Threat Intelligence Tarot
cups · 10
Private sector (mercenary, suspected European)
G0120 · ★★★★★
risk 3/5
✦ The False KYC ✦
Evilnum
DeathStalker
Fintech companies · Cryptocurrency platforms · Investment firms · Financial regulators
Active since ~2018 · Fintech sector espionage, Know-your-customer document theft, Trading intelligence
It arrives in the compliance department's inbox as a KYC document, one of the identity verification packets that fintech companies process all day. Inside is a malicious shortcut that installs the group's backdoor, with Python-based post-compromise tooling following. The False KYC has spent years inside financial technology firms, reading trading data and customer records for whoever hired it.
Tactics & Techniques
RCN · RDV · INI · EXC · PRS · PRV · EVA · CRD · DSC · LAT · COL · C2 · EXF · IMP
(ATT&CK tactic abbreviations: Reconnaissance, Resource Development, Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration, Impact)
Notable Operations
- ◆ Fintech KYC document theft across European trading platforms
- ◆ Malicious LNK files disguised as KYC verification documents
- ◆ Deployment of the EVILNUM backdoor and the group's Python-based tooling
- ◆ Cryptocurrency platform customer data and trading intelligence theft
Defenses
- ▸ Fintech sector threat intelligence sharing on document-based lures (FS-ISAC guidance)
- ▸ KYC document processing system network isolation (CIS Control 12)
- ▸ Email security for compliance department staff (CIS Control 9)
- ▸ Python script execution monitoring and controls (CIS Control 2)
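The lure on this card is a Windows shortcut posing as a KYC document, and the e-mail-security defense above is where it has to be caught. The script below is an added example of that check, not code from the original page or from any vendor product: it opens a ZIP attachment in memory and flags any member that is a shortcut by name (`.lnk`, including the `passport_scan.jpg.lnk` double-extension trick) or by content (the MS-SHLLINK header bytes, even when the member has been renamed to `.pdf`). The sample archive, its file names and the helper names are constructed for the example; the header signature is the documented shell-link header size followed by the LinkCLSID.

```python
"""Flag shortcut (.lnk) files hidden inside ZIP attachments that pose as
KYC document packets.  Added example; sample archive constructed inline."""
import io
import zipfile

# Windows Shell Link header: HeaderSize 0x0000004C followed by the LinkCLSID
# 00021401-0000-0000-C000-000000000046 in its on-disk (little-endian) layout.
LNK_MAGIC = bytes.fromhex("4c000000" "0114020000000000c000000000000046")

# Extensions a compliance analyst expects to see in an identity packet.
DOCUMENT_EXTS = (".pdf", ".doc", ".docx", ".jpg", ".jpeg", ".png")


def looks_like_document(name: str) -> bool:
    """True if the name a user sees ends in a document-like extension."""
    return name.lower().endswith(DOCUMENT_EXTS)


def is_shell_link(head: bytes) -> bool:
    """True if the bytes begin with a Windows shell link header."""
    return head[: len(LNK_MAGIC)] == LNK_MAGIC


def scan_zip_attachment(blob: bytes) -> list:
    """Return (member name, reason) findings for every suspicious member.

    Name checks catch the plain and double-extension .lnk cases; the
    header check catches a shortcut renamed to a document extension.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            with zf.open(info) as member:
                head = member.read(len(LNK_MAGIC))
            if name.lower().endswith(".lnk"):
                visible = name[:-4]  # what Explorer shows with extensions hidden
                if looks_like_document(visible):
                    findings.append((name, "shortcut masquerading as document (double extension)"))
                else:
                    findings.append((name, "shortcut file inside document archive"))
            elif is_shell_link(head):
                findings.append((name, "shell link header under non-.lnk name"))
    return findings


def build_sample_archive() -> bytes:
    """Constructed sample: a fake KYC packet with two benign members, one
    double-extension shortcut and one shortcut renamed to .pdf."""
    fake_lnk = LNK_MAGIC + b"\x00" * 60  # minimal header, padded; not a working shortcut
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("KYC_packet/README.txt", "Please verify the attached documents.")
        zf.writestr("KYC_packet/utility_bill.pdf", b"%PDF-1.4\n%constructed placeholder\n")
        zf.writestr("KYC_packet/passport_scan.jpg.lnk", fake_lnk)
        zf.writestr("KYC_packet/id_front.pdf", fake_lnk)
    return buf.getvalue()


if __name__ == "__main__":
    for member, reason in scan_zip_attachment(build_sample_archive()):
        print(f"{member}: {reason}")
```

Run the module directly to see the two findings printed; in a mail gateway the same function would be called on each archive attachment and the message quarantined on any non-empty result. Checking the header as well as the name matters because a renamed shortcut never gets the `.lnk` suffix that name-based filters key on.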
Reversed: Their Weakness
Evilnum's mercenary model, selling access and intelligence to multiple clients, carries an operational security cost built into the business: each client acts on the stolen data differently, leaving divergent forensic trails that helped researchers map the group's full scope.
Data sourced from MITRE ATT&CK. For educational purposes.