
Lazarus Hackers Use Real US LLCs to Distribute Malware in GraphAlgo Scam

  • 6 days ago
  • 2 min read

Key Findings


  • The North Korea-linked Lazarus Group registered a legitimate US LLC to distribute malware targeting blockchain developers

  • Hackers created a fake company, "Blocmerce", in Florida, with a fabricated CEO and official state filings that list real residential addresses

  • GraphAlgo campaign evolved from npm package distribution to hiding malware in GitHub release artifacts

  • A Remote Access Trojan (RAT) is deployed after developers run test tasks, giving attackers full control of the machine

  • Campaign has been active since at least June 2025 with improved social engineering tactics


Background


ReversingLabs cybersecurity researchers uncovered a sophisticated scam dubbed the GraphAlgo campaign where the Lazarus Group has gone to extraordinary lengths to appear legitimate. The operation targets blockchain developers with fake job offers, but this iteration represents a significant escalation in both resources and deception tactics compared to earlier versions of the campaign.


The Florida Operation


The hackers registered a company called Blocmerce as a legal LLC in Florida in August, complete with official state paperwork listing a fake CEO named Alexandre Miller. While the addresses used in the filings were real locations, ReversingLabs determined they belong to uninvolved residents, indicating the identities were either fabricated or stolen. The group also set up accounts mimicking the legitimate firm SWFT Blockchain and operated under aliases including Blockmerce and Bridgers Finance. This is a dramatic shift from typical cybercriminal operations, as registering actual legal entities requires significant investment and coordination.


Evolution of Attack Methods


The current campaign shows marked improvement over previous iterations. Earlier efforts relied on distributing malicious packages such as bigmathutils through npm, which reached 10,000 downloads before detection. The new approach hides malware within GitHub release artifacts rather than public package repositories, making detection considerably harder. Attackers also rewrote git logs to create false employment histories for the fake developers Dmytro Buryma and Karina Lesova, manufacturing the appearance of months-long project involvement to build credibility.
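A rewritten git history of the kind described above usually leaves traces that a reviewer can check before trusting a contributor's apparent track record. The following is an added example (not code from the article or from ReversingLabs) showing three heuristics over a git log: commits whose author date predates the repository's creation, commits whose committer date is far later than their author date, and large batches of commits stamped with the same committer second. It assumes the log lines come from `git log --reverse --format='%H%x09%an%x09%at%x09%ct'` and that the repository creation time comes from the hosting platform (GitHub reports it as `created_at` on the repository object); the sample log, names and dates are constructed.

```python
# Added example, not code from the article or from ReversingLabs: heuristics for
# spotting a rewritten git history in which commits are backdated to fake months of
# prior involvement. Assumptions: log lines come from
#   git log --reverse --format='%H%x09%an%x09%at%x09%ct'
# (hash, author name, author epoch, committer epoch, tab-separated) and the
# repository creation time comes from the hosting platform (GitHub: `created_at`).
# The sample log and all dates below are constructed.
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timezone

PREDATES_REPO = "author-date-predates-repo-creation"
AUTHOR_COMMITTER_GAP = "committer-date-far-after-author-date"
BATCH_REWRITE = "shares-committer-timestamp-with-many-commits"


@dataclass
class Commit:
    sha: str
    author: str
    author_ts: int      # %at, seconds since the epoch
    committer_ts: int   # %ct


def parse_log(text: str) -> list:
    """Parse tab-separated log lines into Commit records."""
    commits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        sha, author, at, ct = line.split("\t")
        commits.append(Commit(sha, author, int(at), int(ct)))
    return commits


def find_history_anomalies(commits, repo_created_ts, gap_days=30, batch_min=5):
    """Return (sha, reason) pairs. Each heuristic has benign explanations (an
    imported project, a rebase that preserved author dates), so treat hits as a
    prompt to verify the contributor's history elsewhere, not as proof."""
    findings = []
    committer_counts = Counter(c.committer_ts for c in commits)
    for c in commits:
        # A commit cannot honestly be authored before the repository existed,
        # unless its history was imported from elsewhere.
        if c.author_ts < repo_created_ts:
            findings.append((c.sha, PREDATES_REPO))
        # GIT_AUTHOR_DATE set far in the past while the commit was made recently.
        if c.committer_ts - c.author_ts > gap_days * 86400:
            findings.append((c.sha, AUTHOR_COMMITTER_GAP))
        # A filter-branch/rebase pass stamps many commits with one committer second.
        if committer_counts[c.committer_ts] >= batch_min:
            findings.append((c.sha, BATCH_REWRITE))
    return findings


def _ts(day: str) -> int:
    """Midnight UTC of a YYYY-MM-DD date as an epoch integer (for the sample)."""
    return int(datetime.strptime(day, "%Y-%m-%d").replace(tzinfo=timezone.utc).timestamp())


# Constructed sample: five commits "authored" monthly since January but all actually
# committed on one day in August, plus one genuine commit made the following day.
SAMPLE_LOG = "\n".join(
    f"{sha}\t{author}\t{_ts(authored)}\t{_ts(committed)}"
    for sha, author, authored, committed in [
        ("c0ffee01", "contributor-a", "2025-01-10", "2025-08-20"),
        ("c0ffee02", "contributor-a", "2025-02-15", "2025-08-20"),
        ("c0ffee03", "contributor-a", "2025-03-20", "2025-08-20"),
        ("c0ffee04", "contributor-a", "2025-04-25", "2025-08-20"),
        ("c0ffee05", "contributor-a", "2025-05-30", "2025-08-20"),
        ("c0ffee06", "contributor-a", "2025-08-21", "2025-08-21"),
    ]
)
REPO_CREATED = _ts("2025-06-01")   # constructed: the platform's created_at for the repo


if __name__ == "__main__":
    for sha, reason in find_history_anomalies(parse_log(SAMPLE_LOG), REPO_CREATED):
        print(sha, reason)
```

On the constructed sample the five backdated commits trigger all three heuristics and the genuine commit triggers none. In practice the first check is the strongest signal, because the platform's repository creation time is outside the attacker's control, whereas author and committer dates are both freely settable and a careful rewrite can make the other two checks silent.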


Deception Techniques


Typosquatting played a central role in the social engineering strategy. The hackers created a fake GitHub account impersonating the well-known developer Jordan Harband by replacing the lowercase L in his username ljharb with a capital I, resulting in Ijharb. Developers who believed they were downloading his legitimate tool side-channel-weakmap instead received malware. This level of attention to detail demonstrates a sophisticated understanding of how developers decide which resources to trust.
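The ljharb/Ijharb swap works because the two glyphs are indistinguishable in many fonts, so a review process that relies on eyeballing a username or package name will miss it. The following is an added example (not code from the article or from ReversingLabs) of a defender-side check that reduces names to a "skeleton" in which confusable characters coincide and flags candidates that collide with, or sit one edit away from, a trusted name. The trusted names are the two the article mentions; the confusable table is a small illustrative subset of Unicode's confusables.txt, and the extra test names are constructed.

```python
# Added example, not code from the article or from ReversingLabs: flag account or
# package names that are visually confusable with a trusted name, such as "Ijharb"
# (capital I) standing in for "ljharb" (lowercase L). The confusable table is a
# small illustrative subset; Unicode's confusables.txt is the authoritative list.
import unicodedata

# Characters that render nearly identically in common fonts. Applied before
# lowercasing so that capital I collapses onto lowercase l.
CONFUSABLES = {
    "I": "l", "1": "l", "|": "l",                  # I, one and pipe look like lowercase L
    "0": "o", "5": "s",
    "\u0430": "a", "\u0435": "e", "\u043e": "o",   # Cyrillic a, e, o
    "\u0440": "p", "\u0441": "c", "\u0445": "x",   # Cyrillic er, es, ha
}
# Two-character sequences that read as a single letter.
DIGRAPHS = {"rn": "m", "vv": "w"}

# Names taken from the article: the impersonated maintainer and his package.
TRUSTED = ["ljharb", "side-channel-weakmap"]


def skeleton(name: str) -> str:
    """Reduce a name to a form in which confusable spellings coincide."""
    s = unicodedata.normalize("NFKD", name)               # fold fullwidth forms, split accents
    s = "".join(ch for ch in s if not unicodedata.combining(ch))
    for src, dst in DIGRAPHS.items():
        s = s.replace(src, dst)
    s = "".join(CONFUSABLES.get(ch, ch) for ch in s)
    return s.lower()


def lookalikes(candidate: str, trusted: list) -> list:
    """Trusted names that `candidate` is confusable with (excluding an exact match)."""
    sk = skeleton(candidate)
    return [t for t in trusted if t != candidate and skeleton(t) == sk]


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one-keystroke typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess(candidate: str, trusted: list = TRUSTED) -> tuple:
    """Classify a name as trusted, confusable, near-miss (one edit away) or unknown,
    returning (verdict, matched trusted name or None)."""
    if candidate in trusted:
        return ("trusted", candidate)
    hits = lookalikes(candidate, trusted)
    if hits:
        return ("confusable", hits[0])
    sk = skeleton(candidate)
    for t in trusted:
        if edit_distance(sk, skeleton(t)) <= 1:
            return ("near-miss", t)
    return ("unknown", None)


if __name__ == "__main__":
    # "Ijharb" and "side-channeI-weakmap" use the capital-I swap from the article;
    # "ljharbb" and "lodash" are constructed controls.
    for name in ["ljharb", "Ijharb", "side-channeI-weakmap", "ljharbb", "lodash"]:
        print(f"{name!r:>24} -> {assess(name)}")
```

A check like this belongs wherever a name is accepted on sight: a pre-install hook that compares a package's maintainer against a pinned allowlist, or a CI step that verifies a release was fetched from the expected account rather than a lookalike. It does not replace verifying the publisher by signature or account URL; it only makes the glyph trick visible.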


Malware Payload and Capabilities


The deployed Remote Access Trojan activates when developers run the test tasks, granting attackers complete control of the machine. The RAT notifies attackers of successful infections via Telegram or Slack and logs attacks to the Sepolia testnet. Researchers noted that the code structure closely matches the original GraphAlgo campaign malware, suggesting the group refined rather than completely rebuilt its toolkit. The infection notification system ensures attackers know immediately which developers have been compromised.


Ongoing Threat


The campaign maintained activity throughout late 2025, indicating sustained commitment to the operation. Security researchers recommend running downloaded code in isolated sandbox environments regardless of project popularity or apparent legitimacy, as visual cues and reputation alone provide insufficient protection against these sophisticated social engineering attacks.


Sources


  • https://hackread.com/graphalgo-scam-lazarus-hackers-us-llcs-malware/

  • https://x.com/HackRead/status/2042649106464539105

  • https://www.linkedin.com/posts/cyber-news-live_graphalgo-scam-lazarus-hackers-register-activity-7448541676614115328-P4Ad

  • https://x.com/Dinosn/status/2042792312988667972

  • https://www.facebook.com/HackRead/posts/graphalgo-scam-north-korean-lazarus-hackers-are-using-fake-florida-llcs-mimickin/1520501956742043/

© 2025 by Explain IT Again