{"id":127943,"date":"2025-04-25T07:21:21","date_gmt":"2025-04-25T07:21:21","guid":{"rendered":"http:\/\/cryptospotters.net\/?p=127943"},"modified":"2025-04-25T07:21:21","modified_gmt":"2025-04-25T07:21:21","slug":"north-korean-hackers-set-up-3-shell-companies-to-scam-crypto-devs","status":"publish","type":"post","link":"http:\/\/cryptospotters.net\/?p=127943","title":{"rendered":"North Korean hackers set up 3 shell companies to scam crypto devs"},"content":{"rendered":"<p>Source: Cointelegraph.com News<br \/>\nA subgroup of the North Korea-linked hacker organization Lazarus set up three shell companies, two in the United States, to deliver malware to unsuspecting users.<br \/>\nThe three sham crypto consulting firms \u2014 BlockNovas, Angeloper Agency and SoftGlide \u2014 are being used by the North Korean hacker group Contagious Interview to distribute malware through fake job interviews, Silent Push threat analysts said in an April 24 report.<br \/>\nSilent Push senior threat analyst Zach Edwards said in an April 24 statement on X that two of the shell companies are registered as legitimate businesses in the US.<br \/>\n\u201cThese websites and a huge network of accounts on hiring \/ recruiting websites are being used to trick people into applying for jobs,\u201d he said.<br \/>\n\u201cDuring the job application process an error message is displayed as someone tries to record an introduction video. The solution is an easy click fix copy and paste trick, which leads to malware if the unsuspecting developer completes the process.\u201d<br \/>\nDuring the sham job interview, an error message is displayed, requiring the user to click, copy, and paste to fix it, which leads to the malware infection. Source: Zach Edwards<br \/>\nThree strains of malware \u2014 BeaverTail, InvisibleFerret and OtterCookie \u2014 are being used, according to Silent Push.<br \/>\nBeaverTail is malware primarily designed for information theft and to load further stages of malware. 
OtterCookie and InvisibleFerret mainly target sensitive information, including crypto wallet keys and clipboard data.<br \/>\nSilent Push analysts said in the report that the hackers use GitHub job listings and freelancer websites, among others, to look for victims.<br \/>\nAI used to create fake employees<br \/>\nThe ruse also involves the hackers using AI-generated images to create profiles of employees for the three front crypto companies and stealing images of real people.<br \/>\n\u201cThere are numerous fake employees and stolen images from real people being used across this network. We\u2019ve documented some of the obvious fakes and stolen images, but it\u2019s very important to appreciate that the impersonation efforts from this campaign are different,\u201d Edwards said.<br \/>\n\u201cIn one of the examples, the threat actors took a real photo from a real person, and then appeared to have run it through an AI image modifier tool to create a subtly different version of that same image.\u201d<br \/>\nThis malware campaign has been ongoing since 2024. 
Edwards says there are known public victims.<br \/>\nSilent Push identified two developers targeted by the campaign; one of them reportedly had their MetaMask wallet compromised.<br \/>\nThe FBI has since shut down at least one of the companies.<br \/>\n\u201cThe Federal Bureau of Investigation (FBI) acquired the Blocknovas domain, but Softglide is still live, along with some of their other infrastructure,\u201d Edwards said.<br \/>\nSource: Zach Edwards<br \/>\nAt least three crypto founders reported in March that they foiled an attempt from alleged North Korean hackers to steal sensitive data through fake Zoom calls.<br \/>\nGroups such as the Lazarus Group are the prime suspects in some of the biggest cyber thefts in Web3, including the Bybit $1.4 billion hack and the $600 million Ronin network hack.<br \/>\n<a href=\"https:\/\/cointelegraph.com\/news\/lazarus-set-up-us-shell-companies-scam-crypto-devs?utm_source=rss_feed&amp;utm_medium=rss&amp;utm_campaign=rss_partner_inbound\" target=\"_blank\" class=\"feedzy-rss-link-icon\" rel=\"noopener\">Read More<\/a><\/p>","protected":false},"excerpt":{"rendered":"<p>Source: Cointelegraph.com News<br \/>\nA subgroup of the North Korea-linked hacker organization Lazarus set up three shell companies, two in the United States, to deliver malware to unsuspecting users. 
The three sham&hellip; <\/p>\n","protected":false},"author":0,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[5],"tags":[],"_links":{"self":[{"href":"http:\/\/cryptospotters.net\/index.php?rest_route=\/wp\/v2\/posts\/127943"}],"collection":[{"href":"http:\/\/cryptospotters.net\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/cryptospotters.net\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"http:\/\/cryptospotters.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=127943"}],"version-history":[{"count":0,"href":"http:\/\/cryptospotters.net\/index.php?rest_route=\/wp\/v2\/posts\/127943\/revisions"}],"wp:attachment":[{"href":"http:\/\/cryptospotters.net\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=127943"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/cryptospotters.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=127943"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/cryptospotters.net\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=127943"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}