North Korean hackers, linked to the Lazarus Group, created three shell companies — two of which were U.S.-based — to target cryptocurrency developers with malware, according to a report by cybersecurity firm Silent Push.

BlockNovas LLC and SoftGlide LLC were registered in the U.S. states of New Mexico and New York, respectively. A third entity, Angeloper Agency, was also linked to the campaign but is not registered in the U.S.

The North Korean APT group Contagious Interview (a subgroup of Lazarus) was behind the campaign, using three fake cryptocurrency companies as fronts for malware distribution.

Domains and subdomains linked to their operations include lianxinxiao[.]com, blocknovas[.]com, and apply-blocknovas[.]site.