Executive Summary
Slow Pisces (aka Jade Sleet, TraderTraitor, PUKCHONG) is a North Korean state-sponsored threat group primarily focused on generating revenue for the DPRK regime, typically by targeting large organizations in the cryptocurrency sector. This article analyzes their campaign that we believe is connected to recent cryptocurrency heists.

In this campaign, Slow Pisces engaged with cryptocurrency developers on LinkedIn, posing as potential employers and sending malware disguised as coding challenges. These challenges require developers to run a compromised project, infecting their systems using malware we have named RN Loader and RN Stealer.

The group reportedly stole over $1 billion USD from the cryptocurrency sector in 2023. They have achieved this using various methods, including fake trading applications, malware distributed via the Node Package Manager (NPM) and supply chain compromises.

In December 2024, the FBI attributed the theft of $308 million from a Japan-based cryptocurrency company to Slow Pisces. More recently, the group made headlines for its alleged involvement in the theft of $1.5 billion from a Dubai cryptocurrency exchange.

We have shared our threat intelligence with analysts at GitHub and LinkedIn to take down the relevant accounts and repositories.
They provided the following statement in response:

GitHub and LinkedIn removed these malicious accounts for violating our respective terms of service. Across our products we use automated technology, combined with teams of investigation experts and member reporting, to combat bad actors and enforce terms of service. We continue to evolve and improve our processes and encourage our customers and members to report any suspicious activity.
Additional information
- GitHub users can find more information in our Acceptable Use Policies and report abuse and spam pages.
- LinkedIn users can learn more about identifying and reporting abuse here: Recognize and report spam, inappropriate, and abusive content
This report details how Slow Pisces conceals malware within its coding challenges and describes the group's subsequent tooling, aiming to provide the wider industry with a better understanding of this threat.

To access the full report, please visit here.