Thomas Daniels

Published On: 25/04/2025
DPRK Hackers Exploit Radiant Capital for $50M in Sophisticated Attack

In a sophisticated cyber-espionage campaign, North Korea’s Lazarus Group has established three shell companies—BlockNovas LLC, SoftGlide LLC, and Angeloper Agency—to distribute malware targeting cryptocurrency developers. Two of these entities, BlockNovas and SoftGlide, were legally registered in the United States using falsified documentation, in violation of international sanctions.

The campaign, dubbed “Contagious Interview” by cybersecurity analysts at Silent Push, involves the creation of fake crypto consulting firms to lure developers into fraudulent job interviews. During these interviews, applicants are prompted to record introduction videos. Upon encountering a deliberately triggered error message, they are given a copy-paste “solution” which covertly installs malware.

Three distinct strains—BeaverTail, InvisibleFerret, and OtterCookie—are deployed. BeaverTail primarily enables further malware deployment and information theft, while InvisibleFerret and OtterCookie are designed to extract sensitive data, including private keys and clipboard content.

Zach Edwards, a senior threat analyst at Silent Push, emphasized that these operations form part of North Korea’s broader efforts to generate revenue through cyber theft, allegedly to support its nuclear weapons program. The FBI has taken action by seizing the domain associated with BlockNovas, though other infrastructure, including SoftGlide, remains operational.

This ongoing operation, first traced back to 2024, has already claimed several known victims. At least one developer reported that their MetaMask wallet was compromised. Meanwhile, others have thwarted attempts involving counterfeit Zoom calls orchestrated by impostors posing as potential employers.

The Lazarus Group remains a key suspect behind some of the largest cyber heists in the Web3 space, including the $600 million Ronin network breach and the $1.4 billion Bybit attack.