North Korean Hackers Target Crypto Developers with Malicious Assignments



  • North Korean hackers target crypto devs with malicious job offers
  • Slow Pisces group uses LinkedIn to deliver malware to crypto developers

A North Korean hacking group, believed to be responsible for the $1.4 billion Bybit hack in February 2025, has been linked to a new malicious campaign that targets crypto developers. The advanced group uses fake programming assignments to deliver malicious code to developers.

North Korean Hackers Exploit Crypto Developers via LinkedIn

Slow Pisces is a threat group that uses LinkedIn to target cryptocurrency developers, according to Palo Alto Networks' Unit 42 division. The attackers pose as job recruiters and send coding assignments with malware hidden inside them. The malware, RN Loader and RN Stealer, is delivered through projects that developers are asked to run, which infects their machines.

Cryptocurrency remains a persistent target for North Korean cyber actors, who continue their efforts to exploit the sector. This is the second time the group has used this approach, after deploying it in July 2023. GitHub confirmed that bitcoin-related businesses, cybersecurity companies and their staff fell victim to npm package attacks in that same cycle.

Palo Alto Networks security researcher Prashil Pattni described how the group operates. The attackers first approach developers on LinkedIn with an attractive job offer. When a developer engages, they send a PDF file that describes the coding assignment. The task is hosted on GitHub, where developers follow the instructions to download and run the Python program.

At first glance the project raises no concern, because it shows cryptocurrency exchange rates to users. While it runs, however, the project uses a hidden connection to fetch an additional payload from a remote server, giving the attackers deeper access to the system.
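The behaviour described above (a harmless-looking Python project that pulls more code from a server) can be checked for before anything is run. The following is an added example, not code from the campaign, Unit 42 or this article: it parses an assignment's source without executing it and flags modules that both import a network library and call something able to turn fetched data into running code. The module and call lists and the two sample sources are assumptions constructed for the illustration.

```python
import ast

# Assumed lists for this example: libraries that reach the network, and calls
# that can turn data into executing code or arbitrary objects.
NETWORK_MODULES = {"requests", "urllib", "urllib3", "httpx", "aiohttp", "socket", "http"}
DYNAMIC_CALLS = {"exec", "eval", "compile", "__import__", "pickle.load",
                 "pickle.loads", "marshal.loads", "yaml.load", "yaml.unsafe_load"}

# Constructed samples standing in for assignment modules (never executed here).
SUSPICIOUS = '''
import requests, yaml

def get_rates(url):
    resp = requests.get(url, timeout=5)
    return yaml.load(resp.text, Loader=yaml.Loader)
'''
BENIGN = '''
import requests

def get_rates(url):
    return requests.get(url, timeout=5).json()
'''

def dotted(node):
    """Return 'a.b.c' for a Name/Attribute chain, or None for anything else."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        return ".".join(reversed(parts + [node.id]))
    return None

def triage(source, filename="<assignment>"):
    """Statically report network imports and dynamic-execution calls."""
    net, dyn = set(), []
    for node in ast.walk(ast.parse(source, filename)):
        if isinstance(node, ast.Import):
            net |= {a.name.split(".")[0] for a in node.names} & NETWORK_MODULES
        elif isinstance(node, ast.ImportFrom) and node.module:
            net |= {node.module.split(".")[0]} & NETWORK_MODULES
        elif isinstance(node, ast.Call) and dotted(node.func) in DYNAMIC_CALLS:
            dyn.append((node.lineno, dotted(node.func)))
    return {"network_imports": sorted(net), "dynamic_calls": sorted(dyn),
            "review_before_running": bool(net and dyn)}

if __name__ == "__main__":
    for name, src in (("suspicious", SUSPICIOUS), ("benign", BENIGN)):
        print(name, triage(src))
```

A clean result is not proof of safety, since name-based matching misses aliased or obfuscated calls; a flagged module is a reason to read the code in an isolated environment before running it.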

Slow Pisces Group Targets Developers with Fake Job Offers

This type of attack is highly targeted. The attackers' method consists of multiple stages, according to data collected by Mandiant, the cybersecurity firm acquired by Google. The attackers begin with a benign PDF that contains the job description. After a positive response, the developer receives a questionnaire that guides them toward downloading the compromised GitHub project.

The attackers, known for their patience, have kept to this technique, which seems to produce results. Their targeting is precise: the malware is delivered only to recipients validated by IP address, geolocation and time-related factors. This precision indicates an organized operation whose attacks pursue distinct aims rather than hitting targets broadly.

Previous media coverage of the group's operations has not stopped it from continuing its established approach, which points to its persistent success. The North Korean hackers keep using the same methods because they effectively exploit weaknesses among cryptocurrency developers.

Lastly, crypto developers should be cautious about unsolicited job offers and programming tasks, because this threat highlights exactly those risks. Employment opportunities should be verified by experts before they are accepted, and all shared links and documents should come from established, trustworthy sources. Groups such as Slow Pisces keep the threat against cryptocurrency systems alive, which calls for greater industry awareness and stronger defensive measures.


