Malware | Apr 10, 2026

GraphAlgo Scam: Lazarus Hackers Register Real US LLCs to Spread Malware

Lazarus Group registers real US LLCs and uses GitHub typosquatting to distribute malware to developers.

Summary

ReversingLabs discovered a new wave of the GraphAlgo campaign in which North Korea-linked Lazarus Group operators registered real Florida LLCs (including Blocmerce) to impersonate legitimate blockchain firms such as SWFT Blockchain. The attackers use GitHub typosquatting, fake employee identities, and git history manipulation to distribute a Remote Access Trojan (RAT) disguised as development tools and job test packages, hiding the malware in GitHub release artifacts rather than on public package managers.

Full text

ReversingLabs has discovered a fresh wave of the graphalgo campaign in which North Korean Lazarus hackers are using fake Florida LLCs, mimicking SWFT Blockchain, and using GitHub typo-squatting to target developers with malware.

by Deeba Ahmed, April 10, 2026

Cybersecurity researchers at ReversingLabs have found a new scam targeting blockchain developers with fake job offers. Their research, shared with Hackread.com, reveals that the hackers are now registering real legal companies in the US to trick their victims.

The Florida Connection

The hackers, part of the North Korea-linked Lazarus Group, are running what researchers have dubbed the graphalgo campaign, and they have gone to great lengths to create an appearance of legitimacy. To look like a real business, they registered a company called Blocmerce as a legal LLC in Florida last August, set up accounts that mimic the legitimate firm SWFT Blockchain, and even ran fake operations under the names Blockmerce and Bridgers Finance.

Image: (Credit: ReversingLabs)

That's not all. They also filed official state papers listing a fake CEO named Alexandre Miller. Although the addresses in the filings were real locations, ReversingLabs' investigation revealed that they belonged to uninvolved residents. "It is more likely that these are fake (or stolen) identities," researchers noted in the blog post, pointing out that this is a tactic frequently used by North Korean state actors.

Image: The fake profile (Credit: ReversingLabs)

A Recurring Scam

This isn't a new scam, though. ReversingLabs first spotted and reported the GraphAlgo campaign in February 2026 after finding that it had been active since at least June 2025. Previously, the attack relied on a fake GitHub-based crypto organisation, veltrix-capital, which installed a malicious package called bigmathutils that was downloaded 10,000 times on npm.

This time, researchers noted, the hackers have improved their methods considerably. Instead of using public registries like npm or PyPI, they now hide the malware as "release artifacts" inside GitHub. They also used a trick called git log rewriting to fake the history of their code so that fake employees, Dmytro Buryma and Karina Lesova, appear to have been working on the projects for months. This is done to build a false sense of trust.

The group also used typosquatting to fool developers. In one case, they created a fake GitHub account that looked exactly like the account of the well-known developer Jordan Harband. They swapped the lowercase L at the start of his username, ljharb, for a capital I, producing Ijharb, which looks the same at a glance. Developers who thought they were downloading his tool, side-channel-weakmap, were actually installing malware.

The malware is a Remote Access Trojan (RAT), installed as soon as a developer runs the "test task." "That payload is the same RAT that we observed in the initial graphalgo campaign… The structure of the downloader code is pretty much the same as we observed in the earlier campaign, also," researchers noted. The RAT gives the attackers full control over the victim's machine and notifies them via Telegram or Slack that the infection succeeded. It also uses the Sepolia testnet to log successful attacks.

Since this campaign has remained active throughout late 2025, precaution is your only defence against it. If you are downloading code for a job test, run it in a sandbox environment, because no matter how popular a project may look, that does not mean it is safe to trust.
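The ljharb / Ijharb substitution described above is a homoglyph attack: two handles that are different strings but render almost identically. A defender-side check is to reduce every maintainer or package name to a "skeleton" in which look-alike characters are collapsed, and then compare candidates against an allowlist of maintainers you actually trust. The script below is an added example written for this article; it is not ReversingLabs' tooling or Hackread's code. The confusable table, the trusted list and the candidate names other than the ljharb / Ijharb pair are constructed for illustration, and the table only covers common ASCII look-alikes.

```python
"""Flag GitHub handles or package names that visually impersonate trusted ones.

Added example for the GraphAlgo article, not code from ReversingLabs or Hackread.
The confusable table is a deliberately small ASCII-only assumption; a production
check would use the full Unicode confusables data.
"""
from typing import Dict, Iterable, Optional, Tuple

# Characters that render nearly identically in common UI fonts, mapped to one
# canonical skeleton character. Uppercase 'I' -> lowercase 'l' is the case
# exploited by the Ijharb account.
CONFUSABLES: Dict[str, str] = {
    "I": "l", "1": "l", "|": "l",
    "0": "o", "O": "o",
    "5": "s", "$": "s",
}


def skeleton(name: str) -> str:
    """Collapse look-alike characters so visually identical names compare equal."""
    chars = [CONFUSABLES.get(ch, ch.lower()) for ch in name]
    # The digraph "rn" reads as "m" in many fonts (e.g. "rnalware" vs "malware").
    return "".join(chars).replace("rn", "m")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one-character typos after skeletonising."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def classify(candidate: str, trusted: Iterable[str]) -> Tuple[str, Optional[str]]:
    """Return (verdict, trusted name the candidate resembles or None).

    Verdicts: "trusted" (exact allowlist match), "confusable" (same skeleton,
    different string, i.e. a homoglyph), "typo" (one edit away after
    skeletonising), "unknown" (no resemblance to anything on the allowlist).
    """
    trusted = list(trusted)
    if candidate in trusted:
        return ("trusted", candidate)
    cand_skel = skeleton(candidate)
    for t in trusted:
        if cand_skel == skeleton(t):
            return ("confusable", t)
    for t in trusted:
        if edit_distance(cand_skel, skeleton(t)) == 1:
            return ("typo", t)
    return ("unknown", None)


def audit(candidates: Iterable[str], trusted: Iterable[str]) -> Dict[str, Tuple[str, Optional[str]]]:
    """Classify every candidate name against the allowlist."""
    trusted = list(trusted)
    return {c: classify(c, trusted) for c in candidates}


if __name__ == "__main__":
    # Constructed allowlist of maintainers an organisation has vetted.
    TRUSTED = ["ljharb", "sindresorhus"]
    # Constructed candidates; "Ijharb" (capital I) is the impersonation from the article.
    CANDIDATES = ["ljharb", "Ijharb", "ljhard", "veltrix-capital"]
    for name, (verdict, ref) in audit(CANDIDATES, TRUSTED).items():
        print(f"{name:18} {verdict:11} {ref or ''}")
```

A "confusable" or "typo" verdict is a signal to stop and verify the account through a channel the attacker does not control (the maintainer's own site or a registry page you reached independently), not proof of malice on its own. Note that this check says nothing about the repository's commit history, which the article reports was rewritten to look months old; a fabricated history will pass any name-based check.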

Indicators of Compromise

  • malware — bigmathutils
  • malware — side-channel-weakmap
  • malware — Remote Access Trojan (RAT)

Entities

  • Lazarus Group (threat_actor)
  • GraphAlgo (campaign)
  • ReversingLabs (vendor)
  • SWFT Blockchain (vendor)
  • GitHub (technology)
  • npm (technology)