North Korean Hackers Deployed Fake US Companies in Crypto Malware Scheme

A new report describes a North Korean cyber operation that involved creating fake companies within the United States. The strategy was to gain access to the cryptocurrency market by using fake employment opportunities to lure developers into installing malware. The perpetrators secured legally registered corporate shells and used sophisticated social engineering, allowing them to hide their true identities behind American businesses. According to Silent Push, the operators worked undetected until the FBI stepped in. The Japanese Times credits Silent Push with these details, which bring new findings about an evolving threat.

Corporate Fronts and Deceptive Lures

As reported by Silent Push, the operation involved the formation of two companies, Blocknovas and Softglide, both legally registered as businesses in the U.S. states of New Mexico and New York. The registrations used addresses and names that were completely fictitious, tailored specifically to bypass existing Treasury sanctions and evade the restrictions in force.

In fact, these entities in no way acted as bona fide businesses; they served as elaborate decoys meant to ensnare unsuspecting cryptocurrency developers. Blocknovas, the more active of the two firms, was at the centre of the scheme. It filed an address purportedly in South Carolina, which turned out to be an empty plot of land. Paperwork concerning Softglide was allegedly traced back to a tax office in Buffalo, further showing that the claimed locations and operations of both companies were completely fictitious.

The Modus Operandi: Real Threats

The operators fabricated these company documents to support impersonation in a sophisticated cyber scheme believed to be run by a faction of the infamous Lazarus Group, a well-known state-sponsored cyber division operated by North Korea’s Reconnaissance General Bureau, the country’s primary intelligence agency. The fraudsters used these documents to create fake profiles on job search sites and post fake job openings to lure their intended victims, including cryptocurrency developers on LinkedIn. During mock interviews, candidates were pressured into downloading multiple files, unaware of what they contained.

These files were disguised as standard application submissions or onboarding documents, but they carried sophisticated embedded malware. Once installed, the malware could steal confidential information, create backdoor access to the users’ systems, and prepare the ground for more severe future attacks involving spyware, ransomware, or other forms of cyber espionage. According to Silent Push, at least three different strains of North Korean malware were used in this operation, which suggests a well-funded, well-prepared, and advanced adversary.

FBI Takes Action

In response to this activity, federal law enforcement took action. Federal agents seized the internet domain attributed to Blocknovas, citing its established role in distributing malware as part of hacking campaigns. A notice now displayed on the Blocknovas webpage confirms the FBI’s action and describes it as part of a larger, ongoing law enforcement campaign aimed openly at North Korean cyber actors.

Although the FBI has not commented explicitly on the specific companies in this case, the agency has publicly underlined its unyielding focus on revealing and prosecuting the cybercrime operations of the Democratic People’s Republic of Korea (DPRK). This highlights the emphasis placed on countering state-sponsored malicious cyber activity against U.S. interests and U.S. nationals.

Sanctions Violations and Strategic Motivation

Infiltrating the United States to establish fake companies for the purpose of perpetrating cyberattacks is unlawful under United States law and in breach of current UN sanctions. The North Korean government is prohibited from engaging in commercial activities intended to provide financial or material resources to its regime or military. The Office of Foreign Assets Control (OFAC) also freezes North Korean-linked entities within the South Korean jurisdiction.

The malware campaign aimed at the crypto industry is only a fraction of the broader malware-based operations North Korea runs against the crypto economy. Many sources have reported that North Korean cyber units have attempted to steal digital assets estimated at several billion dollars. To this day, the regime employs thousands of IT specialists overseas for the sole purpose of remitting foreign currency through illegal means. Many countries believe that such cyber operations, which defraud funds and revenues from internationally accepted financial transactions, fund the so-called ‘government’ of North Korea, especially its illegal weapons activities and, in particular, the advancement of its nuclear weapons programme.

The observed use of apparently legitimate U.S.-based businesses marks a significant and troubling evolution in the attackers’ operational strategy, enabling them to operate close to their objectives and increasing the likelihood of avoiding detection for extended periods.

IMPORTANT NOTICE

This article is sponsored content. Kryptonary does not verify or endorse the claims, statistics, or information provided. Cryptocurrency investments are speculative and highly risky; you should be prepared to lose all invested capital. Kryptonary does not perform due diligence on featured projects and disclaims all liability for any investment decisions made based on this content. Readers are strongly advised to conduct their own independent research and understand the inherent risks of cryptocurrency investments.
