North Korean hackers linked to the Lazarus group registered fake companies in the US to spread malware among cryptocurrency project developers.

The attackers created at least two companies with official American registration and used them as cover for attacks, sending job offers to developers and staging fake interviews. Fake employee profiles were generated using AI, and blogs and social media pages were created for them.

Currently, each of the domains used by these companies carries an official closure notice from the FBI with a warning about the actions of North Korean hackers.

The campaign is attributed to the Contagious Interview division, which is part of the Lazarus hacker group. The goal was to gain access to cryptocurrency wallets and developer credentials, followed by an attack on the companies' infrastructure.

It was the tactic of fake job offers that led to the hacking of the Ronin bridge in 2021, when $625 million in ETH and USDC was withdrawn from the Axie Infinity game. According to the UN and Chainalysis, groups linked to North Korea have stolen over $3 billion in cryptocurrencies since 2017.