“This is a rare example of North Korean hackers actually managing to set up legal corporate entities in the US in order to create corporate fronts used to attack unsuspecting job applicants,” said Kasey Best, director of threat intelligence at Silent Push.
The hackers are part of a subgroup within the Lazarus Group, an elite team of North Korean hackers which is part of the Reconnaissance General Bureau (RGB), Pyongyang’s main foreign intelligence agency, according to Silent Push.

The FBI declined to comment specifically on Blocknovas or Softglide. But on Thursday an FBI seizure notice posted to the website for Blocknovas said the domain was seized “as part of a law enforcement action against North Korean cyber actors who utilised this domain to deceive individuals with fake job postings and distribute malware”.