- Hackers posing as U.S. crypto firms targeted developers with malware through fake online job interviews.
- Manta Network’s Kenny Li avoided malware during a Zoom call set up by North Korean attackers.
- ZKsync reclaimed $5.7 million after a hacker minted unauthorized tokens using stolen admin credentials.
North Korean cybercriminals are using fake companies registered in the United States to attack cryptocurrency developers. A recent investigation by cybersecurity firm Silent Push uncovered a new campaign tied to the Lazarus Group, a well-known state-sponsored hacking operation.
Attackers set up two companies in the United States: BlockNovas LLC in New Mexico and SoftGlide LLC in New York. A third group, Angeloper Agency, was also linked to the scheme but was not officially registered in the country.
The investigation found that these companies were created as a cover to spread malware to cryptocurrency developers through fake job interviews. To make their operations look convincing, the attackers launched websites like blocknovas[.]com and apply-blocknovas[.]site. Silent Push said the hackers made the companies appear real by using AI-generated employee profiles.
Silent Push added:
“The objective was to compromise crypto wallets and steal credentials from developers working at legitimate businesses.”
A Pattern Linked to Lazarus Group
This strategy follows a pattern seen in previous attacks carried out by the Lazarus Group. Last year, hackers infiltrated Axie Infinity’s Ronin Bridge by using a fake job offer and stole $625 million. In 2022, the same group also looted $100 million from Harmony’s Horizon Bridge via another fake job ploy.
The United Nations and blockchain analysis firm Chainalysis estimate that Lazarus has stolen more than $3 billion in cryptocurrency since 2017. The bulk of that figure came from fake job offer attacks.
Silent Push noted that the creation of fake companies “marks a shift toward more sophisticated methods” by Lazarus to target the crypto sector.
Attempted Phishing Attack on Manta Network’s Co-Founder
In a related incident, Kenny Li, co-founder of Manta Network, shared that he avoided falling victim to an advanced phishing attack. On April 17, Li posted on X that a fraudulent Zoom call had been set up to deliver malware to his device.
Li said he became suspicious during the call when the video of a supposed colleague did not seem right. He later confirmed it was a deepfake attempt tied to North Korean actors. The attackers tried to trick him into installing malware by impersonating someone he trusted. Security experts view this attack as part of a broader trend where hackers are moving beyond emails and using live video calls to target individuals inside the cryptocurrency world.
ZKsync Recovers Funds After Breach
ZKsync, a layer 2 blockchain protocol, recovered over $5.7 million after a hack on April 15. The attacker misused an administrative password, which allowed the illegitimate minting of approximately 111 million ZK tokens.
ZKsync and the attacker reached an agreement under which 90% of the stolen funds were returned, while the attacker kept 10% as a reward. The arrangement was made during the project’s 72-hour safe harbor window, which is designed to support the recovery of lost assets. The breach also drew attention to internal security practices and the threats blockchain projects face during token distribution events.