published 2 months ago

North Korean state-sponsored threat group Slow Pisces targets developers with coding challenges and introduces new customized Python malware

  • Slow Pisces (also known as Jade Sleet, TraderTraitor, PUKCHONG) is a North Korean state-sponsored group focused on making money for the DPRK by targeting large cryptocurrency organizations. In its latest campaign, Slow Pisces contacted cryptocurrency developers on LinkedIn, pretending to be potential employers and sending them malware disguised as coding challenges. These challenges ask developers to run a compromised project, which infects their systems with malware named RN Loader and RN Stealer.

  • The group is believed to have stolen more than $1 billion from the cryptocurrency sector in 2023 using several methods, including fake trading apps, malware shared via the Node Package Manager (NPM), and supply chain attacks.

  • In December 2024, the FBI connected Slow Pisces to the theft of $308 million from a cryptocurrency company in Japan. The group also made news for allegedly stealing $1.5 billion from a Dubai cryptocurrency exchange.

  • Threat intelligence has been shared with analysts at GitHub and LinkedIn to remove the harmful accounts and repositories linked to this group. Both platforms have confirmed the removal of these accounts for breaking their terms of service and encourage users to report suspicious activities.

  • Additional information for users about reporting abuse on both platforms is available through their support pages.