North Korean Hacker Group Reportedly Established Two LLCs in The United States to Target Developers

North Korean leader Kim Jong Un and his daughter Kim Ju Ae visit the Ministry of National Defense on the occasion of the 76th anniversary of the founding of the Korean People's Army in Pyongyang, North Korea in this picture released on February 9, 2024 by the Korean Central News Agency. KCNA via REUTERS

A North Korean hacking group, reported to be a subgroup of the Lazarus Group tied to the Reconnaissance General Bureau (RGB), is said to have established two U.S.-registered shell companies, Blocknovas LLC in New Mexico and Softglide LLC in New York, to target cryptocurrency developers with malware. The companies, set up using fake personas and addresses, violated U.S. Treasury and United Nations sanctions.

The hackers posed as recruiters, offering fake job interviews to lure developers into downloading malicious software, aiming to steal cryptocurrency wallets and credentials. The FBI seized the Blocknovas domain, and cybersecurity firm Silent Push confirmed multiple victims, noting the campaign’s sophistication. A third entity, Angeloper Agency, is also linked but not registered in the U.S. This tactic marks a rare instance of North Korean operatives creating legal U.S. entities to facilitate cyberattacks.

Sanctions Evasion refers to actions taken by individuals, entities, or governments to circumvent or bypass economic, financial, or trade restrictions imposed by countries or international bodies, such as the United States, United Nations, or European Union. These sanctions are typically designed to pressure targeted regimes, organizations, or individuals to change behavior, such as halting nuclear proliferation, human rights abuses, or illicit activities, by limiting access to financial systems, trade, or resources.

North Korean operatives established Blocknovas LLC and Softglide LLC in the U.S. using fake personas and addresses. These shell companies appear legitimate but have no real operations, serving as fronts to obscure the true actors’ identities and evade sanctions scrutiny. U.S. state-level business registration processes often require minimal identity verification, allowing bad actors to set up companies without disclosing their true affiliations. This enables sanctioned entities to operate under the radar.

By registering LLCs, the hackers could open U.S. bank accounts, process transactions, or engage in activities that would otherwise be blocked by sanctions on North Korean entities. The LLCs were used to pose as legitimate businesses (e.g., recruitment agencies) to target developers with malware, masking their true purpose: stealing cryptocurrency to fund North Korea's regime, which is restricted under sanctions.

The hackers employed fake personas, such as "Robert Davis" or "Henry Wilson," and used virtual or rented addresses to register the companies, further distancing their activities from North Korea's Reconnaissance General Bureau (RGB). Sanctions evasion in this case violates U.S. Treasury Department and UN Security Council restrictions, which prohibit North Korean entities from engaging in financial or commercial activities because of the country's nuclear ambitions and cybercrime. By setting up U.S.-based LLCs, the Lazarus Group could launder stolen cryptocurrency and finance North Korea's weapons development or other sanctioned activities. Evading sanctions weakens international efforts to curb North Korea's destabilizing actions, and it highlights gaps in corporate registration and anti-money laundering frameworks, prompting calls for stricter oversight.

The use of legitimate U.S. entities demonstrates a high level of operational sophistication, allowing hackers to blend into legitimate business ecosystems, evade detection, and exploit trust in U.S.-based companies. Targeting developers with malware to steal cryptocurrency wallets and credentials poses a direct threat to the security of blockchain networks, decentralized finance platforms, and individual investors, potentially leading to significant financial losses.

By posing as recruiters, the hackers undermine confidence in remote job opportunities, particularly in the tech sector, making developers wary of legitimate offers and complicating hiring processes. The ease with which these shell companies were established points to the same weakness in U.S. corporate registration processes, which lack stringent identity verification and so let sanctioned entities exploit legal loopholes.

North Korea’s use of cyberattacks to fund state activities, including its nuclear program, through stolen cryptocurrency underscores the intersection of cybercrime and geopolitical threats, necessitating stronger international countermeasures. The FBI’s domain seizure shows proactive response, but the global nature of these operations, combined with North Korea’s state-backed hacking, complicates attribution, prosecution, and prevention efforts.

This tactic may inspire other threat actors to adopt similar strategies, increasing the need for enhanced cybersecurity awareness, developer training, and robust vetting of business entities to prevent malware dissemination.
