North Korea’s Lazarus Group poses as Fenbushi executive: SlowMist

The North Korea-backed cyber-hacker entity Lazarus Group is targeting LinkedIn users by impersonating an executive member of Chinese blockchain asset management firm Fenbushi Capital, security firm SlowMist said Monday.

SlowMist’s chief information security officer posted a screenshot on X that shows the scam LinkedIn user under the name “Nevil Bolson” who claimed to be the founding partner at Fenbushi. The impostor’s profile picture was taken from real Fenbushi Capital partner Remington Ong, according to 23pds.

The Block confirmed that Lazarus Group’s fake LinkedIn user page remains live at publication time. “Looking for Software developers. Please reach out to me for more discussion,” the impostor posted on LinkedIn three weeks ago.

“Lazarus would use this impostor to chat privately with their targets on LinkedIn, chatting in the name of investment, and then would say, ‘let’s set up a meeting,’” 23pds told The Block. 

SlowMist said in a blog post that Lazarus targets prominent DeFi projects, which is one of the reasons the hacker group poses as a member of an investment company. After the hackers gain the victim’s trust, Lazarus inserts malicious links that pose as a meeting link or an events page, which will launch a phishing attack when clicked.

The SlowMist CISO told The Block that they identified “Nevil Bolson” as a part of Lazarus by comparing IP addresses on top of using the same attack strategy.

North Korea’s state-backed crypto hacker groups earned the country around 50% of its foreign currency, a large share of which was reportedly used for developing weapons of mass destruction, according to the UN Security Council.

About $1.7 billion worth of funds were stolen from the crypto space across 231 hacks, according to blockchain analytics firm Chainalysis.