North Korean Hackers Created U.S. Companies to Spread Malware to Crypto Developers, Researchers Say
- Flexi Group
- May 2
North Korean cyber operatives established two businesses within the United States, violating Treasury Department sanctions, in an effort to spread malicious software to cryptocurrency developers, according to cybersecurity researchers and documents reviewed by Reuters. The firms, named Blocknovas LLC and Softglide LLC, were incorporated in New Mexico and New York respectively, using fabricated identities and addresses, researchers at the U.S.-based cybersecurity company Silent Push told Reuters. A third company, Angeloper Agency, is also associated with the operation but does not appear to have been formally registered in the United States.

“This is a rare example of North Korean hackers actually managing to set up legal corporate entities in the U.S. in order to create corporate fronts used to attack unsuspecting job applicants,” said Kasey Best, Silent Push’s director of threat intelligence. The hackers involved belong to a subgroup within the Lazarus Group, an elite hacking unit under the Reconnaissance General Bureau, which is North Korea’s primary foreign intelligence service, according to Silent Push.
While the FBI declined to comment specifically about Blocknovas or Softglide, a seizure notice posted on Blocknovas’ website on Thursday confirmed that the domain had been seized “as part of a law enforcement action against North Korean Cyber Actors who utilized this domain to deceive individuals with fake job postings and distribute malware.” Ahead of this seizure, FBI officials had told Reuters that the bureau remains committed to “imposing risks and consequences, not only on the DPRK actors themselves, but anybody who is facilitating their ability to conduct these schemes.” One FBI official further characterized North Korean cyber threats as “perhaps one of the most advanced persistent threats” currently confronting the United States.
North Korea’s mission to the United Nations in New York did not immediately reply to Reuters’ request for comment. The tactics used in this campaign involved fake identities offering bogus job interviews, which then led to sophisticated malware being deployed to compromise the cryptocurrency wallets of developers, Best explained. In addition, the attackers targeted passwords and other credentials that could later be used to launch attacks against legitimate businesses, she said.
Silent Push was able to confirm multiple victims impacted by the campaign, particularly through Blocknovas, which researchers described as “by far the most active of the three front companies,” according to a report shared with Reuters prior to its official release. Reuters examined the registration documents for Blocknovas and Softglide, filed in New Mexico and New York respectively. However, Reuters was unable to locate the individuals named in those documents. Blocknovas’ registration listed an address in Warrenville, South Carolina, that Google Maps shows is an empty lot. Meanwhile, Softglide appeared to have been registered by a small tax office located in Buffalo, New York.
This activity underscores the ongoing evolution of North Korean operations aimed at targeting the cryptocurrency sector, part of a broader strategy to generate funding for the regime. Beyond hacking to steal foreign currency, North Korea has also deployed thousands of IT workers abroad to funnel millions of dollars back to finance its nuclear missile program, according to the United States, South Korea, and United Nations reports.
The creation of a North Korean-controlled company under the Reconnaissance General Bureau in the United States constitutes a clear violation of Office of Foreign Assets Control (OFAC) sanctions, which fall under the Treasury Department’s jurisdiction. It also breaches United Nations sanctions, which prohibit North Korean commercial activities intended to support the country’s government or military efforts.
The New York Department of State declined to comment when asked about the companies registered in its jurisdiction. Meanwhile, the New Mexico secretary of state’s office confirmed in an email to Reuters on Thursday that the company was registered through the state’s online Domestic LLC system. “The filing was in compliance with state statute, using a registered agent, and there would be no way our office would know its connection to North Korea,” a representative from the office said.
The hackers in this campaign attempted to infect applicants for fake jobs with at least three known strains of malware that have been previously attributed to North Korean cyber activities. According to Silent Push, the malware linked to this operation is capable of stealing sensitive information, facilitating deeper network access, and loading additional forms of malware onto compromised systems.
By Flexi Team