North Korean hackers pull off Hollywood-style crypto heist


Let’s say you’re a crypto developer, minding your own business, looking for your next gig. You see a job post from a legit-sounding company, like BlockNovas, SoftGlide, maybe Angeloper Agency.

They’ve got websites, employee profiles, the whole nine yards. Looks safe, right?

Well, turns out, you just walked into a North Korean cyber sting, and the FBI’s already hot on the trail.

Three fronts, one big scam

A North Korean hacker crew, the infamous Lazarus Group’s own “Contagious Interview” squad, sets up not one, not two, but three fake crypto consulting firms.

BlockNovas and SoftGlide even got themselves registered in the good ol’ US of A, using fake names and addresses in New Mexico and New York.

Angeloper Agency? Not even bothering with the paperwork. These outfits are nothing but shells, fronts for a digital stickup. Quite creative, I have to admit.

These wise guys aren’t just phishing for fun. They’re running a full-blown operation, posting jobs on sites like LinkedIn, Upwork, and GitHub.

They lure in unsuspecting developers with promises of work, then bam, hit them with malware disguised as innocent test assignments or interview files.

Malware

Once you’re in, you’re in deep. Three strains of malware, BeaverTail, InvisibleFerret, and OtterCookie, get to work.

BeaverTail? That one’s a master thief, targeting your browser extensions, crypto wallets like MetaMask, and whatever credentials it can get its hands on.

It’s clever, persistent, and cross-platform: Windows, Mac, Linux, nobody’s safe.

OtterCookie and InvisibleFerret? They’re after your wallet keys, clipboard data, private messages, anything that’ll help them clean you out.

To make it all look legit, these hackers whip up fake employee profiles using AI-generated faces. Sometimes they even remix real people’s photos just enough to fool you.

They’re everywhere: job sites, freelancer platforms, you name it. It’s like a casting call for a cybercrime caper, only the victims don’t get a script, they get robbed.

Fallout

The Feds finally got wise and seized BlockNovas’ domain, but SoftGlide and the rest of their digital hideouts are still out there, lurking.

Real developers have already been hit; one even had their MetaMask wallet drained.

And let’s not forget, these scams aren’t just about making a quick buck. North Korea’s using this loot to fund its weapons programs.

If you’re in crypto, trust no one. That dream job could be a nightmare in disguise.

The Lazarus Group doesn’t care about your resume. They want your keys, your passwords, your money.


Disclosure: This article does not contain investment advice or recommendations. Every investment and trading move involves risk, and readers should conduct their own research when making a decision.

Kriptoworld.com accepts no liability for any errors in the articles or for any financial loss resulting from incorrect information.
