North Korean hackers recently set up two shell companies in the U.S. specifically to target cryptocurrency developers. These hackers are linked to the Lazarus Group, using fake job postings to lure 'interviewees' into installing and deploying malware, in violation of U.S. sanctions and exposing vulnerabilities in the U.S. business registration system.
Luring targets into installing malware under the guise of recruitment
Cybersecurity company Silent Push found that hackers established two companies, Blocknovas LLC and Softglide LLC, using fake names, fake addresses, and fake documents. They pretended to be legitimate employers and contacted developers through platforms like LinkedIn. Once developers were hooked, they were induced to download malware disguised as recruiting software or technical assessments.

The most active of the two is Blocknovas, which has already claimed many victims. Its registered physical address in South Carolina turned out to be a virtual address. Softglide, by contrast, was registered through a tax service company based in Buffalo, which makes the people behind it harder to trace.
A third entity, Angeloper Agency, is also linked to this activity but has not yet been registered in North Korea. The malware used by these companies includes strains previously attributed to North Korean cyber units, capable of stealing data, providing remote access, and enabling further infiltration of the victim's network.
Beware of malware traps
The FBI has since seized the Blocknovas domain and posted a notice on the site stating that it was used to deceive job seekers and distribute malware.
It is reported that the Lazarus Group had previously used similar methods to launch a cyber attack campaign called 'ClickFix', targeting job seekers in the centralized finance (CeFi) and cryptocurrency sectors.
Cybersecurity company Sekoia recently disclosed that this group impersonated companies like Coinbase and Tether to lure marketing and business job seekers into attending fake interviews.

One of the largest cryptocurrency thefts by the Lazarus Group occurred in 2022 when a fake job invitation led to the hacking of Axie Infinity's Ronin Bridge, resulting in losses of up to $625 million.
Conclusion:
North Korean hackers' series of attacks on cryptocurrency developers not only violate U.S. sanctions but also expose vulnerabilities in the U.S. business registration system.
Although the hackers' actions have been somewhat curtailed with the FBI's involvement and the domain seizure, cybersecurity challenges remain serious.
How to prevent such attacks more effectively and protect developers and investors will remain a shared challenge for the global cybersecurity community.
What do you think about North Korean hackers exploiting vulnerabilities in U.S. business registration to carry out cyber attacks? Have you encountered similar phishing activities? Leave a comment in the discussion!