North Korea's Lazarus Group registered two legitimate US companies, used fictitious identities, and ran a months-long campaign of fake job interviews to deliver a three-stage malware chain to cryptocurrency developers. Blocknovas LLC, incorporated in New York, and Softglide LLC, incorporated in New Mexico, appear indistinguishable from any other small blockchain development shop. The FBI seized the Blocknovas domain in April 2026. The goal: crypto wallet private keys and access to blockchain infrastructure.
If you interviewed with any company where the technical assessment involved running a provided code repository or demo application, and you cannot independently verify that company's legitimacy, treat your development machine as potentially compromised. A leaked private key cannot be rotated, only abandoned: move funds out of any wallet whose key or seed phrase was ever on that machine, rotate every other credential that was stored there (API keys, SSH keys, cloud tokens), and check for persistence mechanisms installed around the time of the interview.
How the Shell Companies Were Built
Lazarus Group invested substantial effort in making Blocknovas LLC and Softglide LLC appear legitimate. Both companies had registered business addresses, websites with professional design and plausible team member bios (using AI-generated profile photos), GitHub organization accounts with forks of real blockchain projects, and LinkedIn company pages. The New York and New Mexico addresses were real locations: either mail forwarding services or addresses associated with other businesses in the same building.
The company websites described blockchain development consulting, smart contract auditing, and DeFi infrastructure services. These are all plausible business categories in the current market, and the websites were specific enough about technical capabilities to pass casual due diligence by a developer evaluating a job opportunity. Multiple people appeared to have worked there based on LinkedIn profiles, though SentinelOne researchers confirmed those profiles were synthetic.
The job listings appeared on LinkedIn, GitHub Jobs, and several crypto-specific job boards. They advertised competitive salaries, fully remote roles, and interesting technical problems in smart contract development. Developers who applied received responses and were advanced through a multi-stage interview process that built trust before the malicious technical assessment was introduced.
The Three-Stage Malware Chain
Stage 1: BeaverTail. The interview "technical assessment" instructed candidates to clone a repository and run a local demo application to reproduce a reported bug before the next interview round. The repository contained BeaverTail, a JavaScript-based loader. BeaverTail runs the demo application as expected, showing the candidate nothing unusual, while silently profiling the host system and establishing communication with the command-and-control server.
Stage 2: InvisibleFerret. BeaverTail downloads and executes InvisibleFerret, a Python-based backdoor. InvisibleFerret establishes persistent remote access, collects system information, enumerates installed software, and waits for operator commands. It uses encrypted HTTPS communication to a C2 server to avoid network-layer detection. Persistence is established via macOS LaunchAgents or Windows scheduled tasks depending on the victim's platform.
Stage 3: OtterCookie. Once InvisibleFerret has profiled the victim and determined they are a target of interest, the operator deploys OtterCookie, a credential stealer specifically designed to extract cryptocurrency wallet private keys. OtterCookie searches for wallet seed phrases and private key files across common storage locations, browser extension data directories for MetaMask and similar wallets, and application configuration files for crypto trading and development tools. Exfiltrated keys are sent to the C2 immediately.
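The chain starts the moment a candidate runs `npm install` or `node` on the provided repository, so the practical defense is to read the checkout before executing it. The script below is an added example, not code from the page or from any of the reports it cites: it audits a cloned project for the generic tells of a JavaScript loader hidden inside an ordinary-looking demo app, namely npm lifecycle hooks that run automatically on install, `eval`/`new Function`, `child_process`, host profiling via `os.*`, URLs pointing at raw IP addresses, browser profile paths, and long packed blobs. The indicator names, the sample repository it builds in a temp directory, and the 203.0.113.10 address (an RFC 5737 documentation address) are all constructed for the demo; they are not signatures for BeaverTail or any specific sample.

```python
"""Audit a cloned 'take-home' repository for loader-like code before running it.

Added example for this page. The indicators are generic traits of JavaScript
loaders planted in ordinary-looking projects, not a signature for any one sample.
"""
import base64
import json
import re
import tempfile
from pathlib import Path

# npm runs these automatically during `npm install`, before the candidate
# has typed `npm start`; they are the most common hiding place for a loader.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")
CODE_EXT = {".js", ".cjs", ".mjs", ".ts", ".json", ".py"}
SKIP_DIRS = {"node_modules", ".git", "dist", "build"}

# Each indicator is a regex applied per line of source text (heuristics, not proof).
INDICATORS = {
    "dynamic-eval": re.compile(r"\b(eval|new Function)\s*\("),
    "child-process": re.compile(r"\bchild_process\b|\bexecSync\s*\(|\bspawn\s*\("),
    "host-profiling": re.compile(r"\bos\.(platform|hostname|userInfo|homedir)\s*\("),
    "raw-ip-url": re.compile(r"https?://\d{1,3}(?:\.\d{1,3}){3}(?::\d+)?"),
    "browser-profile-path": re.compile(r"Local Extension Settings|Login Data|Local State", re.I),
    "long-base64-blob": re.compile(r"[A-Za-z0-9+/]{200,}={0,2}"),
}


def audit_package_json(path: Path, rel: str) -> list[tuple[str, str]]:
    """Flag lifecycle hooks declared in package.json 'scripts'."""
    try:
        scripts = json.loads(path.read_text()).get("scripts", {})
    except (ValueError, OSError):
        return []
    return [(rel, f"lifecycle-hook:{k}") for k in scripts if k in LIFECYCLE_HOOKS]


def scan_source(path: Path, rel: str) -> list[tuple[str, str]]:
    """Return (relative path, indicator) pairs for every indicator seen in the file."""
    findings = set()
    try:
        text = path.read_text(errors="replace")
    except OSError:
        return []
    for line in text.splitlines():
        # A single minified line thousands of characters long inside a "demo" is itself a tell.
        if len(line) > 2000:
            findings.add((rel, "minified-or-packed-line"))
        for name, rx in INDICATORS.items():
            if rx.search(line):
                findings.add((rel, name))
    return sorted(findings)


def audit_repo(root: Path) -> list[tuple[str, str]]:
    """Walk the checkout (skipping vendored/build dirs) and collect findings."""
    findings = []
    for p in sorted(root.rglob("*")):
        if any(part in SKIP_DIRS for part in p.relative_to(root).parts):
            continue
        if not p.is_file() or p.suffix not in CODE_EXT:
            continue
        rel = p.relative_to(root).as_posix()
        if p.name == "package.json":
            findings += audit_package_json(p, rel)
        else:
            findings += scan_source(p, rel)
    return findings


def build_sample_repo(root: Path) -> None:
    """Constructed sample: a harmless demo server plus one planted loader-like file."""
    (root / "package.json").write_text(json.dumps({
        "name": "demo-dex-ui",
        "scripts": {"start": "node server.js", "postinstall": "node lib/config.js"},
    }))
    (root / "server.js").write_text(
        "const http = require('http');\n"
        "http.createServer((req, res) => res.end('ok')).listen(3000);\n")
    (root / "lib").mkdir()
    payload = base64.b64encode(b"console.log('config loaded')").decode()
    (root / "lib" / "config.js").write_text(
        "const os = require('os');\n"
        "const cp = require('child_process');\n"
        "const info = { p: os.platform(), h: os.hostname() };\n"
        "const u = 'http://203.0.113.10:8080/client/' + info.p;\n"  # RFC 5737 doc address
        f"eval(Buffer.from('{payload}', 'base64').toString());\n")


def run_demo() -> list[tuple[str, str]]:
    """Build the constructed sample in a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        build_sample_repo(root)
        return audit_repo(root)


if __name__ == "__main__":
    # Real use: audit_repo(Path("/path/to/cloned/interview-repo"))
    for rel, indicator in run_demo():
        print(f"{rel}: {indicator}")
```

Any hit on a repository you were asked to run should end the assessment until the company is verified; a real employer can explain a `postinstall` hook, and a loader author cannot. The audit is a reading aid, not a substitute for the disposable VM recommended below, since an obfuscated loader can defeat line-based heuristics.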
Why Crypto Developers Are the Target
North Korea has stolen an estimated $3 billion in cryptocurrency since 2017 according to UN Panel of Experts reports. Crypto theft is a primary revenue source for the regime, funding weapons programs under international sanctions. Lazarus Group and affiliated clusters operate sophisticated, purpose-built tooling specifically for blockchain theft.
Developers who work on blockchain infrastructure represent the highest-value individual targets in the ecosystem. A developer with access to a DeFi protocol's deployment keys or a custodial wallet provider's signing infrastructure is worth orders of magnitude more than an ordinary retail investor. One exfiltrated signer key can be enough to drain a wallet outright, or one of the handful needed to meet a multi-signature threshold, on contracts holding millions or tens of millions of dollars. The fake interview channel gives Lazarus reliable access to exactly these people: developers skilled enough to be job hunting at the infrastructure layer.
The FBI seized the Blocknovas domain, but domain seizure does not dismantle the operation. Softglide's status at publication time is unclear. Lazarus will recreate the company infrastructure under new names. The operational pattern of fake companies plus fake interviews has been documented across at least a dozen prior Lazarus campaigns. This technique works because it exploits a normal, expected workflow: developers are supposed to run code during interviews.
Protective Measures for Developers and Organizations
- Never run interview code on a machine that has access to production credentials, wallet private keys, or company systems; use a dedicated disposable VM or sandbox with no host directories mounted and no credentials in its environment, and discard it afterward
- Before running any code from a recruiter, verify the company exists independently: check state business registration databases, look up the registered agent, search for the company on sources outside the provided website
- Verify LinkedIn company profiles were not created within the past 6-12 months with thin history; check employee profile creation dates for signs of synthetic activity
- Store crypto wallet seed phrases and private keys in hardware security devices (Ledger, Trezor) whose keys cannot be read by software on the host, even as root; this protection only holds if the seed phrase is never typed into, pasted into, or stored on the host machine
- Use separate browser profiles or dedicated browsers for crypto wallet operations; do not install wallet extensions in the same browser used for development work
- For blockchain organizations: conduct security awareness training specifically covering the fake interview vector; this is now a documented attack pattern targeting your industry
- If you accepted an interview from an unverified company recently: scan your system with a malware tool, check for new LaunchAgents (macOS: ~/Library/LaunchAgents/ and /Library/LaunchAgents/, or `launchctl list`) or scheduled tasks (Windows: `schtasks /query /fo LIST /v`), and move funds out of any wallet whose key could have been on the machine, since a leaked key cannot be rotated
For US companies: check the business-entity filing with the incorporating state. For New York LLCs, search the Department of State database at apps.dos.ny.gov. For New Mexico, search the Secretary of State portal at portal.sos.state.nm.us. A recently filed LLC with a registered agent at a mail forwarding service and no corroborating online presence should be treated with significant skepticism, and a filing alone proves only that someone paid the fee.
Building Crypto Infrastructure? Security Starts at Hiring.
RedEye Security helps blockchain and fintech organizations assess their exposure to supply chain and social engineering attacks targeting developers. We can review your onboarding and contractor engagement processes to identify gaps before Lazarus finds them.
Talk to Us