Cybersecurity researchers at ReversingLabs have identified a new scam targeting blockchain developers through fake job offers, with the operation relying on legally registered companies in the United States to appear credible. Research shared with Hackread.com says the attackers are using this structure to deceive victims while masking a broader malware campaign.
The Florida company front
The operation has been linked to the North Korea-connected Lazarus Group and described by researchers as part of the GraphAlgo campaign. To create the appearance of a legitimate business, the attackers registered a company called Blockmerce as a legal LLC in Florida last August, created accounts mimicking the real firm SWFT Blockchain, and conducted fake operations under the names Blockmerce and Bridgers Finance.
Researchers said the group also filed official state papers listing a supposed chief executive named Alexandre Miller. Although the addresses used in those filings were real locations, the investigation found they belonged to unrelated residents. ReversingLabs said it was more likely that the identities used were fake or stolen, adding that this method is frequently used by North Korean state actors.
A campaign that has evolved
The researchers say this is not a new operation. ReversingLabs first reported the GraphAlgo campaign in February 2026, after finding it had been active since at least June 2025. In its earlier form, the attack relied on a fake GitHub-based crypto organisation called veltrix-capital, which distributed a malicious package named bigmathutils that was downloaded 10,000 times on npm.
Researchers now say the attackers have significantly improved their methods. Instead of using public repositories such as npm or PyPI in the same way, they are said to be hiding malware as release artefacts inside GitHub. The campaign also reportedly used git log rewriting to falsify the development history of code so that fake employees, Dmytro Buryma and Karina Lesova, appeared to have worked on projects for months, helping create trust.
The operation also used typosquatting to mislead developers. In one example, the attackers created a fake GitHub account resembling that of developer Jordan Harband by replacing the lowercase L at the beginning of his username, ljharb, with a capital I, making it appear nearly identical.
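A check for the lookalike-owner trick described above, as an added example that is not from ReversingLabs or the original article: it pulls the GitHub owner out of each dependency spec in a package.json and flags owners that collapse to the same string as a trusted owner once visually confusable characters are folded together. The folding table, the function names and the sample dependency specs are assumptions constructed for illustration.

```javascript
// Added example: flag GitHub owners in dependency specs that imitate a trusted owner.
// GitHub logins are case-insensitive, so "Ijharb" and "ijharb" are the same account.

// Fold characters that render alike in common fonts onto one representative.
const CONFUSABLE = { i: "l", "1": "l", "0": "o" };

function skeleton(owner) {
  return owner.toLowerCase().replace(/[i10]/g, (c) => CONFUSABLE[c]);
}

// Pull the owner out of the GitHub forms npm accepts in package.json:
// "github:owner/repo", "owner/repo#ref", and git/https URLs on github.com.
function githubOwner(spec) {
  const url = spec.match(/github\.com[/:]([A-Za-z0-9-]+)\//);
  if (url) return url[1];
  const short = spec.match(/^(?:github:)?([A-Za-z0-9-]+)\/[\w.-]+(?:#.*)?$/);
  return short ? short[1] : null;
}

function findLookalikes(dependencies, trustedOwners) {
  const trusted = new Map(trustedOwners.map((o) => [skeleton(o), o.toLowerCase()]));
  const findings = [];
  for (const [name, spec] of Object.entries(dependencies)) {
    const owner = githubOwner(spec);
    if (!owner) continue; // registry version range, not a GitHub source
    const match = trusted.get(skeleton(owner));
    // Same skeleton as a trusted owner but a different login: a lookalike.
    if (match && match !== owner.toLowerCase()) {
      findings.push({ dependency: name, owner, imitates: match });
    }
  }
  return findings;
}

// Constructed sample: repo paths and the release URL are made up for illustration.
const sampleDeps = {
  "side-channel-weakmap": "github:Ijharb/side-channel-weakmap",
  "side-channel": "git+https://github.com/ljharb/side-channel.git",
  "example-tool": "https://github.com/Ijharb/example-tool/releases/download/v1.0.0/example-tool.tgz",
  "left-pad": "^1.3.0",
};

console.log(findLookalikes(sampleDeps, ["ljharb"]));
```

The trusted-owner list is the part a team maintains itself; the check only catches imitations of names on that list, so it complements rather than replaces running job-test code in a sandbox.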
Malware hidden in job test code
The developers who believed they were downloading Harband’s tool, side-channel-weakmap, were instead installing malware. The malicious software was described as a Remote Access Trojan that was deployed after a developer ran the test task.
Researchers said the payload matched the RAT seen in the earlier GraphAlgo campaign and that the structure of the downloader code was also largely the same. Once installed, the malware was said to give attackers full control over the victim’s machine and send alerts through Telegram or Slack to confirm that the infection had worked. It also used the Sepolia testnet to log successful attacks.
The campaign remained active through late 2025. The report said precaution was the main defence and advised developers running code for job tests to use a sandbox environment, noting that a project’s apparent popularity does not necessarily make it safe to trust.