HackRead

Lazarus Hackers Register Real US LLCs to Spread Malware


Cybersecurity researchers at ReversingLabs have found a new scam targeting blockchain developers with fake job offers. Their research, shared with Hackread.com, reveals that hackers are now registering real legal companies in the US to trick their victims.

The Florida Connection

The hackers, part of the North Korea-linked Lazarus Group, are running what researchers have dubbed the graphalgo campaign, and they have gone to great lengths to manufacture legitimacy. To look like a real business, they registered a company called Blocmerce as a legal LLC in Florida last August, set up accounts that mimic the legitimate firm SWFT Blockchain, and even ran fake operations under the names Blockmerce and Bridgers Finance.

(Credit: ReversingLabs)

That’s not all. They even filed official state papers listing a fake CEO named Alexandre Miller. Although the addresses in the filings were real locations, ReversingLabs’ investigation revealed that they belonged to innocent residents. “It is more likely that these are fake (or stolen) identities,” researchers noted in the blog post, pointing out that it is a tactic frequently used by North Korean state actors.

The fake profile (Credit: ReversingLabs)

A Recurring Scam

This isn’t a new scam, though. ReversingLabs first spotted and reported the GraphAlgo campaign in February 2026 after finding that it had been active since at least June 2025. Previously, the attack relied on a fake GitHub-based crypto organisation, veltrix-capital, which installed a malicious package called bigmathutils, downloaded 10,000 times on npm.

But this time, researchers noted that the hackers have improved their methods considerably. Instead of publishing through public registries like npm or PyPI, they now hide the malware in GitHub ‘release artifacts’. They also used git log rewriting to forge the history of their code so that the fake employees, Dmytro Buryma and Karina Lesova, appear to have been working on the projects for months. The point of all this is to build a false sense of trust.
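A defender reviewing a repository attached to a "test task" can look for the traces that careless history rewriting leaves behind. The following is an added example written for this article, not code from ReversingLabs or from the campaign; it parses constructed `git log --format='%H|%an|%ae|%aI|%cI'` output (the sample hashes, names and addresses are made up) and flags commits whose author date predates the repository's creation on the hosting platform, or whose committer date is far later than the author date. The repository creation timestamp is an assumption supplied by the caller (on GitHub it is the `created_at` field of the repository API object).

```python
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample of `git log --format='%H|%an|%ae|%aI|%cI'` output.
# Hashes, names and e-mail addresses are invented for this example.
SAMPLE_LOG = """\
0000000000000000000000000000000000000001|Dev One|dev1@example.test|2025-03-02T10:00:00+00:00|2026-01-15T09:30:00+00:00
0000000000000000000000000000000000000002|Dev Two|dev2@example.test|2026-01-20T12:00:00+00:00|2026-01-20T12:00:00+00:00
0000000000000000000000000000000000000003|Dev One|dev1@example.test|2025-11-10T08:00:00+00:00|2025-11-10T08:05:00+00:00
"""

# Assumption: when the hosting platform says the repository was created
# (for GitHub, the repository object's `created_at`). Constructed value.
REPO_CREATED_AT = datetime.fromisoformat("2025-12-01T00:00:00+00:00")


def parse_log(log_text: str) -> List[Dict[str, object]]:
    """Split pipe-delimited git log lines into commit records with parsed dates."""
    commits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        sha, name, email, author_date, commit_date = line.split("|", 4)
        commits.append({
            "sha": sha,
            "author": name,
            "email": email,
            "author_date": datetime.fromisoformat(author_date),
            "commit_date": datetime.fromisoformat(commit_date),
        })
    return commits


def find_suspicious_commits(log_text: str, repo_created_at: datetime,
                            max_skew: timedelta = timedelta(days=1)) -> List[Dict[str, object]]:
    """Return commits whose timestamps are inconsistent with an organically grown history.

    Two signals are checked:
      * the author date is earlier than the repository existed on the platform;
      * the committer date is much later than the author date, which is what
        rebasing, amending or history rewriting leaves behind when only the
        author date is back-dated.
    """
    findings = []
    for commit in parse_log(log_text):
        reasons = []
        if commit["author_date"] < repo_created_at:
            reasons.append("author date predates repository creation")
        if commit["commit_date"] - commit["author_date"] > max_skew:
            reasons.append("committer date much later than author date (rewritten or rebased)")
        if reasons:
            findings.append({"sha": commit["sha"], "author": commit["author"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_commits(SAMPLE_LOG, REPO_CREATED_AT):
        print(finding["sha"][:12], finding["author"], "->", "; ".join(finding["reasons"]))
```

Both git dates can be set freely by whoever writes the commit, so the skew check only catches sloppy back-dating; the comparison against the platform's own creation timestamp is the signal an attacker cannot rewrite from inside the repository, which is why the example treats it as a separate reason.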

The group also used typosquatting to fool developers. In one case, they created a fake GitHub account that looked almost identical to the account of the well-known developer Jordan Harband. They swapped the lowercase L at the start of his username, ljharb, for a capital i, giving Ijharb, which renders nearly the same in many fonts.

Developers who believed they were downloading his tool, side-channel-weakmap, were actually installing malware. The payload is a Remote Access Trojan (RAT), installed as soon as a developer runs the ‘test task.’
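The ljharb/Ijharb swap works because the two handles collide once visually confusable characters are folded together, and that is also how a dependency audit can catch it. The following is an added example for this article, not code from the project or from ReversingLabs: it takes a constructed set of package.json-style dependency specifiers, extracts the GitHub owner where one is present, and reports any owner that is a look-alike of a trusted maintainer handle (equal after confusable folding, or within one edit of it). The confusable map is a deliberately small, assumed set rather than the full Unicode confusables table, and the repository names in the sample are invented.

```python
import re
from typing import Dict, List, Optional, Set, Tuple

# Assumption: a small practical confusable map (lowercase L, capital I and the
# digit 1; o and 0; s and 5). A production check would use a fuller table.
_CONFUSABLES = {
    "l": "1", "I": "1", "1": "1", "|": "1",
    "O": "0", "o": "0", "0": "0",
    "S": "5", "s": "5", "5": "5",
}

# Matches the owner in "github:owner/repo" and "git+https://github.com/owner/repo.git".
_GITHUB_OWNER = re.compile(r"github(?:\.com)?[:/]([A-Za-z0-9_.-]+)/")

# Constructed inputs: the trusted handle named in the article plus invented repo names.
TRUSTED_OWNERS: Set[str] = {"ljharb"}
SAMPLE_DEPS: Dict[str, str] = {
    "side-channel-weakmap": "github:Ijharb/side-channel-weakmap",    # look-alike owner (capital I)
    "example-lib": "git+https://github.com/ljharb/example-lib.git",  # trusted owner, constructed repo
    "lodash": "^4.17.21",                                             # registry spec, no owner to check
    "some-tool": "github:octocat-example/some-tool",                 # unknown owner, not a look-alike
}


def normalize_handle(name: str) -> str:
    """Fold visually confusable characters so look-alike handles collide."""
    folded = "".join(_CONFUSABLES.get(ch, ch.lower()) for ch in name)
    return folded.replace("rn", "m")  # "rn" renders like "m" in many fonts


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def owner_of(spec: str) -> Optional[str]:
    """Return the GitHub owner from a dependency specifier, or None for registry specs."""
    match = _GITHUB_OWNER.search(spec)
    return match.group(1) if match else None


def audit_dependencies(deps: Dict[str, str], trusted: Set[str]) -> Dict[str, List[Tuple]]:
    """Classify GitHub-sourced dependencies as look-alikes of trusted owners or simply untrusted."""
    report: Dict[str, List[Tuple]] = {"lookalike": [], "untrusted": []}
    trusted_norm = {normalize_handle(t): t for t in trusted}
    for dep, spec in deps.items():
        owner = owner_of(spec)
        if owner is None or owner in trusted:
            continue  # registry version spec, or an exact trusted owner
        norm = normalize_handle(owner)
        target = trusted_norm.get(norm)
        if target is None:
            for t in trusted:
                if edit_distance(norm, normalize_handle(t)) <= 1:
                    target = t
                    break
        if target:
            report["lookalike"].append((dep, owner, target))
        else:
            report["untrusted"].append((dep, owner))
    return report


if __name__ == "__main__":
    result = audit_dependencies(SAMPLE_DEPS, TRUSTED_OWNERS)
    for dep, owner, target in result["lookalike"]:
        print(f"LOOK-ALIKE: {dep} is sourced from {owner!r}, which resembles trusted {target!r}")
    for dep, owner in result["untrusted"]:
        print(f"UNTRUSTED: {dep} is sourced from {owner!r}")
```

The check is only as good as the trusted-owner list, so the natural place to run it is a pre-install hook or CI step with the maintainers your project actually depends on; an "untrusted" hit is a prompt to verify the owner, while a "look-alike" hit should block the install outright.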

“That payload is the same RAT that we observed in the initial graphalgo campaign… The structure of the downloader code is pretty much the same as we observed in the earlier campaign, also,” researchers noted.

The RAT gives the hackers full control over the victim’s machine and pings the attackers via Telegram or Slack to confirm that the infection worked. It also uses the Sepolia testnet to log successful attacks.

Since this campaign has remained active throughout late 2025, caution is your only defence against it. If you are downloading code for a job test, run it in a sandbox environment: however popular a project appears to be, that alone does not make it safe to trust.

Photo by Rene Böhmer on Unsplash