Threat Intelligence Tarot
Vol. II · 94
North Korea (RGB - Lazarus sub-unit)
risk 4/5
The Jade Thief
Jade Sleet
UNC4899 · TraderTraitor · Slow Pisces
Cryptocurrency exchanges · Blockchain companies · Technology firms · Crypto developers
Active since ~2022 · Cryptocurrency theft, Revenue generation
The Jade Thief does not rob the vault but recruits the locksmith, offering developers dream jobs that arrive pre-loaded with malware. It trades in the currency of trust and the treasury of blockchain.
Tactics & Techniques
  • T1566.003 · Spearphishing via Service · Initial Access
  • T1204.001 · Malicious Link · Execution
  • T1059.001 · PowerShell · Execution
  • T1105 · Ingress Tool Transfer · Command and Control
  • T1195.001 · Compromise Software Dependencies and Development Tools · Initial Access
  • T1657 · Financial Theft · Impact
  • T1041 · Exfiltration Over C2 Channel · Exfiltration
Notable Operations
  • JumpCloud supply chain breach (2023, 1 million+ businesses exposed)
  • Targeting crypto developers via fake job interview exercises
  • Malicious npm packages deployed via GitHub (2024)
  • GitHub repository poisoning campaigns against blockchain developers
Defenses
  • Developer awareness training on fake job offer social engineering tactics
    NIST CSF: PR.AT
  • npm package integrity verification via lockfiles and provenance attestation
    CIS Control 2
  • Privileged network segmentation for cryptocurrency wallet signing infrastructure
    CIS Control 12
  • Multi-party approval requirements for large blockchain transactions
    NIST CSF: PR.AC
Reversed: Their Weakness
Developer awareness of unsolicited job offers containing coding challenges is its Achilles heel. Organizations that verify npm packages with lockfiles and audit dependencies block its supply chain vector.

Data sourced from MITRE ATT&CK. For educational purposes.