
GraphAlgo Scam: Lazarus Hackers Register Real US LLCs to Spread Malware
Why It Matters
The tactic blurs the line between legitimate business entities and cyber‑crime, raising supply‑chain risk for the rapidly expanding crypto development ecosystem. Organizations must tighten vetting of open‑source code sources to prevent credential‑level breaches.
Key Takeaways
- Lazarus Group registered Florida LLC Blocmerce to appear legitimate
- Malware hidden in GitHub release artifacts, bypassing public package stores
- Typosquatted GitHub accounts trick developers into installing RAT payloads
- Researchers advise sandboxing code downloads to mitigate infection risk
Pulse Analysis
The GraphAlgo campaign illustrates a sophisticated evolution in supply‑chain attacks against blockchain developers. By establishing a real‑world LLC in Florida, the Lazarus Group creates a veneer of legitimacy that fools recruiters and job‑seeking engineers. This legal front, coupled with fabricated executive identities, allows the threat actors to distribute malicious code through seemingly authentic GitHub repositories, sidestepping traditional defenses that focus on public package registries like npm or PyPI.
Technical deception goes beyond simple typosquatting. The attackers rewrite git histories to fabricate long‑standing contributors, such as Dmytro Buryma and Karina Lesova, lending false credibility to their projects. They also exploit subtle visual tricks—replacing a lowercase "l" with an uppercase "I" in account names—to impersonate well‑known developers. Once a victim runs the malicious test task (the coding assignment handed out as part of the fake recruitment), a Remote Access Trojan installs silently, establishing command‑and‑control channels via Telegram and Slack and logging successes on the Sepolia testnet.
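The lowercase "l" to uppercase "I" swap described above is easy to catch mechanically if you keep a list of the maintainer handles your team actually trusts. The following is an added example, not code from the article or from any of the researchers it cites: it folds candidate GitHub handles to a confusable "skeleton" and flags any that collide with a trusted handle without being that handle. The trusted and candidate handles are constructed placeholders, and the confusable table covers the article's l/I case plus a few other common Latin look-alikes.

```python
# Added example: flag GitHub handles that are visual look-alikes of trusted maintainers.
# Handles below are constructed placeholders, not accounts from the campaign.

def skeleton(handle: str) -> str:
    """Fold a handle so that look-alike spellings compare equal.

    Uppercase i is folded to lowercase L *before* case-folding, because after
    lower() it would become "i", which is not confusable with "l". GitHub handles
    are case-insensitive, so the remaining comparison is done in lowercase.
    """
    s = handle.replace("I", "l")
    s = s.lower()
    # Common confusable pairs beyond the article's l/I trick (assumed set; extend as needed).
    for src, dst in (("rn", "m"), ("vv", "w"), ("1", "l"), ("|", "l"), ("0", "o")):
        s = s.replace(src, dst)
    return s


def find_lookalikes(candidates, trusted):
    """Return (candidate, trusted_handle) pairs where a candidate is NOT the trusted
    handle (case-insensitively) but folds to the same skeleton, i.e. a likely
    impersonation attempt."""
    by_skel = {}
    for t in trusted:
        by_skel.setdefault(skeleton(t), []).append(t)
    hits = []
    for c in candidates:
        for t in by_skel.get(skeleton(c), []):
            if c.lower() != t.lower():
                hits.append((c, t))
    return hits


if __name__ == "__main__":
    # Constructed sample: two trusted maintainers and four handles seen in a repo's history.
    TRUSTED = ["alice-labs", "defi-tools"]
    SEEN = ["aIice-Iabs", "alice-labs", "defi-too1s", "bob"]
    for cand, real in find_lookalikes(SEEN, TRUSTED):
        print(f"LOOKALIKE: {cand!r} resembles trusted maintainer {real!r}")
```

Run this over the owner and top contributors of any repository a recruiter or "test task" points you at before cloning it; an exact trusted handle produces no hit, while the l/I and 1/l substitutions do.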
For enterprises and individual developers, the takeaway is clear: trust must be verified at multiple levels. Sandboxing any third‑party code, especially when sourced from new or obscure repositories, is essential. Organizations should implement strict provenance checks, monitor for anomalous repository activity, and educate teams about social‑engineering cues like fake job offers. As state‑sponsored actors continue to blend legal structures with cyber‑espionage, a proactive, layered defense remains the most effective safeguard against these covert incursions.