North Korean cyber spies created U.S. firms to dupe crypto developers

investing.com 24/04/2025 - 19:24 PM

North Korean Cyber Spies Set Up U.S. Businesses to Target Cryptocurrency Developers

By AJ Vicens, Anton Zverev and James Pearson

DETROIT/LONDON (Reuters) – Cybersecurity researchers revealed that North Korean cyber spies created two businesses in the U.S., violating Treasury sanctions, to infect cryptocurrency developers with malicious software.

The companies, Blocknovas LLC and Softglide LLC, were registered in New Mexico and New York using fake addresses and personas, according to researchers at Silent Push, a U.S. cybersecurity firm. A third entity, Angeloper Agency, is also linked but isn’t registered in the U.S.

Kasey Best, Silent Push’s threat intelligence director, noted, “This is a rare example of North Korean hackers setting up legal corporate entities in the U.S. to attack unsuspecting job applicants.”

These hackers belong to a subgroup within the Lazarus Group, North Korea’s elite hacking team under the Reconnaissance General Bureau, Pyongyang’s main foreign intelligence agency.

The FBI did not comment specifically on Blocknovas or Softglide. However, an FBI seizure notice indicated that the domain was taken as part of a law enforcement action against North Korean cyber actors employing fake job postings and distributing malware.

FBI officials highlighted that North Korean cyber operations are “one of the most advanced persistent threats” to the U.S.

North Korean attacks involve fake personas offering job interviews, leading to malware deployments that compromise developers’ cryptocurrency wallets and personal credentials for further attacks on legitimate businesses, Best explained.

Silent Push confirmed multiple victims of these attacks, particularly via Blocknovas, deemed the most active of the three front companies.

SANCTIONS

Reuters analyzed registration documents for Blocknovas and Softglide and found no trace of the individuals listed.

Blocknovas had a registered address in Warrenville, South Carolina, identified as an empty lot on Google Maps. Softglide appeared to have been registered by a small tax office in Buffalo, New York.

This activity highlights the continued North Korean targeting of the cryptocurrency sector to raise funds for its government.

Beyond hacking for foreign currency, North Korea has sent thousands of IT workers abroad to raise funds for its nuclear missile program, according to the U.S., South Korea, and the United Nations.

The existence of a North Korean-controlled company in the U.S. violates sanctions administered by the Treasury Department’s Office of Foreign Assets Control, and also breaches U.N. sanctions preventing North Korean activities benefitting its government or military.

The New York Department of State declined to comment on specific companies, while New Mexico officials stated that compliance with state statutes doesn’t reveal connections to North Korea.

The hackers aimed to infect job applicants with at least three strains of malware previously associated with North Korean cyber operations, which can steal information, grant network access, and load additional malware.
