North Korean Hackers Target Crypto Developers with LinkedIn Scam, Steal $1.4 Billion
A North Korean hacking group, tracked under aliases including Slow Pisces, Jade Sleet, PUKCHONG, TraderTraitor, and UNC4899, has been targeting cryptocurrency developers through a sophisticated job-recruitment scam. The scam delivers info-stealing malware to the victim’s machine and poses a significant threat to the crypto industry.
The group uses LinkedIn to pose as recruiters, luring developers with fake job offers. Once contact is established, the developer is given a seemingly routine coding test. The test is a GitHub repository that looks like an ordinary programming project, but when run it fetches data from an attacker-controlled server and executes a first-stage malware, RN Loader, which sends basic system information back to the attacker. If the target is deemed suitable, a second-stage payload, RN Stealer, is delivered. This more capable infostealer harvests SSH keys, iCloud Keychain data, and stored Kubernetes and AWS configuration files.
The stealthy nature of this campaign makes it particularly dangerous. The malicious payload is served only when a request matches attacker-chosen conditions, such as the victim’s IP address or system details; anyone else fetching the same resource receives benign data, which makes the campaign difficult for researchers to observe. Additionally, the payload runs entirely in memory, leaving very little on disk. The group has been linked to high-profile thefts, including the $1.4 billion Bybit heist earlier this year. Its tactics have remained consistent over time, which may be due to the success and targeted nature of its methods. According to Andy Piazza, Senior Director of Threat Intelligence at Unit 42, the lack of detailed awareness and reporting of the campaign in open source may have contributed to the group’s decision not to change its tactics. Instead, the group has tightened its operational security, using YAML deserialization and JavaScript templating tricks so that the challenge repository never contains an obvious command to execute.
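The YAML trick works because PyYAML’s full and unsafe loaders honour tags such as `!!python/object/apply`, which construct and call arbitrary Python objects, so a “config” fetched from the attacker’s server becomes code execution without any `eval` in the repository. The audit below is an added example, not the group’s code and not from Unit 42; it uses only the standard library, and the trojanised snippet and fetched config it checks are constructed for illustration.

```python
"""Audit a "coding challenge" project for the unsafe-YAML-deserialization trick.

Added example (not the attackers' code and not from Unit 42). Standard library
only: an AST pass that finds PyYAML calls able to build arbitrary Python objects,
plus a scan of fetched "config" data for the tags those loaders honour. The
sample snippet and fetched data at the bottom are constructed.
"""
from __future__ import annotations

import ast
import re

# PyYAML tags that make the full/unsafe loaders instantiate or call Python objects.
DANGEROUS_TAG = re.compile(r"!!python/(?:object|module|name)")

# Loader classes that honour those tags (SafeLoader / BaseLoader do not).
UNSAFE_LOADERS = {"Loader", "UnsafeLoader", "FullLoader"}
UNSAFE_FUNCS = {"unsafe_load", "unsafe_load_all", "full_load", "full_load_all"}


def _loader_name(call: ast.Call) -> str | None:
    """Name of the loader passed to yaml.load, via Loader= or positionally; None if absent."""
    candidates = [kw.value for kw in call.keywords if kw.arg == "Loader"]
    if not candidates and len(call.args) >= 2:
        candidates = [call.args[1]]
    if not candidates:
        return None
    node = candidates[0]
    if isinstance(node, ast.Attribute):
        return node.attr          # yaml.FullLoader -> "FullLoader"
    if isinstance(node, ast.Name):
        return node.id            # FullLoader -> "FullLoader"
    return "<expr>"               # computed at runtime: treat as unsafe


def find_unsafe_yaml_loads(source: str) -> list[tuple[int, str]]:
    """Return (line, reason) for each yaml.* call that can construct arbitrary objects."""
    findings: list[tuple[int, str]] = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        func = node.func
        if not (isinstance(func, ast.Attribute)
                and isinstance(func.value, ast.Name)
                and func.value.id == "yaml"):
            continue
        if func.attr in UNSAFE_FUNCS:
            findings.append((node.lineno, f"yaml.{func.attr} builds arbitrary objects"))
        elif func.attr in {"load", "load_all"}:
            loader = _loader_name(node)
            if loader is None:
                findings.append((node.lineno, f"yaml.{func.attr} without Loader= "
                                 "(older PyYAML falls back to a full loader)"))
            elif loader in UNSAFE_LOADERS or loader == "<expr>":
                findings.append((node.lineno, f"yaml.{func.attr} with Loader={loader}"))
    return findings


def yaml_payload_is_suspicious(text: str) -> bool:
    """True if fetched YAML carries a Python-object tag; benign config never needs one."""
    return DANGEROUS_TAG.search(text) is not None


# Constructed sample: what a trojanised "stock data" challenge might look like.
CHALLENGE_SNIPPET = '''
import yaml, urllib.request
def load_config(url):
    raw = urllib.request.urlopen(url).read()        # bytes chosen by the server
    return yaml.load(raw, Loader=yaml.FullLoader)   # can instantiate arbitrary objects
def load_local():
    return yaml.safe_load(open("settings.yml"))     # safe: plain data only
'''

# Constructed sample of what such a server could return to a selected victim.
FETCHED_CONFIG = """
name: stock-challenge
hook: !!python/object/apply:subprocess.check_output [["id"]]
"""

if __name__ == "__main__":
    for line, reason in find_unsafe_yaml_loads(CHALLENGE_SNIPPET):
        print(f"line {line}: {reason}")
    print("fetched config suspicious:", yaml_payload_is_suspicious(FETCHED_CONFIG))
```

Run it over a recruiter-supplied repository before executing anything in it; the only `yaml.load` form that should pass review is one with `Loader=yaml.SafeLoader` (or `yaml.safe_load`), and any remote response containing a `!!python/` tag is a reason to stop and capture the traffic rather than keep running the project. The JavaScript variant of the trick, which abuses template rendering, needs a separate check and is not covered by this script.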
The group’s focus on individuals contacted via LinkedIn, rather than broad phishing campaigns, allows them to tightly control the later stages of the campaign and deliver payloads only to expected victims. This targeted approach enhances their operational security and effectiveness. Security researcher Prashil Pattni noted that this method allows the group to maintain a high level of control over their operations.
North Korean hacking groups have been responsible for some of the biggest cyber heists in the crypto sector. A wallet linked to North Korea’s Lazarus Group held over $800 million worth of Bitcoin at the time of reporting. A recent report noted a surge in North Korean IT workers infiltrating tech and crypto firms. Last year, two other North Korean groups, tracked by Microsoft as Sapphire Sleet and Ruby Sleet, were responsible for significant losses in the crypto space. These groups impersonated recruiters, investors, and even employees of targeted companies to slip past initial security checks and plant malware. Sapphire Sleet, in particular, focused heavily on crypto firms and had reportedly funneled at least $10 million back to the North Korean regime within six months.
