Jade Sleet

Jade Sleet, also known as TraderTraitor and UNC4899, is a North Korean state-sponsored threat actor primarily targeting personal GitHub user accounts connected to the blockchain, cryptocurrency, and online gambling sectors. Their activities support Pyongyang's objectives, with GitHub expressing "high confidence" in their involvement. The group has been implicated in various cyber attacks, including the JumpCloud hack, and has been attributed by Microsoft and CISA as the driving force behind these malicious activities. They differentiate themselves from other threat actors such as Lazarus (Moonstone Sleet) through unique structures and styles of their malicious code packages. In July 2023, GitHub disclosed details of an npm campaign where Jade Sleet used fake personas to target the cybersecurity sector among others. This was part of a broader social engineering spear-phishing campaign that targeted employees of cryptocurrency and technology organizations. The attackers utilized GitHub repos and weaponized npm packages, often impersonating developers or recruiters. In some instances, they created false persona accounts on platforms like GitHub, LinkedIn, Slack, and Telegram, while in others, they took control of legitimate accounts. The FBI has attributed the blockchain activity to Jade Sleet, confirming their focus on users and vendors associated with cryptocurrency and other blockchain-related organizations. The threat posed by this group extends beyond direct targets, affecting the broader cybersecurity landscape due to their sophisticated attack methods and state sponsorship. It is critical for organizations, especially those operating within Jade Sleet's primary target sectors, to remain vigilant against such threats and implement robust security measures to safeguard their digital assets.