- Hackers posed as tech recruiters in fake job interviews.
- Malware programs were used to steal cryptocurrencies and credentials.
- Front companies listed addresses in South Carolina and Buffalo.
A covert North Korean cyberwarfare campaign has taken a new turn, with U.S. federal investigators revealing an elaborate cryptocurrency-related malware operation run through shell companies that posed as legitimate tech recruiters.
According to a report published by Reuters, North Korea-aligned hackers created sham businesses to distribute malicious software targeting crypto developers.
The goal was to steal digital assets and sensitive credentials while evading sanctions and oversight.
The FBI, working with cybersecurity firm Silent Push, disrupted a key element of the operation by seizing the web domain of one of the entities, Blocknovas LLC.
The action represents an increasing crackdown on state-sponsored cyberthreats that exploit the cryptocurrency space.
Three shell companies identified in the North Korea-linked scam
At the center of the operation were three companies—Blocknovas LLC, Softglide LLC and Angeloper Agency—established using falsified U.S. addresses.
Blocknovas and Softglide were officially registered in New Mexico and New York, respectively, while Angeloper appeared to operate without proper registration.
Public records reviewed by Reuters showed Blocknovas listed an empty lot in South Carolina as its address, and Softglide’s paperwork pointed to a small tax consultancy in Buffalo.
The FBI confirmed it seized Blocknovas’ domain.
Silent Push identified Blocknovas as the most active of the three entities, linking it to multiple compromised victims in the crypto sector.
Investigators say these companies were likely operated by cyber agents associated with the Lazarus Group, a unit under North Korea’s Reconnaissance General Bureau.
That agency oversees many of the regime’s foreign intelligence and hacking operations.
Malware delivered through fake job interviews
The technique was both deceptive and effective. According to the FBI and Silent Push, North Korean hackers impersonated recruiters and conducted fake interviews with unwitting crypto developers.
Enticed by attractive job offers, those developers were ultimately tricked into downloading malicious software.
Once installed, the malware gave attackers access to crypto wallets and development environments, enabling unauthorized transactions and the theft of sensitive credentials.
The campaign appears designed not only to steal funds, but also to enable deeper intrusions into platforms that build or manage digital assets.
These tactics represent an evolution from earlier North Korea-linked operations, which primarily targeted exchanges and DeFi protocols through malware distribution and phishing.
Crypto crime as a key revenue stream for weapons programs
This malware campaign underscores North Korea’s growing reliance on cybercrime to fund its international ambitions.
UN reports and independent investigations have shown the regime increasingly turns to cryptocurrency theft to finance its nuclear and ballistic missile programs.
In 2022, the regime was tied to the notorious Axie Infinity hack that resulted in losses exceeding $600 million.
More recently, investigators revealed that thousands of IT professionals have been sent abroad to work covertly for firms in exchange for crypto payments, which are then funneled back to North Korea’s coffers.
These efforts directly violate sanctions imposed by the U.S. Treasury’s Office of Foreign Assets Control (OFAC) and multiple United Nations resolutions aimed at restricting North Korea’s access to international financing channels.
As investigations continue, cybersecurity experts warn additional shell companies may be operating and urge developers and crypto firms to strengthen due diligence when approached with unsolicited job offers.