
Severity
High
Analysis Summary
A North Korean state-sponsored hacking group, known as Slow Pisces (also referred to as TraderTraitor or Jade Sleet), has been targeting cryptocurrency developers through deceptive recruitment tactics. They pose as recruiters on platforms like LinkedIn, offering fake job opportunities to lure developers into downloading malicious code. Once a developer shows interest, they're sent coding challenges hosted on GitHub repositories that appear legitimate but contain hidden malware designed to steal sensitive information.
The malware, identified as "RN Loader" and "RN Stealer," is capable of extracting login credentials, SSH keys, and configuration files for cloud services like AWS and Google Cloud. It can also access directory listings and contents of victims' home directories. The attackers conceal the malicious logic inside otherwise ordinary project code, for example by abusing YAML deserialization in Python repositories and the EJS escape function in JavaScript projects, which lets them execute arbitrary code on the developer's machine while evading casual code review and detection.
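As an added example (not part of the advisory and not the attackers' code), the following Python script shows the kind of static check a reviewer can run over a "coding challenge" repository before executing it: it walks the source with the standard-library `ast` module and flags PyYAML calls that would let a YAML file construct arbitrary Python objects (`yaml.load` without a `Loader`, or with `Loader`/`UnsafeLoader`/`FullLoader`, and `yaml.unsafe_load`). The sample sources and file name are constructed for illustration; calls made through aliased imports (`from yaml import load`) are not tracked, which is a deliberate limitation noted in the comments.

```python
"""
Static scan for unsafe PyYAML deserialization in a Python source tree.
Added illustration for this advisory; sample sources below are constructed.
Only calls written as `yaml.<func>(...)` are recognised; aliased imports
such as `from yaml import load` are not tracked.
"""
import ast
from pathlib import Path

# Loader classes that allow arbitrary object construction. FullLoader has
# had bypasses in the past, so it is treated as unsafe here (conservative).
UNSAFE_LOADERS = {"Loader", "UnsafeLoader", "FullLoader"}
# Functions that are unsafe regardless of arguments.
UNSAFE_FUNCS = {"unsafe_load", "unsafe_load_all"}
# Functions whose safety depends on the Loader argument.
LOADER_FUNCS = {"load", "load_all"}


def _dotted_name(node):
    """Return a dotted name such as 'yaml.load' for a Name/Attribute node."""
    if isinstance(node, ast.Attribute):
        base = _dotted_name(node.value)
        return f"{base}.{node.attr}" if base else node.attr
    if isinstance(node, ast.Name):
        return node.id
    return ""


def find_unsafe_yaml_calls(source, filename="<memory>"):
    """Return a list of (filename, line, reason) for risky yaml.* calls."""
    findings = []
    tree = ast.parse(source, filename=filename)
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call):
            continue
        name = _dotted_name(node.func)
        if not name.startswith("yaml."):
            continue
        func = name.split(".", 1)[1]
        if func in UNSAFE_FUNCS:
            findings.append((filename, node.lineno,
                             f"yaml.{func} constructs arbitrary Python objects"))
        elif func in LOADER_FUNCS:
            # Loader may be passed as keyword or as the second positional arg.
            loader = next((kw.value for kw in node.keywords if kw.arg == "Loader"), None)
            if loader is None and len(node.args) >= 2:
                loader = node.args[1]
            if loader is None:
                findings.append((filename, node.lineno,
                                 f"yaml.{func} without an explicit Loader "
                                 "(unsafe default on PyYAML < 5.1)"))
            elif _dotted_name(loader).split(".")[-1] in UNSAFE_LOADERS:
                findings.append((filename, node.lineno,
                                 f"yaml.{func} with {_dotted_name(loader)}"))
    return findings


def scan_tree(root):
    """Scan every .py file under `root` and return all findings."""
    findings = []
    for path in Path(root).rglob("*.py"):
        findings.extend(find_unsafe_yaml_calls(path.read_text(encoding="utf-8"), str(path)))
    return findings


# Constructed samples: a risky file and a safe rewrite of the same logic.
SAMPLE_BAD = """import yaml
cfg = yaml.load(open('challenge.yml'))
data = yaml.load(raw, Loader=yaml.Loader)
"""
SAMPLE_GOOD = """import yaml
cfg = yaml.safe_load(open('challenge.yml'))
data = yaml.load(raw, Loader=yaml.SafeLoader)
"""

if __name__ == "__main__":
    for finding in find_unsafe_yaml_calls(SAMPLE_BAD, "challenge/bad.py"):
        print("UNSAFE", *finding)
    print("safe sample findings:", find_unsafe_yaml_calls(SAMPLE_GOOD, "challenge/good.py"))
```

Run it against a cloned repository with `scan_tree("path/to/repo")` before executing anything from it; any finding should be treated as a reason to stop and inspect the YAML files the code reads.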
This group has been linked to significant financial thefts, including the $1.5 billion heist from Dubai-based cryptocurrency exchange Bybit in February 2025 and the $308 million theft from Japan's DMM Bitcoin in May 2024. In both cases, the attackers used similar social engineering tactics, compromising employees by posing as recruiters and sending them malicious code under the guise of job-related tasks.
The stolen funds are often laundered through complex methods, including converting them into mainstream cryptocurrencies and distributing them across numerous wallets to obscure the trail. These cybercrimes are believed to support North Korea's economy and nuclear program, circumventing international sanctions.
Impact
- Sensitive Data Theft
- Credential Theft
- Financial Loss
- Code Execution
Indicators of Compromise
Domain Name
- getstockprice.com
- cdn.clubinfo.io
- getstockprice.info
- api.stockinfo.io
- cdn.logoeye.net
- en.wfinance.org
- en.stocksindex.org
- cdn.jqueryversion.net
- en.stockslab.org
- update.jquerycloud.io
IP
- 70.34.245.118
- 5.206.227.51
- 131.226.2.120
- 136.244.93.248
- 54.39.83.151
- 195.133.26.32
- 185.236.231.224
- 194.11.226.16
- 91.103.140.191
- 192.236.199.57
Remediation
- Verify the authenticity of recruiters by cross-referencing their profiles and company affiliations, and be cautious of unsolicited job offers, especially those involving coding tasks.
- Avoid downloading or executing code from unfamiliar GitHub repositories; thoroughly inspect the code for anomalies before use.
- Implement multi-factor authentication (MFA) on all accounts to add an extra layer of security against unauthorized access.
- Regularly update and patch systems and software to protect against known vulnerabilities.
- Utilize reputable antivirus and anti-malware solutions to detect and prevent malicious activities.
- Monitor network traffic and system logs for unusual activities that may indicate a security breach.
- Limit the sharing of sensitive information on professional platforms and be wary of requests for personal data.
- Use reverse image search tools to verify the legitimacy of profile pictures on networking sites.
- Report suspicious messages or profiles to platform administrators to help prevent the spread of scams.
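To make the monitoring recommendation above concrete, here is an added example (not part of the advisory) that matches DNS and proxy log lines against the domains and IP addresses listed in the Indicators of Compromise section. The indicator lists are copied from the advisory; the log lines and their format are constructed for illustration, so the regular expressions would need adjusting to a real log source.

```python
"""
Match log lines against the advisory's IoC domains and IPs.
Added illustration; indicator lists come from the advisory, the log
lines below are constructed.
"""
import ipaddress
import re

# Domains from the advisory; subdomains of these are matched as well.
IOC_DOMAINS = {
    "getstockprice.com", "cdn.clubinfo.io", "getstockprice.info",
    "api.stockinfo.io", "cdn.logoeye.net", "en.wfinance.org",
    "en.stocksindex.org", "cdn.jqueryversion.net", "en.stockslab.org",
    "update.jquerycloud.io",
}
# IP addresses from the advisory.
IOC_IPS = {
    "70.34.245.118", "5.206.227.51", "131.226.2.120", "136.244.93.248",
    "54.39.83.151", "195.133.26.32", "185.236.231.224", "194.11.226.16",
    "91.103.140.191", "192.236.199.57",
}

# Hostnames: dotted labels ending in an alphabetic TLD (so IPs are excluded).
HOST_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def match_line(line):
    """Return the set of advisory indicators that appear in one log line."""
    hits = set()
    for host in HOST_RE.findall(line):
        host = host.lower()
        for domain in IOC_DOMAINS:
            if host == domain or host.endswith("." + domain):
                hits.add(domain)
    for ip in IPV4_RE.findall(line):
        try:
            # Normalise through ipaddress so "070.34..." style variants
            # are rejected rather than silently missed.
            if str(ipaddress.ip_address(ip)) in IOC_IPS:
                hits.add(ip)
        except ValueError:
            continue
    return hits


def scan_logs(lines):
    """Return [(line_number, line, sorted indicators)] for lines with hits."""
    results = []
    for number, line in enumerate(lines, start=1):
        hits = match_line(line)
        if hits:
            results.append((number, line, sorted(hits)))
    return results


# Constructed sample log lines (not real telemetry).
SAMPLE_LOGS = [
    "2025-04-15T10:01:02Z dns query client=10.0.0.12 qname=getstockprice.com type=A",
    "2025-04-15T10:01:03Z proxy client=10.0.0.12 dst=70.34.245.118:443 method=CONNECT",
    "2025-04-15T10:02:10Z dns query client=10.0.0.13 qname=github.com type=A",
    "2025-04-15T10:03:44Z proxy client=10.0.0.14 url=https://update.jquerycloud.io/v1/lib.js",
]

if __name__ == "__main__":
    for number, line, hits in scan_logs(SAMPLE_LOGS):
        print(f"line {number}: {hits} <- {line}")
```

The subdomain match matters because beaconing often goes to a host under the listed domain rather than the bare name; matching on exact strings only would miss it.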