Here’s how North Korean hackers behind the $1.4b Bybit heist are hitting crypto devs
- Group known as Slow Pisces uses LinkedIn to lure devs into running trojanized projects.
- Malware activates only under specific conditions, avoiding detection.
- Attackers use YAML and JavaScript to mask malicious code.
A North Korean hacking group has been targeting cryptocurrency developers via a new job recruitment scam that injects info-stealing malware into the victim’s system.
According to a recent report from cybersecurity firm Palo Alto Networks’ Unit 42, the nefarious hacking group, known via aliases such as Slow Pisces, Jade Sleet, PUKCHONG, TraderTraitor, or UNC4899, has been posing as recruiters on LinkedIn.
Once contact is made, developers are lured in with fake job offers, followed by a seemingly routine coding test.
But hidden within these GitHub-hosted projects is a stealer malware toolkit that quietly infects the victim’s machine.
Initially, candidates are asked to run a file that looks like a simple programming task, but once executed on the victim’s system it launches malware named RN Loader, which sends system information back to the attacker.
If the target checks out, a second-stage payload, RN Stealer, is deployed, which can scoop up everything from SSH keys and iCloud data to Kubernetes and AWS config files.
What makes this campaign especially dangerous is its stealth: the malware activates only under certain conditions, such as the victim’s IP address or system settings, making it harder for researchers to detect.
It also runs entirely in memory, leaving very little digital footprint.
Slow Pisces has been linked to high-profile thefts, including the $1.4 billion Bybit exploit earlier this year.
The group’s tactics haven’t changed much over time, which Unit 42 says may be due to how successful and targeted their methods are.
“Prior to the Bybit hack, there was very little detailed awareness and reporting of the campaign in open source, and so it’s possible the threat actors felt no need to change,” according to Andy Piazza, Senior Director of Threat Intelligence at Unit 42.
If anything, the threat actors have improved their operational security, according to researchers, and were seen using YAML and JavaScript templating tricks to hide malicious commands.
“Focusing on individuals contacted via LinkedIn, as opposed to broad phishing campaigns, allows the group to tightly control the later stages of the campaign and deliver payloads only to expected victims,” security researcher Prashil Pattni added.
North Korean hackers target IT professionals
North Korean hacking groups have been responsible for some of the biggest cyber heists across the crypto sector.
Data from Arkham Intelligence shows that a wallet linked to North Korea’s Lazarus Group held over $800 million worth of Bitcoin at the time of reporting.
A report from Google Threat Intelligence Group released earlier this month noted a surge in North Korean IT workers infiltrating tech and crypto firms, especially across Europe.
Last year, Invezz reported that two hacking groups with aliases Sapphire Sleet and Ruby Sleet were responsible for significant losses in the crypto space.
Bad actors were found to be impersonating recruiters, investors, and even employees of targeted companies to slip past initial security checks and plant malware.
Sapphire Sleet focused heavily on crypto firms and had reportedly managed to funnel at least $10 million back to the North Korean regime within six months.