A new threat has surfaced in the cryptocurrency world: the North Korean hacking group Lazarus has set up three front companies to target cryptocurrency developers. Two of them are registered in the US, and one has since been shut down by the FBI.
Scam Methods
The companies distribute malware through a deceptive recruiting lure. During a fake job interview, the applicant is shown an error message and instructed to copy and paste a "fix"; running that pasted content infects the applicant's device with malware.
Malware Used
Three malware families are used in the attacks: BeaverTail, InvisibleFerret, and OtterCookie. BeaverTail steals information and downloads further malware stages. InvisibleFerret and OtterCookie harvest sensitive data, including cryptocurrency wallet keys and clipboard contents.
Using Artificial Intelligence
To make the front companies appear to have real staff, the attackers use AI-generated profile images. Fake employee profiles, some using stolen photos of real people, appear online.
Duration of the campaign
The campaign has been ongoing since 2024. Known victims include two developers, one of whom had his MetaMask wallet compromised.
FBI response
The Federal Bureau of Investigation (FBI) has taken action against the scam. The Blocknovas domain was shut down, but Softglide continues to operate. At least three cryptocurrency founders have reported thwarting data-theft attempts that were delivered through fake Zoom calls.
The role of the Lazarus group
The Lazarus group is suspected of major cyberattacks, including the Bybit and Ronin Network hacks, which underscores the seriousness of the threat the organization poses to the crypto community. The cryptocurrency community and law enforcement agencies continue to monitor the situation and take measures to protect against such attacks.