Security researchers at Silent Push have uncovered a campaign where North Korean hackers, tied to the Lazarus Group, set up three fake companies; two of them based in the United States to deliver malware to cryptocurrency developers.

The firms in question are BlockNovas LLC (registered in New Mexico), SoftGlide LLC (registered in New York), and Angeloper Agency, which does not appear to be U.S.-registered.

Silent Push attributed the campaign to a Lazarus subgroup known as “Contagious Interview,” which used these shell companies as fronts for distributing malware.

Web domains associated with the operation include lianxinxiao.com, blocknovas.com, and apply-blocknovas.site.

Researchers say the goal was to bait cryptocurrency developers with fake job offers that served as a vehicle to install malware. Once compromised, the attackers could access crypto wallets and steal credentials, setting the stage for broader intrusions into legitimate businesses.

To make the fake companies seem legitimate, the hackers used false identities, fake addresses, and AI-generated employee profiles, according to Silent Push.

The Lazarus Group, a North Korean state-sponsored hacking outfit, has a long track record of using bogus job postings to target crypto firms and siphon off digital assets and confidential information.

Previous high-profile attacks linked to Lazarus include the $625 million theft from Axie Infinity’s Ronin Bridge in 2021 after a Sky Mavis employee was tricked by a fake job offer and the $100 million Horizon Bridge breach in 2022 that targeted Harmony’s systems using similar methods.

Since 2017, Lazarus-linked operations have stolen over $3 billion in cryptocurrency, according to estimates from the United Nations and Chainalysis, with job recruitment scams playing a major role in those heists.