North Korean Hacker Group Lazarus Expands its Cybercriminal Operations
The North Korean hacker group Lazarus continues to innovate in its cybercriminal operations. According to an investigation published by Silent Push, one of its subdivisions, known as Contagious Interview, created three front companies to distribute malware targeting developers in the crypto sector. Two of these entities, BlockNovas LLC (registered in New Mexico) and SoftGlide LLC (registered in New York), were officially registered in the United States, while a third, Angeloper Agency, operated without any legal presence in the US.
These fictitious companies served as a front for a sophisticated campaign built around fake job interviews. The objective was to attract crypto developers with enticing job offers and, in the course of the "interview", get malicious software installed on their systems.
A Formidable Social Engineering Strategy
Researchers report that the hackers used invented identities, fictional addresses, and AI-generated employee profiles to lend credibility to their companies. Domains such as blocknovas[.]com and apply-blocknovas[.]site hosted the fake job offers and were used to lure victims. Once trust was established, the malware gave the attackers access to the victims’ crypto wallets and allowed them to harvest credentials and other sensitive data.
This strategy is reminiscent of previous operations carried out by the Lazarus group. In 2021, the hacking of Axie Infinity’s Ronin Bridge cost Sky Mavis $625 million after an employee was tricked by a fake job offer. In 2022, Harmony’s Horizon Bridge suffered a similar attack resulting in a loss of $100 million.
Lazarus: A Persistent Threat to the Crypto Ecosystem
Since 2017, attacks orchestrated by Lazarus have reportedly diverted over $3 billion in cryptocurrency, according to estimates from the United Nations and Chainalysis. Campaigns based on fake job offers represent a significant portion of these cyberattacks, demonstrating the effectiveness of well-orchestrated social engineering.
Faced with these increasingly elaborate tactics, vigilance remains essential for developers and web3 companies. The appearance of a professional interview should never displace basic verifications: the identity of the person you are dealing with, the domain being used, and the origin of any files you receive. Meanwhile, the North Korean arsenal continues to grow as the line between state espionage and cybercriminal activity blurs.