Threat Intelligence Tarot
cups · 10
Private sector (mercenary, suspected European)
G0120 · ★★★★★
Risk 3/5
✦ The False KYC ✦
Evilnum
DeathStalker
Targets: Fintech companies · Cryptocurrency platforms · Investment firms · Financial regulators
Active since ~2018 · Fintech sector espionage, Know-your-customer document theft, Trading intelligence
It arrives in the compliance department's inbox as a KYC document - the identity verification packets that fintech companies process constantly. Inside is a Python backdoor. The False KYC has spent years inside financial technology firms, reading trading data and customer records for whoever hired it.
Tactics & Techniques
RCN · RDV · INI · EXC · PRS · PRV · EVA · CRD · DSC · LAT · COL · C2 · EXF · IMP
Notable Operations
- ◆ Fintech KYC document theft across European trading platforms
- ◆ Malicious LNK files disguised as KYC verification documents
- ◆ Python-based backdoor EVILNUM deployment
- ◆ Cryptocurrency platform customer data and trading intelligence theft
Defenses
- ▸ Fintech sector threat intelligence sharing on document-based lures (FS-ISAC guidance)
- ▸ KYC document processing system network isolation (CIS Control 12)
- ▸ Email security for compliance department staff (CIS Control 9)
- ▸ Python script execution monitoring and controls (CIS Control 2)
Reversed: Their Weakness
Evilnum's mercenary nature - selling access and intelligence to multiple clients - creates operational security risks inherent to the model: different clients may take different actions with stolen data, creating divergent forensic trails that helped researchers map the group's full scope.
Data sourced from MITRE ATT&CK. For educational purposes.