TLDR
- North Korean hackers created legitimate US business entities (Blocknovas, Softglide, Angeloper) to target crypto developers
- The scheme uses fake job postings and interviews to trick victims into downloading malware
- Researchers identified three malware types designed to steal crypto wallet information
- AI-generated photos were used to create convincing fake employee profiles
- The FBI has seized one domain but others remain active
Security researchers have uncovered a deceptive campaign by North Korean hackers who established legitimate business entities in the United States to target cryptocurrency developers. This advanced operation, revealed by cybersecurity firm Silent Push, demonstrates a concerning evolution in tactics used by state-sponsored threat actors.
The hackers, linked to a subgroup of the notorious Lazarus Group called “Contagious Interview,” created at least three front companies: Blocknovas, Softglide, and Angeloper Agency. These entities were legally registered in New York and New Mexico using fraudulent identities and addresses.
This marks an unusual development in North Korean hacking operations. “These hackers actually managed to set up legal corporate entities in the US to create fronts used to attack unsuspecting job applicants,” explained Kasey Best from Silent Push.
The Deceptive Recruitment Process
The attackers created believable corporate websites and profiles on job platforms to advertise positions targeting cryptocurrency developers. They used both AI-generated images and modified photos of real people to create convincing fake employee profiles.
When developers applied for these positions, they entered a carefully designed trap. During the interview process, candidates encountered technical “issues” that required them to perform specific actions on their computers.
“During the job application process an error message is displayed as someone tries to record an introduction video,” explained Zach Edwards, senior threat analyst at Silent Push. “The solution is an easy click fix copy and paste trick, which leads to malware if the unsuspecting developer completes the process.”
This social engineering tactic proved effective against multiple victims. The researchers found that at least one target had their MetaMask cryptocurrency wallet compromised, potentially resulting in financial losses.
The scheme primarily focused on technical roles within the blockchain industry. The hackers looked for victims on GitHub job listings and freelancer websites, targeting those with access to valuable cryptocurrency assets or systems.
Advanced Malware Arsenal
The operation deployed three sophisticated malware strains previously linked to North Korean cyber units: BeaverTail, InvisibleFerret, and OtterCookie. Each serves a specific purpose in the attack chain.
BeaverTail functions as an initial access tool that can steal information and load additional malware. OtterCookie and InvisibleFerret focus on extracting sensitive data, with a particular emphasis on cryptocurrency wallet keys and clipboard information.
Once installed, these programs provide remote access to infected systems and can serve as entry points for additional spyware or ransomware. The comprehensive approach allows hackers to monitor victim activities and potentially steal cryptocurrency directly.
Silent Push researchers found that Blocknovas was the most active of the three front companies. Investigation revealed its listed South Carolina address was actually an empty lot, while Softglide was registered through a tax office in Buffalo, New York.
Ongoing Threat and Response
The FBI has taken action against at least one component of this operation. The bureau seized the Blocknovas domain, posting a notice stating it was taken down “as part of a law enforcement action against North Korean cyber actors who utilised this domain to deceive individuals with fake job postings and distribute malware.”
However, other elements of the infrastructure remain active. “Softglide is still live, along with some of their other infrastructure,” according to security researchers.
This campaign has been active since early 2024 and represents just one facet of North Korea’s cyber operations targeting the cryptocurrency industry. The Lazarus Group is suspected in major cryptocurrency heists, including the $1.4 billion Bybit hack and the $600 million Ronin network breach.
In March, at least three cryptocurrency founders reported foiling similar attempts by suspected North Korean hackers using fake Zoom calls to steal sensitive data. This suggests these threat actors continuously refine their methods as awareness increases.
Security experts advise cryptocurrency developers to exercise extreme caution when applying for jobs, particularly those that require downloading specialized software or performing unusual actions during the application process.