North Korea Develops Novel, More Sophisticated Methods to Target Crypto Industry

The malicious entity behind these attacks is the infamous Lazarus Group, as well as its subgroup ‘Contagious Interview.’
Sead Fadilpašić

North Korean hackers have been developing fresh and increasingly sophisticated methods to steal crypto funds: Zoom meetings, hiding malware in GitHub repositories and NPM packages, and establishing legal entities in the USA, to name just a few.

Registering an actual company is the rarest method among these, and it’s the most difficult one. Yet, researchers have found several instances of threat actors creating businesses in the US to attract crypto developers and spread data-stealing code.

More specifically, according to researchers at the security firm Silent Push, the threat actors registered the companies Blocknovas LLC and Softglide LLC in New Mexico and New York using fake identities and addresses. The report shares a list of the fake identities connected to the campaign.

Source: Silent Push

The researchers have discovered another business, Angeloper Agency, which has connections to this scheme. However, this one doesn’t seem to be registered in the US. Of the three, Blocknovas is the most active front company, the report says.

Notably, Kasey Best, director of threat intelligence at Silent Push, was quoted by Reuters as saying that, “this is a rare example of North Korean hackers actually managing to set up legal corporate entities in the US in order to create corporate fronts used to attack unsuspecting job applicants.”

Furthermore, this attack is similar to – and may be linked with – the attempted data theft recently reported by a number of crypto industry insiders.

Nick Bax of the Security Alliance shared last month that a threat group is working to steal data and funds through fake business calls on Zoom.

The attackers’ goal is ‘simple’: attract crypto developers and infect their devices with malicious software via a link sent during the interview. They may pretend to be experiencing technical issues, for example, and ask the target to click on a link.

Bax said the threat group stole “$10s of millions of dollars” using this tactic, and others continue to copy it.

Contagious Interviews and Malicious JavaScript

Silent Push says that what it found is a new campaign. The entity behind it is the North Korean APT (advanced persistent threat) group ‘Contagious Interview.’ This is a subgroup of the notorious state-sponsored Lazarus Group.

Best told Reuters that the job interviews “lead to sophisticated malware deployments in order to compromise the cryptocurrency wallets of developers.” Also, they target the developers’ passwords and credentials, possibly to use them in “further attacks on legitimate businesses.”

Per the report, Silent Push confirmed “multiple victims” of the latest interview campaign.

Source: blocknovas.com

However, the FBI has seized Blocknovas’ domain “as part of a law enforcement action against North Korean Cyber Actors who utilized this domain to deceive individuals with fake job postings and distribute malware.”

The other two websites are still operational at the time of writing.

But this is not all. Another highly sophisticated line of attack is inserting malicious JavaScript into GitHub repositories and NPM packages.

Source: SecurityScorecard

Lazarus began this campaign in August 2024, stealing funds and data through supply chain attacks. Furthermore, this attack vector is evolving.

Notably, the malware, called Marstech1, targets popular crypto wallets. Various reports have named MetaMask, Exodus, and Atomic.

Cybersecurity company SecurityScorecard found 233 victims who installed the Marstech1 implant between September 2024 and January 2025.
