Silent Push researchers claim cyber spies from North Korea’s Lazarus Group, have set up U.S. shell companies under fake aliases to infect crypto developers with malware.
According to a recent Reuters report, U.S. cybersecurity company Silent Push has identified two shell companies that can be traced back to the North Korean hacker group. Researchers claimed that the two companies, Blocknovas LLC and Softglide LLC, were set up in New Mexico and New York respectively under fake personas and addresses.
Upon further inspection, Reuters found that the address listed for Blocknovas in Warrenville, South Carolina appeared as an empty lot on Google Maps. Meanwhile, Softglide’s address in Buffalo, New York was occupied by a small tax office. Moreover, the contact persons listed under the companies could not be found.
Director of threat intelligence at Silent Push, Kasey Best called it a “rare example of North Korean hackers actually managing to set up legal corporate entities in the U.S.” He explained how the Lazarus Group hackers would seek to infect users through fake job applications with at least three strains of detected malware linked to North Korean cyber operations.
The malicious cyber attacks would use fake aliases to offer job interviews for prospective crypto or web3 developers, which would enable the hackers to deploy sophisticated malware designed to compromise the cryptocurrency wallets of developers.
“They also target the developers’ passwords and credentials which could be used to further attacks on legitimate businesses,” said Best.
The hackers behind these firms are allegedly part of a subgroup within the Lazarus Group, which is part of the Reconnaissance General Bureau, Pyongyang’s main foreign intelligence agency. Lazarus Group is known for being the actors behind some of the largest crypto hacks in history, including the most recent Bybit hack which resulted in losses of up to $1.5 billion.
When asked about these shell companies and their possible ties to the North Korean hacker group, the New York Department of State declined to comment on companies registered in the state. Meanwhile, the New Mexico secretary of state’s office told Reuters in an email that it has no way of knowing about the firm’s connection to North Korea.
On April 24, the FBI posted a domain seizure notice on the Blocknovas website, starting that “as part of a law enforcement action against North Korean Cyber Actors who utilized this domain to deceive individuals with fake job postings and distribute malware.”
