# North Korean Hackers Exposed: Scamming Crypto Devs with Shell Companies

In a shocking revelation, cybersecurity experts have uncovered a complex scheme involving North Korean hackers who set up three shell companies to scam unsuspecting crypto developers. The ruse, masterminded by the Lazarus Group, involves fake job interviews, AI-generated images, and malware designed to steal sensitive information.

## A Web of Deception

According to Silent Push senior threat analyst Zach Edwards, two subgroups of the North Korean hacker organization have set up three shell companies in the United States: BlockNovas, Angeloper Agency, and SoftGlide. These seemingly legitimate crypto consulting firms are being used by the Contagious Interview group to distribute malware through fake job interviews.

## How It Works

The scam begins when potential victims search for job opportunities on hiring websites or freelance platforms like GitHub. The hackers then use AI-generated images to create profiles of employees for the three front crypto companies, complete with stolen images of real people. These fake employees and images are used across the network to impersonate legitimate developers.

## Malware and Threats

The malware campaign involves three strains: BeaverTail, InvisibleFerret, and OtterCookie. BeaverTail is primarily designed for information theft and loads further stages of malware. OtterCookie and InvisibleFerret mainly target sensitive information, including crypto wallet keys and clipboard data.

## The FBI Takes Action

In a significant development, the FBI has shut down at least one of the shell companies: BlockNovas. However, SoftGlide remains live, along with some of their other infrastructure. Edwards noted that there are known public victims, including two developers who have been targeted by the campaign.

## A Pattern of Deception

This malware campaign has been ongoing since 2024 and is part of a larger pattern of deception. Groups like the Lazarus Group have been linked to some of the biggest cyber thefts in Web3, including the $1.4 billion Bybit hack and the $600 million Ronin network hack.

## A Cautionary Tale

As Edwards warned, "There are numerous fake employees and stolen images from real people being used across this network." This highlights the importance of staying vigilant and verifying the authenticity of job opportunities and professional profiles online.

Stay safe online, and stay informed!