On April 26, 2025, cybersecurity researchers revealed the full scope of an elaborate social engineering campaign orchestrated by North Korea’s Lazarus Group, which created at least three sophisticated fake cryptocurrency companies to target blockchain developers with malware-laced job interviews. The operation, tracked by security firm Silent Push and confirmed by Reuters, represents a chilling escalation in state-sponsored cyber espionage against the crypto industry.
The Exploit Mechanics
The Lazarus Group, also known as HIDDEN COBRA or Guardians of Peace, constructed an entirely fabricated corporate ecosystem designed to pass even rigorous due diligence checks. The threat actors registered three shell companies in the United States: Blocknovas LLC, Angeloper, and SoftGlide. Each entity maintained a professional website complete with AI-generated employee headshots, fabricated LinkedIn profiles with employment histories, and even simulated product roadmaps.
The technical attack chain began when a developer applied for a position advertised on legitimate job platforms. After passing initial screening rounds conducted by individuals impersonating HR representatives, candidates were invited to a “technical interview” conducted via what appeared to be a standard video conferencing tool. During this call, the attackers instructed the victim to download a “coding exercise” or “technical assessment tool” — which was in fact a custom remote access trojan (RAT) designed to compromise cryptocurrency wallets, exfiltrate private keys, and establish persistent access to the victim’s development environment.
The malware delivered through this vector specifically targeted browser extension wallets such as MetaMask and Phantom, credential stores, and SSH keys used for accessing production infrastructure. In some variants observed by researchers, the trojan also deployed a clipboard hijacker that silently substituted cryptocurrency addresses during transactions.
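The clipboard hijacker described above works by waiting for the victim to copy a wallet address and overwriting it, within milliseconds, with an attacker address of the same chain. The following is an added example (not code from the article, Silent Push, or the FBI) of the detection heuristic that pattern suggests: it takes a timeline of polled clipboard observations and flags an address that is replaced by a different address of the same chain inside a short window. The address regexes, the two-second window, and the sample timeline are all constructed assumptions for illustration; a real monitor would feed the same function from a platform clipboard API.

```python
"""Clipboard-swap detection heuristic (added example, not from the article).

A hijacker of the kind described above replaces a copied wallet address with a
different address of the same chain almost immediately. This module never
touches the real clipboard: it consumes a timeline of (seconds, clipboard_text)
observations, as a polling loop would produce, and flags that pattern.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Rough address shapes for the wallets named in the article (MetaMask: EVM
# chains, Phantom: Solana) plus Bitcoin. Format checks only, no checksums.
ADDRESS_PATTERNS = {
    "evm": re.compile(r"^0x[0-9a-fA-F]{40}$"),
    "btc": re.compile(r"^(bc1[ac-hj-np-z02-9]{11,71}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})$"),
    "sol": re.compile(r"^[1-9A-HJ-NP-Za-km-z]{32,44}$"),  # base58, checked last
}


def classify(text: str) -> Optional[str]:
    """Return the chain family a clipboard value looks like, or None."""
    value = text.strip()
    for chain, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(value):
            return chain
    return None


@dataclass
class SwapAlert:
    time: float
    chain: str
    original: str
    replacement: str


def detect_swaps(snapshots: List[Tuple[float, str]], window_seconds: float = 2.0) -> List[SwapAlert]:
    """Scan a clipboard timeline for hijack-style address substitutions.

    A hit is: the previous value was an address of chain X, the current value
    is a *different* address of chain X, and the change happened within
    `window_seconds`. A person copying two addresses in a row takes far
    longer than that, which keeps the heuristic's false-positive rate low.
    """
    alerts: List[SwapAlert] = []
    prev_time, prev_value, prev_chain = None, None, None
    for time, value in snapshots:
        chain = classify(value)
        if (
            chain is not None
            and chain == prev_chain
            and value.strip() != prev_value.strip()
            and time - prev_time <= window_seconds
        ):
            alerts.append(SwapAlert(time, chain, prev_value, value))
        prev_time, prev_value, prev_chain = time, value, chain
    return alerts


# Constructed sample timeline; every address below is made up, not a real wallet.
SAMPLE_CLIPBOARD = [
    (0.0, "interview notes - round 2"),
    (1.0, "0x" + "1234567890abcdef" * 2 + "12345678"),  # user copies their own EVM address
    (1.2, "0x" + "deadbeef" * 5),                        # replaced 200 ms later: hijack pattern
    (30.0, "Aa" + "1" * 40),                             # user copies a Solana address
    (45.0, "Bb" + "2" * 40),                             # a different one 15 s later: normal use
    (46.0, "see you at the technical assessment"),
]


if __name__ == "__main__":
    for alert in detect_swaps(SAMPLE_CLIPBOARD):
        print(f"t={alert.time}s {alert.chain} address swapped: "
              f"{alert.original} -> {alert.replacement}")
```

Running the sample produces exactly one alert, for the EVM address that changed 200 ms after it was copied; the two Solana addresses copied fifteen seconds apart are left alone. The window is the tunable: shrink it and fast human copy-paste is never flagged, widen it and the detector catches slower hijackers at the cost of more false positives.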
Affected Systems
The campaign primarily targeted senior blockchain developers, smart contract auditors, and DevOps engineers working across major Layer 1 and Layer 2 ecosystems. According to the FBI, which seized the Blocknovas domain on April 23, 2025, at least dozens of developers across multiple countries were approached through this scheme. The fraudulent companies were particularly active on LinkedIn, where their fabricated profiles accumulated hundreds of connections within the cryptocurrency community.
Researchers from Silent Push identified that the Blocknovas website domain had been registered only weeks before the campaign launched, yet featured a fully built-out corporate site with product pages, team bios, and even a blog section with AI-generated articles about blockchain technology. The sophistication of the ruse set a new benchmark for social engineering attacks in the crypto space.
This campaign is believed to be connected to the broader Lazarus Group operation responsible for the $1.4 billion Bybit exchange hack in February 2025, indicating that North Korean cyber operations are increasingly targeting individual developers as a pathway to organizational compromise.
The Mitigation Strategy
In response to the Blocknovas revelations, the FBI seized the primary domain used by the most active front company and issued a public advisory warning cryptocurrency companies to verify the identity of any firm conducting recruitment outreach. Security researchers recommend several defensive measures: always verify company registration through state Secretary of State databases, cross-reference employee profiles against multiple platforms, never download software from interview-related links, and conduct technical interviews using your own development environment rather than one provided by the prospective employer.
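One of the few objective signals in the Blocknovas case was that the company's domain had been registered only weeks before outreach began. As an added example (not the article's, Silent Push's, or the FBI's own tooling), the script below reads the registration event from a domain's RDAP record and flags any domain younger than a threshold when a recruiter first makes contact. The 180-day threshold, the placeholder `.invalid` domain names, and the RDAP records are constructed for the example; the live lookup assumes the public rdap.org bootstrap service, which redirects to the authoritative registry.

```python
"""Recruiter-domain age check via RDAP (added example, not from the article).

Registration age is a cheap, objective due-diligence signal: a "company" that
contacts you about a job from a domain registered weeks earlier deserves extra
scrutiny. The offline samples below are constructed; fetch_rdap() does a live
lookup if you want to run the same check against a real domain.
"""
import json
import urllib.request
from datetime import datetime, timezone
from typing import Optional, Tuple

# Assumption: rdap.org's bootstrap endpoint redirects to the right registry.
RDAP_BOOTSTRAP = "https://rdap.org/domain/{}"


def fetch_rdap(domain: str, timeout: float = 10.0) -> dict:
    """Live RDAP lookup (network); not used by the offline samples."""
    req = urllib.request.Request(
        RDAP_BOOTSTRAP.format(domain), headers={"Accept": "application/rdap+json"}
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


def parse_rdap_date(value: str) -> datetime:
    """RDAP dates are RFC 3339; normalise a trailing 'Z' for fromisoformat."""
    parsed = datetime.fromisoformat(value.replace("Z", "+00:00"))
    return parsed if parsed.tzinfo else parsed.replace(tzinfo=timezone.utc)


def registration_date(rdap: dict) -> Optional[datetime]:
    """Pull the 'registration' event out of an RDAP domain object."""
    for event in rdap.get("events", []):
        if event.get("eventAction") == "registration":
            return parse_rdap_date(event["eventDate"])
    return None


def domain_age_days(rdap: dict, now: datetime) -> Optional[int]:
    registered = registration_date(rdap)
    return None if registered is None else (now - registered).days


def assess_recruiter_domain(rdap: dict, now: datetime,
                            min_age_days: int = 180) -> Tuple[str, Optional[int]]:
    """Verdict for a domain that contacted you at time `now`.

    'suspicious' when the domain is younger than min_age_days, 'unknown' when
    the registry publishes no registration event (treat that as a reason to
    dig further, not as a pass).
    """
    age = domain_age_days(rdap, now)
    if age is None:
        return "unknown", None
    return ("suspicious" if age < min_age_days else "ok"), age


# Constructed RDAP records; the .invalid names are placeholders, not real lookups.
NEW_DOMAIN = {
    "objectClassName": "domain",
    "ldhName": "recruiter-example.invalid",
    "events": [
        {"eventAction": "registration", "eventDate": "2025-03-14T00:00:00Z"},
        {"eventAction": "last changed", "eventDate": "2025-04-01T12:00:00Z"},
    ],
}
OLD_DOMAIN = {
    "objectClassName": "domain",
    "ldhName": "established-example.invalid",
    "events": [{"eventAction": "registration", "eventDate": "2015-06-01T00:00:00+00:00"}],
}
NO_EVENTS = {"objectClassName": "domain", "ldhName": "opaque-example.invalid"}

# Date of first contact; the article's publication date is used as the sample.
OUTREACH_DATE = datetime(2025, 4, 26, tzinfo=timezone.utc)


if __name__ == "__main__":
    for record in (NEW_DOMAIN, OLD_DOMAIN, NO_EVENTS):
        verdict, age = assess_recruiter_domain(record, OUTREACH_DATE)
        print(f"{record['ldhName']}: {verdict} (age: {age} days)")
```

Domain age is a filter, not proof of legitimacy: an attacker can buy an aged domain, so a passing result still leaves the other checks in the paragraph above (state registration records, cross-platform profile verification, no interview-supplied software) in place. What the check reliably catches is the Blocknovas pattern of a polished site on a weeks-old domain.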
Organizations should implement mandatory security awareness training that covers recruitment-based social engineering, as this vector has become the primary initial access method for advanced persistent threats targeting the blockchain ecosystem in 2025.
Lessons Learned
The Blocknovas operation demonstrates that threat actors now leverage generative AI to create corporate facades that are virtually indistinguishable from legitimate startups. With Bitcoin trading at approximately $94,647 and the total crypto market cap exceeding $3.3 trillion, the financial incentive for sophisticated attacks against developers who control or access significant digital asset infrastructure has never been higher.
The convergence of AI-generated content with traditional social engineering represents a paradigm shift in how the crypto industry must approach security. Verification can no longer rely on surface-level indicators such as website professionalism or LinkedIn presence.
User Action Required
If you have been contacted by Blocknovas, Angeloper, or SoftGlide for employment opportunities, or have downloaded any software during a job interview process in recent months, immediately rotate all cryptocurrency wallet credentials, revoke browser extension permissions, scan your system for malware using tools such as Malwarebytes or Kaspersky, and report the contact to your local FBI field office or equivalent cybercrime authority. The stakes are too high to treat any recruitment outreach as routine.
Disclaimer: This article is for informational purposes only and does not constitute financial or investment advice. Always conduct your own research before making any financial decisions.
The gap between crypto and TradFi is narrowing fast
Mass adoption is happening incrementally — people just don’t notice
The best projects are the ones quietly shipping during bear markets
This is exactly the kind of development the space needs
this is about state-sponsored malware targeting devs through fake companies. not sure how that's positive for anyone
lmao bro read the article. three fake companies with AI headshots targeting developers with malware interviews and you think this is positive. wild
AI generated headshots, fake LinkedIn profiles with employment histories, simulated product roadmaps. the amount of effort Lazarus put into Blocknovas is genuinely terrifying. a developer doing their due diligence would still get fooled
the fake companies passed real due diligence checks. that's what scares me. if someone with 15 years experience gets fooled by AI headshots and fabricated LinkedIn profiles, what chance does a junior dev have
Kwame B., junior devs are the exact target. experienced engineers might notice the video call lag or weird contract clauses. someone hungry for their first web3 job won't question anything
three shell companies with AI headshots and fake LinkedIn profiles that passed due diligence. if Lazarus puts this much effort into a fake job interview imagine what they do for an exchange hack
the malware was delivered during a video call. that is next level social engineering. your AV software can't save you when you voluntarily run the file