Cybersecurity experts have recently exposed a complex cyberattack campaign linked to North Korean state-sponsored threat actors, targeting cryptocurrency developers with advanced malicious tactics. This campaign, led by the group known as Slow Pisces (also referred to as Jade Sleet, TraderTraitor, and PUKCHONG), employs social engineering techniques to exploit LinkedIn users by masquerading as recruiters, offering lucrative job opportunities that ultimately deliver harmful malware.
Rising Threat in Cryptocurrency Industry
A new report from Palo Alto
These repositories, which appear legitimate at first glance, are often based on actual open-source projects such as cryptocurrency dashboards or stock market analyzers. The majority of the code works as expected, but buried within these repositories are malicious components designed to connect to the attackers’ command-and-control servers. Once the target runs the code, the attackers gain access to the victim’s machine and the sensitive data on it.
A Sophisticated and Highly Secretive Operation
What distinguishes Slow Pisces from other cybercriminal groups is their extraordinary attention to operational security. The attackers carefully conceal their payloads at each stage of the attack, ensuring that the malicious components only exist in memory and are hidden from detection. The group deploys advanced techniques to avoid triggering security measures, including abusing YAML deserialization in Python repositories and the EJS escape function in JavaScript projects. These strategies enable the attackers to execute arbitrary code without raising alarms.
When targeting Python developers, the group deploys a pair of dangerous malware tools named “RN Loader” and “RN Stealer.” The latter is particularly concerning because it is designed to harvest highly sensitive data from the victim’s device, including login credentials from macOS keychain databases, SSH keys, cloud service configurations (such as AWS and Google Cloud), and even file listings from victims’ home directories.
Financial Impact and Attribution
The financial implications of this attack are staggering. Slow Pisces is responsible for stealing over $1 billion from cryptocurrency organizations in 2023 alone. Their most recent heist targeted a cryptocurrency exchange in Dubai, resulting in a loss of $1.5 billion. This group has also been linked to a previous theft of $308 million from a cryptocurrency firm in Japan, as reported by the FBI.
Palo Alto Networks shared its findings with GitHub and LinkedIn, both of which took swift action to remove the malicious accounts involved in these attacks. GitHub and LinkedIn were also provided with indicators of compromise (IoCs), which helps other organizations defend against similar attacks.
Key Indicators of Compromise (IoCs)
The following domains and IP addresses are associated with the malicious repositories used by Slow Pisces:
| Domain | IP Address | First Seen | Last Seen | Repository Type |
|---|---|---|---|---|
| getstockprice[.]com | 70.34.245[.]118 | 2025-02-03 | 2025-02-20 | Python |
| cdn[.]clubinfo[.]io | 5.206.227[.]51 | 2025-01-21 | 2025-02-19 | Python |
| update[.]jquerycloud[.]io | 192.236.199[.]57 | 2024-07-03 | 2024-08-22 | JavaScript |
| en[.]stockslab[.]org | 91.103.140[.]191 | 2024-08-19 | 2024-09-12 | Python |
| api[.]coinpricehub[.]io | 45.141.58[.]40 | 2024-05-06 | 2024-08-06 | Java |
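The table is published in defanged form (brackets around the last dot), so it cannot be dropped into a log search as-is. Below is an added example, not part of the report, that refangs the five domain/IP pairs listed above and matches them against resolver and proxy log lines; the log lines themselves are constructed for the example and the field names in them are assumptions. Subdomains of a listed domain are treated as hits, since a different hostname under the same attacker-controlled zone is still the same infrastructure.

```python
"""Added example: refang the published IoCs and match them against log lines.

The indicators are the ones in the table above; the log lines are constructed
and their field layout (query=, answer=, dst=, host=) is an assumption.
"""
import ipaddress
import re

# Indicators exactly as published, defanged.
IOC_ROWS = [
    ("getstockprice[.]com", "70.34.245[.]118", "Python"),
    ("cdn[.]clubinfo[.]io", "5.206.227[.]51", "Python"),
    ("update[.]jquerycloud[.]io", "192.236.199[.]57", "JavaScript"),
    ("en[.]stockslab[.]org", "91.103.140[.]191", "Python"),
    ("api[.]coinpricehub[.]io", "45.141.58[.]40", "Java"),
]


def refang(indicator):
    """Turn 'example[.]com' / 'hxxp://' style indicators back into matchable form."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


DOMAINS = {refang(d).lower() for d, _, _ in IOC_ROWS}
IPS = {ipaddress.ip_address(refang(ip)) for _, ip, _ in IOC_ROWS}

# Tokenisers: a hostname ends in an alphabetic TLD, so dotted-quads never match HOST_RE.
HOST_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)
IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def matches_ioc(line):
    """Return the set of indicators from the table that appear in one log line.

    A hostname hits if it equals a listed domain or is a subdomain of one,
    so 'files.getstockprice.com' is still flagged as 'getstockprice.com'.
    """
    hits = set()
    for host in HOST_RE.findall(line):
        host = host.lower().rstrip(".")
        for dom in DOMAINS:
            if host == dom or host.endswith("." + dom):
                hits.add(dom)
    for ip in IPV4_RE.findall(line):
        try:
            if ipaddress.ip_address(ip) in IPS:
                hits.add(ip)
        except ValueError:     # e.g. 999.1.1.1 looks like an IP but is not one
            pass
    return hits


def scan(lines):
    """Return (line_number, sorted_indicators) for every line with at least one hit."""
    results = []
    for n, raw in enumerate(lines, 1):
        hits = matches_ioc(raw)
        if hits:
            results.append((n, sorted(hits)))
    return results


# Constructed sample: two resolver lines and one proxy line. Only the first and
# third touch listed infrastructure; the second is ordinary package traffic.
SAMPLE_LOG = [
    "2025-02-10T09:14:02Z dns client=10.0.5.23 query=getstockprice.com type=A answer=70.34.245.118",
    "2025-02-10T09:14:05Z dns client=10.0.5.23 query=pypi.org type=A answer=151.101.0.223",
    "2025-02-10T09:15:41Z proxy src=10.0.5.23 dst=5.206.227.51:443 host=cdn.clubinfo.io method=GET",
]

if __name__ == "__main__":
    for n, hits in scan(SAMPLE_LOG):
        print("line %d: %s" % (n, ", ".join(hits)))
```

Matching on both the domain and the answer address is deliberate: the first-seen/last-seen columns show these repositories rotate infrastructure, and a resolver log will still show the domain after the address changes, while a proxy log may only show the address when the client used a direct connection.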
Security experts recommend implementing strict segregation between corporate and personal devices as an effective defense against such targeted social engineering campaigns.
What Undercode Says:
The Slow Pisces cyberattacks highlight a growing trend in targeted attacks against the cryptocurrency industry, which continues to be a prime target for state-sponsored groups. The sophisticated techniques used by this group indicate not only a high level of technical skill but also a careful approach to evading detection, which makes it difficult for conventional cybersecurity systems to defend against.
One of the more concerning aspects of these attacks is the use of social engineering through platforms like LinkedIn. By leveraging professional networks to trick developers into trusting them, the attackers gain access to highly sensitive systems that could lead to financial ruin for cryptocurrency exchanges and developers alike. The manipulation of coding repositories to carry hidden malware is a prime example of how threat actors are evolving, adapting to new environments, and using tools that appear legitimate but ultimately serve malicious purposes.
Furthermore, the financial toll of these attacks cannot be overstated. With over $1 billion in stolen funds last year alone, Slow Pisces represents a significant financial threat to the cryptocurrency ecosystem. This underscores the importance of increased vigilance and security awareness among developers and organizations working within the cryptocurrency space. The continued growth of this threat actor’s capabilities calls for an evolving response to safeguard sensitive data and infrastructure.
The proactive stance taken by Palo Alto Networks and the collaboration with GitHub and LinkedIn are steps in the right direction. However, the onus is also on individual developers to be aware of the risks posed by social engineering and to exercise caution when interacting with unsolicited job offers or coding challenges. As cryptocurrency continues to grow in popularity, so too will the efforts of cybercriminals to exploit its vulnerabilities.
Fact Checker Results:
- The Slow Pisces group has been directly linked to multiple high-profile cryptocurrency thefts, including over $1 billion in 2023.
- Security measures taken by GitHub and LinkedIn have been effective in removing compromised accounts.
- Researchers highlight the importance of segregating work and personal devices as a key mitigation strategy for preventing these types of social engineering attacks.
References:
Reported By: cyberpress.org