The Lazarus Group has put a new twist on a well-known scam by preying on would-be cryptocurrency developers through freelancer platforms and GitHub job listings. Palo Alto Networks Unit 42 (a cybersecurity company) first reported on the scam in November 2023. They called it the CL-STA-24 Contagious Interview campaign.
Silent Push has the latest information on this campaign. The Virginia-based cyber intelligence firm claims that Lazarus has created three fake consulting firms, BlockNovas Agency, Angeloper Agency and SoftGlide, to trick candidates into installing malware.
The attackers pose as crypto consultancies and post job advertisements that offer high salaries, remote flexibility and flexible working hours. Candidates are asked to record a short introduction video.
Malpedia defines the first strain as a JavaScript-based malware that is primarily distributed via NPM packages (…) and designed to steal information as well as load additional stages of malware.
The fake companies use AI to create photos of "team members", some of which are slightly altered from the originals. These profiles then populate false LinkedIn accounts and freelancer accounts. Silent Push claims that two of the fake companies are registered legally in the US and have been running the scams since 2024. BlockNovas has been seized by the FBI, but SoftGlide Agency and Angeloper Agency are still active.
Silent Push identified two developers who fell victim to this scam. In a Dev.to post, the first victim (nicknamed "topninja") detailed how she was led to compromise her MetaMask wallet by accepting a project from Freelancer.com. Topninja shared malicious code that contained a request to lianxinxiao[.]com, a domain that distributes BeaverTail.
At least three crypto founders were targeted in March by fake Zoom calls that tried to steal private keys. Cybersecurity experts advise job seekers to double-check URLs and verify the credentials of companies before copying and pasting anything.