Crypto Developer Attacks: Malicious Coding Challenges Uncovered
Palo Alto Networks Unit 42 researchers have reported that threat actors pose as LinkedIn recruiters, sending fraudulent job offers to cryptocurrency developers. This leads to a coding challenge that redirects targets to a malicious GitHub repository. Tools such as RN Loader and RN Stealer are used to exfiltrate sensitive data from macOS systems, highlighting a significant threat following Slow Pisces’s previous heist of $1.5 billion from Bybit Technology.
Recent research by Palo Alto Networks Unit 42 has uncovered a sophisticated scheme where threat actors masquerade as recruiters on LinkedIn. They distribute a PDF detailing a fraudulent job opportunity to entice individuals involved in cryptocurrency projects. Upon acceptance, victims receive a coding challenge that instructs them to access a GitHub repository, paving the way for malicious payloads to be delivered.
The primary tools in these attacks are a series of malicious Python projects associated with a group identified as Slow Pisces. The payloads are delivered only after the victim’s IP address, geolocation, time, and HTTP headers pass the attackers’ validation checks, which keeps the malicious code away from researchers and sandboxes. Utilising tools such as RN Loader, the attackers exfiltrate machine and operating system information, while RN Stealer targets installed applications, stored SSH keys, and sensitive configuration files for AWS, Kubernetes, and Google Cloud on compromised macOS systems.
The alarming nature of these attacks is underscored by the fact that Slow Pisces is known to have previously stolen $1.5 billion from Bybit Technology, a cryptocurrency exchange based in Dubai, in February. This ongoing trend signifies a growing threat to individuals working within the cryptocurrency sector, necessitating heightened awareness and security measures.