Cybersecurity researchers and documents reviewed by Reuters have uncovered a scheme by North Korean cyber spies who established two companies in the United States, flouting Treasury sanctions. These entities, Blocknovas LLC and Softglide LLC, registered in New Mexico and New York using fabricated identities and addresses, were allegedly used to distribute malicious software targeting individuals working within the cryptocurrency industry, according to researchers at the U.S. cybersecurity firm Silent Push. A third entity, Angeloper Agency, is also connected to this operation, though its U.S. registration remains unclear.
Reuters' review of registration documents revealed that Blocknovas was registered in New Mexico and Softglide in New York. The individuals listed in these documents could not be located. Blocknovas' listed physical address in Warrenville, South Carolina, appears to be an empty lot on Google Maps, while Softglide seems to have been registered through a small tax office in Buffalo, New York.
This activity underscores the evolving and extensive efforts by North Korea to target the cryptocurrency sector as a means of generating revenue for the government. Beyond hacking for foreign currency, the United States, South Korea, and the United Nations have reported that North Korea dispatches thousands of IT workers abroad to earn millions that help finance Pyongyang's nuclear missile program.
Tactics used by North Korean spies
Kasey Best, director of threat intelligence at Silent Push, highlighted the unusual nature of this tactic to Reuters, stating, "This is a rare example of North Korean hackers actually managing to set up legal corporate entities in the U.S. in order to create corporate fronts used to attack unsuspecting job applicants."
Silent Push identified the hackers as part of a subgroup within the Lazarus Group, an elite North Korean hacking collective affiliated with Pyongyang's primary foreign intelligence agency, the Reconnaissance General Bureau.
While the FBI declined to comment directly on Blocknovas or Softglide, a seizure notice posted on Blocknovas' website by the bureau indicated that the domain was seized "as part of a law enforcement action against North Korean Cyber Actors who utilized this domain to deceive individuals with fake job postings and distribute malware."
Prior to the seizure, FBI officials informed Reuters of their ongoing commitment to "focus on imposing risks and consequences, not only on the DPRK actors themselves, but anybody who is facilitating their ability to conduct these schemes." One FBI official described North Korean cyber operations as "perhaps one of the most advanced persistent threats" facing the United States. According to a report, Silent Push confirmed multiple victims of this campaign, "specifically via Blocknovas, which is by far the most active of the three front companies."
How Treasury Sanctions were violated
The establishment of a North Korean-controlled company within the U.S., registered by the RGB, constitutes a violation of sanctions imposed by the Office of Foreign Assets Control (OFAC), a division of the Treasury Department. It also breaches United Nations sanctions that prohibit North Korean commercial activities intended to support the isolated nation's government or military.