North Korean spies create U.S. businesses to target crypto developers

North Korean spies set up fake U.S. firms to target crypto developers, breaching U.S. sanctions, using malware-laden job offers to infiltrate the industry.

North Korean cyber operatives have reportedly established two businesses in the United States to infiltrate the cryptocurrency industry, violating U.S. Treasury sanctions.

According to Reuters, the companies, Blocknovas LLC and Softglide LLC, were registered in New Mexico and New York using fake identities and addresses, U.S. cybersecurity firm Silent Push revealed. A third entity, Angeloper Agency, was linked to the operation but does not appear to have been officially registered in the U.S.

These businesses were allegedly part of a cyber campaign orchestrated by a subgroup within the Lazarus Group, an elite hacking unit operating under North Korea’s Reconnaissance General Bureau (RGB), Pyongyang’s main foreign intelligence agency. Silent Push researchers found that the companies were used to distribute malware to cryptocurrency developers through deceptive job postings. 

While the FBI declined to comment directly on Blocknovas and Softglide, a seizure notice posted on Blocknovas’ website confirmed the agency had taken control of the domain. The notice stated that the domain was used by what they termed ‘North Korean Cyber Actors’ to mislead individuals with fraudulent job offers, ultimately distributing malware to them. 

Reuters, however, confirmed that, ahead of the seizure, the FBI told it that the bureau continues to focus on imposing risks and consequences not only on the DPRK actors themselves but also on anybody who is facilitating their ability to conduct these schemes.

An examination of the registration documents for Blocknovas and Softglide in New Mexico and New York revealed irregularities, with investigators unable to locate the individuals listed in the filings. 

Blocknovas’ registered address in Warrenville, South Carolina, was found to be an empty lot, while Softglide was registered through a small tax office in Buffalo, New York. These findings suggest that the entities were set up under false pretenses, likely to conceal their true operators.

By establishing these businesses, North Korean cyber operatives violated sanctions imposed by the U.S. Office of Foreign Assets Control (OFAC), which is part of the Treasury Department. The United Nations also prohibits North Korean commercial activity that could support the country’s government or military. 

The Lazarus Group has been linked to major cyber heists, including cryptocurrency thefts amounting to billions of dollars, funds rumored to have been used to finance North Korea’s nuclear weapons program. 

In October last year, a report revealed over a dozen crypto companies had unintentionally employed undercover North Korean IT personnel. The discovery introduced considerable cybersecurity and legal challenges.

A 2024 United Nations assessment reveals that these IT workers generate about $600 million annually for Kim Jong Un’s government.

Employing and paying these individuals, knowingly or not, contravenes U.N. sanctions and is illegal in the United States and numerous other countries. It also poses a major security risk, as North Korean hackers use covert employees to infiltrate companies.

In December, the United States and the United Arab Emirates imposed penalties on two people for aiding cryptocurrency laundering operations supporting North Korea. The U.S. Treasury’s Office of Foreign Assets Control (OFAC) identified that Huaying and Jian used Green Alpine Trading LLC to launder cryptocurrency stolen by North Korean cybercrime groups, such as the infamous Lazarus Group.

Their sophisticated operations involved disguising the movement of funds, converting them into fiat currency, and channeling the profits back to North Korea’s regime.
