North Korean Hackers Used Fake U.S. Crypto Firms in Malware Scam

A North Korea-linked hacking group, part of the notorious Lazarus Group, has launched a new cyber campaign targeting cryptocurrency developers through fake consulting firms.

Cybersecurity firm Silent Push revealed that the hackers created three front companies—BlockNovas, Angeloper Agency, and SoftGlide—with two officially registered in the U.S.

Our team at Silent Push has been hard at work on the largest report we’ve ever made public – and along with Reuters – today we’re explaining how North Korean threat actors associated with the “Contagious Interview” subgroup created 3 front companies…🧵

— Zach Edwards (@thezedwards) April 24, 2025

The group, dubbed Contagious Interview, uses fake job postings to lure developers into malware traps disguised as interview processes.

Victims are asked to submit an introduction video, triggering a fake error that instructs them to run a command, unknowingly installing malware.

Tools like BeaverTail, InvisibleFerret, and OtterCookie are used to steal sensitive data, including crypto wallet credentials.

The hackers employ AI-generated images and stolen photos to create fake employee profiles, adding legitimacy to their scheme.

Platforms like GitHub and freelance job boards are being exploited to find new victims.

Silent Push confirmed at least two developers were targeted, one of whom had their MetaMask wallet compromised.

The FBI has seized BlockNovas’ domain, but other parts of the network remain active.

This is the latest in a series of crypto attacks linked to North Korea, including the $600 million Ronin bridge hack and a $1.4 billion breach at Bybit.

About The Author