.

Related

Survey Icon
Help us improve
1 of 4
Is this your first time here?
What brought you here today?
What are you most interested in?
Would you be interested in:
Thank you icon
Thank you for your feedback!
DMCA.com Protection Status