North Korean Hackers Exploit Python Coding Challenges to Target Cryptocurrency Developers

In a sophisticated cyber espionage campaign, the North Korean-affiliated hacking group known as Slow Pisces—also referred to as Jade Sleet, PUKCHONG, TraderTraitor, and UNC4899—has been targeting cryptocurrency developers through deceptive job recruitment tactics. This operation involves engaging developers on professional networking platforms like LinkedIn, posing as potential employers, and delivering malware disguised as coding assignments.

According to research by Palo Alto Networks’ Unit 42, the attackers initiate contact by presenting a benign PDF document detailing a job opportunity. If the target expresses interest, they are then provided with a coding challenge hosted on GitHub. This challenge requires the developer to download and execute a compromised Python project, which, unbeknownst to them, contains malicious code.

Upon execution, the project deploys a malware loader named RN Loader. This loader collects basic information about the victim’s machine and operating system, transmitting it over HTTPS to a command-and-control (C2) server. If the target meets certain criteria—such as specific IP addresses, geolocation, or system configurations—the C2 server responds by sending a second-stage payload, RN Stealer.

RN Stealer is an information-stealing malware designed to harvest sensitive data from infected systems. On Apple macOS devices, it can extract system metadata, a list of installed applications, directory listings, and the contents of the user’s home directory. More critically, it targets iCloud Keychain data, stored SSH keys, and configuration files for cloud services like AWS, Kubernetes, and Google Cloud.

This campaign is notable for its targeted approach. By focusing on individual developers through personalized interactions on LinkedIn, the attackers can tightly control the distribution of their malware, ensuring that only selected victims receive the malicious payloads. This method enhances the stealth and effectiveness of the operation, reducing the likelihood of detection by broad-spectrum security measures.

The use of professional networking platforms for initial contact is a hallmark of Slow Pisces’ tactics. By masquerading as legitimate employers, they exploit the trust inherent in professional recruitment processes. This social engineering strategy increases the likelihood that targets will engage with the provided materials, including downloading and executing the malicious coding challenges.

The choice of Python projects as the delivery mechanism for the malware is strategic. Python is widely used in the cryptocurrency development community, making it a familiar and trusted environment for developers. By embedding malicious code within Python projects, the attackers increase the chances that their malware will be executed without suspicion.

This campaign is part of a broader pattern of North Korean state-sponsored cyber activities aimed at the cryptocurrency sector. In February 2025, the same group was linked to a significant breach of the Dubai-based cryptocurrency exchange Bybit, resulting in the theft of approximately $1.5 billion worth of Ethereum. The attackers used malware-modified crypto trading applications to facilitate the theft, underscoring their focus on the cryptocurrency industry as a lucrative target.

The implications of such targeted attacks are profound. By compromising individual developers, attackers can potentially insert malicious code into widely used cryptocurrency platforms and applications, affecting a broad user base. This method of infiltration poses a significant risk to the integrity and security of the cryptocurrency ecosystem.

To mitigate the risk of such attacks, developers are advised to exercise caution when engaging with unsolicited job offers, especially those that involve downloading and executing code from external sources. Verifying the legitimacy of potential employers and the authenticity of coding challenges is crucial. Additionally, implementing robust security measures, such as endpoint protection and network monitoring, can help detect and prevent the execution of malicious code.
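One concrete form of the "verify the coding challenge before running it" advice is a static triage pass over the downloaded repository. The script below is an added example written for this article, not code from Unit 42 or from the campaign itself: it parses every `.py` file with the standard-library `ast` module (so nothing in the project executes), and flags the constructs a take-home exercise has no business containing: dynamic code execution on non-literal input, decode/decompress helpers, outbound network use, and string references to the credential locations the article lists (SSH keys, iCloud Keychain, AWS, Kubernetes and Google Cloud configuration). The module lists, path fragments, `AUTO_RUN_FILES` set and verdict thresholds are this example's own assumptions, not published indicators.

```python
"""Pre-execution triage of an untrusted Python project (added example).

Parses every .py file with the standard-library ast module, so nothing in the
project is executed, and reports constructs a take-home coding challenge has
no business containing. The module lists, path fragments and verdict rules
below are illustrative choices for this example, not published indicators.
"""
from __future__ import annotations

import ast
import os
import sys
from dataclasses import dataclass

NETWORK_MODULES = {"socket", "urllib", "http", "requests", "httpx", "ssl"}
DYNAMIC_EXEC = {"exec", "eval", "compile", "__import__"}
DECODERS = {"base64.b64decode", "base64.b85decode", "codecs.decode",
            "zlib.decompress", "marshal.loads"}
# Illustrative fragments of the credential paths named in the article.
SENSITIVE_PATH_FRAGMENTS = (".ssh", ".aws", ".kube", "gcloud", "keychain")
# Files that run without the developer explicitly invoking them.
AUTO_RUN_FILES = {"setup.py", "__init__.py", "conftest.py", "sitecustomize.py"}


@dataclass
class Finding:
    path: str
    line: int
    kind: str
    detail: str


def _dotted_name(node: ast.Call) -> str:
    """Rebuild 'pkg.mod.func' from a Call's func; '' if it is not a plain name."""
    parts, f = [], node.func
    while isinstance(f, ast.Attribute):
        parts.append(f.attr)
        f = f.value
    if not isinstance(f, ast.Name):
        return ""
    parts.append(f.id)
    return ".".join(reversed(parts))


def scan_source(source: str, path: str = "<memory>") -> list[Finding]:
    """Return findings for one file's source text without executing it."""
    try:
        tree = ast.parse(source, filename=path)
    except SyntaxError as exc:
        return [Finding(path, exc.lineno or 0, "unparseable", str(exc))]
    found: list[Finding] = []
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for alias in node.names:
                if alias.name.split(".")[0] in NETWORK_MODULES:
                    found.append(Finding(path, node.lineno, "network_import", alias.name))
        elif isinstance(node, ast.ImportFrom) and node.module:
            if node.module.split(".")[0] in NETWORK_MODULES:
                found.append(Finding(path, node.lineno, "network_import", node.module))
        elif isinstance(node, ast.Call):
            name = _dotted_name(node)
            # exec/eval on a literal is odd but static; on anything else it is a loader pattern.
            if name in DYNAMIC_EXEC and any(not isinstance(a, ast.Constant) for a in node.args):
                found.append(Finding(path, node.lineno, "dynamic_exec", name))
            elif name in DECODERS:
                found.append(Finding(path, node.lineno, "decoder", name))
            elif name.split(".")[0] in NETWORK_MODULES:
                found.append(Finding(path, node.lineno, "network_call", name))
        elif isinstance(node, ast.Constant) and isinstance(node.value, str):
            low = node.value.lower()
            if any(frag in low for frag in SENSITIVE_PATH_FRAGMENTS):
                found.append(Finding(path, node.lineno, "credential_path", node.value))
    return found


def verdict(findings: list[Finding]) -> str:
    """Collapse findings into clean / review / suspicious (thresholds are illustrative)."""
    kinds = {f.kind for f in findings}
    network = kinds & {"network_import", "network_call"}
    if "dynamic_exec" in kinds or ("credential_path" in kinds and network):
        return "suspicious"
    return "review" if kinds else "clean"


def scan_project(root: str) -> list[Finding]:
    """Scan every .py file under root; tag findings in files that run automatically."""
    findings: list[Finding] = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in {".git", ".venv", "venv"}]
        for fn in filenames:
            if not fn.endswith(".py"):
                continue
            full = os.path.join(dirpath, fn)
            with open(full, encoding="utf-8", errors="replace") as fh:
                for f in scan_source(fh.read(), full):
                    if fn in AUTO_RUN_FILES:
                        f.detail = f"[auto-run file] {f.detail}"
                    findings.append(f)
    return findings


if __name__ == "__main__":
    results = scan_project(sys.argv[1] if len(sys.argv) > 1 else ".")
    for f in results:
        print(f"{f.path}:{f.line}: {f.kind}: {f.detail}")
    print("verdict:", verdict(results))
```

Run it against the cloned challenge directory before opening the project in an IDE or installing it (`python triage.py path/to/challenge`); a "suspicious" verdict, or any finding in a file from `AUTO_RUN_FILES` such as `setup.py`, is reason to stop and examine the code by hand or in an isolated VM rather than on the workstation that holds SSH keys and cloud credentials. The scanner is deliberately coarse: it will produce "review" noise on legitimate projects that use the network, and it cannot see code that arrives only after a first-stage payload phones home, so it complements rather than replaces endpoint and network monitoring.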

The cybersecurity community continues to monitor and analyze the tactics employed by groups like Slow Pisces. Understanding their methods is essential for developing effective countermeasures and protecting the cryptocurrency industry from ongoing and future threats.