From Florida LLCs to Fake Devs: Lazarus Group’s Malware Masquerade Hits Blockchain Industry
North Korea-linked hackers escalate crypto attacks by registering real US companies to deliver sophisticated malware to unsuspecting developers.
It started like any other job opportunity: a developer receives an invitation to collaborate with a promising blockchain startup, complete with a sparkling GitHub repository and a bona fide Florida LLC registration. But beneath this polished façade lurks one of the most elaborate scams yet from the notorious Lazarus Group, North Korea’s cybercrime powerhouse. Their latest campaign, dubbed “graphalgo,” is a masterclass in deception - one that’s ensnaring even the most cautious blockchain professionals.
The Lazarus Group’s new playbook is alarmingly thorough. Investigators at ReversingLabs discovered that the hackers didn’t just set up a fake website or spoof an email - they filed official paperwork, registering Blocmerce LLC in Florida with forged details and fake executive names. Public records show real addresses, but the supposed CEO, Alexandre Miller, is a phantom. Researchers suspect stolen or invented identities, a trademark move for North Korean threat actors seeking to evade detection and build trust.
The group’s efforts to mimic legitimacy go further. By copying branding from real companies like SWFT Blockchain and setting up additional sham entities like Bridgers Finance, they manufacture a convincing corporate ecosystem. For developers, the scam is nearly indistinguishable from a genuine job or partnership offer.
But the real innovation lies in the technical delivery. Whereas past campaigns relied on booby-trapped npm or PyPI packages, this time the malware is smuggled in as a “release artifact” on GitHub. To make matters worse, the attackers rewrite code commit histories to create the illusion of long-term project development, complete with fake contributors. Even seasoned developers might miss the subtlety - especially when the hackers use typosquatting, such as swapping a lowercase “l” for a capital “I” in a well-known developer’s username, to trick victims into installing poisoned packages.
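One practical way to catch the username trick the article describes (a capital "I" standing in for a lowercase "l") is to compare the maintainer or contributor name on a release against a team's own allowlist after collapsing visually confusable characters. The script below is an added illustration, not code from ReversingLabs or from the article; the trusted names, the candidate names and the confusable-character mapping are constructed sample data and assumptions, not real accounts.

```python
"""Flag maintainer/contributor names that are visually confusable with trusted ones.

Added example for the article above, not the researchers' code. TRUSTED_MAINTAINERS
and the sample candidates are constructed; CONFUSABLES is an assumed, deliberately
small mapping of characters that render alike in common monospace fonts.
"""
import unicodedata

# Assumed mapping: characters that look like a lowercase L / o / a etc. in many fonts.
# The "I" -> "l" entry is exactly the swap the article mentions; the Cyrillic entries
# cover the most common Latin/Cyrillic homoglyphs.
CONFUSABLES = {
    "I": "l", "1": "l", "|": "l",
    "0": "o",
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
    "\u0440": "p",  # CYRILLIC SMALL LETTER ER
    "\u0441": "c",  # CYRILLIC SMALL LETTER ES
    "\u0445": "x",  # CYRILLIC SMALL LETTER HA
    "\u0443": "y",  # CYRILLIC SMALL LETTER U
}

# Constructed allowlist: the accounts this (hypothetical) team actually trusts.
TRUSTED_MAINTAINERS = ["alice_dev", "blockchain-lib-maint"]


def skeleton(name: str) -> str:
    """Reduce a username to a 'skeleton' so that lookalike names collide.

    NFKC first (folds fullwidth/compatibility forms), then map confusables,
    then lowercase. Mapping before lowercasing matters: "I".lower() is "i",
    which would never collide with "l".
    """
    s = unicodedata.normalize("NFKC", name)
    s = "".join(CONFUSABLES.get(ch, ch) for ch in s)
    return s.lower()


def check_maintainer(candidate: str, trusted: list[str]) -> dict:
    """Classify a candidate name as trusted, lookalike (impersonation), or unknown."""
    if candidate in trusted:
        return {"name": candidate, "verdict": "trusted"}
    cand_skel = skeleton(candidate)
    for t in trusted:
        if skeleton(t) == cand_skel:
            # Same skeleton but not the same string: this is the typosquat case.
            return {"name": candidate, "verdict": "lookalike", "impersonates": t}
    return {"name": candidate, "verdict": "unknown"}


def explain(candidate: str, impersonated: str) -> list[str]:
    """Describe, character by character, how a lookalike differs from the real name.

    Useful in a review comment: it shows the Unicode names, which is the only
    reliable way to see an "I"/"l" or Latin/Cyrillic swap a font may hide.
    """
    notes = []
    for i, (c, t) in enumerate(zip(candidate, impersonated)):
        if c != t:
            notes.append(f"pos {i}: {unicodedata.name(c)} vs {unicodedata.name(t)}")
    if len(candidate) != len(impersonated):
        notes.append("length differs")
    return notes


def audit(candidates: list[str], trusted: list[str]) -> list[dict]:
    """Return only the candidates that need human attention (lookalike or unknown)."""
    results = [check_maintainer(c, trusted) for c in candidates]
    return [r for r in results if r["verdict"] != "trusted"]


if __name__ == "__main__":
    # Constructed sample: one genuine name, one I/l swap, one Cyrillic swap, one stranger.
    samples = ["alice_dev", "aIice_dev", "\u0430lice_dev", "mallory"]
    for finding in audit(samples, TRUSTED_MAINTAINERS):
        print(finding)
        if finding["verdict"] == "lookalike":
            for line in explain(finding["name"], finding["impersonates"]):
                print("   ", line)
```

The skeleton approach is deliberately conservative: a legitimate name such as "dev1" collapses to the same skeleton as "devl", so the check produces an alert for a human to review rather than an automatic block. Run it over the names attached to a release artifact, its commit authors and the package's listed maintainers before anything from the repository is executed.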
Once the code is run, a Remote Access Trojan silently takes over, alerting the attackers via Telegram or Slack and logging successful infections using blockchain testnets. From that moment, any data or credentials on the compromised machine are fair game for the hackers.
The sophistication of the graphalgo campaign is a stark reminder: in the world of cybersecurity, trust can be weaponized. As attackers blend real-world bureaucracy with digital trickery, developers and companies must raise their guard. Sandboxing code, verifying employers, and scrutinizing even the most “official” paperwork are no longer optional - they’re essential survival skills in today’s threat landscape.
WIKICROOK
- LLC: An LLC is a US legal business structure that protects owners' personal assets, commonly used by cybersecurity professionals and firms.
- Typosquatting: Typosquatting is when attackers use lookalike names of trusted sites or software to trick users into visiting fake sites or downloading malware.
- Release Artifact: A release artifact is a packaged output from a software build, containing files needed for deployment, and is critical for secure software distribution.
- Remote Access Trojan (RAT): A Remote Access Trojan (RAT) is malware that lets attackers secretly control a victim’s computer from anywhere, enabling theft and spying.
- Sandbox Environment: A sandbox environment is a secure, isolated space where programs or files are tested safely, preventing harm or data leaks to the main system.