{ "id": "77612c1a-4830-4718-8502-38daf6b28a59", "created_at": "2026-04-06T00:18:30.351321Z", "updated_at": "2026-04-10T13:11:46.991768Z", "deleted_at": null, "sha1_hash": "5dd93c9f77a37e72459e7bf5fb94f9849e677a21", "title": "TraderTraitor: Deep Dive", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 108430, "plain_text": "TraderTraitor: Deep Dive\r\nBy Merav Bar\r\nPublished: 2025-07-28 · Archived: 2026-04-05 19:50:16 UTC\r\nTraderTraitor is a cluster of North Korean activity aimed at stealing digital assets (cryptocurrencies such as\r\nBitcoin and Ether). In addition to leveraging traditional techniques such as sending phishing emails and infecting\r\nvictims with trojanized software, TraderTraitor has conducted more complex operations including supply chain\r\ncompromises and diverting legitimate transactions. Since its first public mention in 2022, TraderTraitor has been\r\nlinked to major cryptocurrency thefts and has targeted cloud services and software development platforms in\r\noperations like the JumpCloud supply chain attack and the ByBit hack. Given the nature of this actor’s current\r\nactivities and the threat they pose to cloud customers globally, Wiz Threat Research has decided to publish this\r\ndeep-dive into their history and tradecraft.\r\nWho is TraderTraitor?\r\n\"TraderTraitor\" was originally a codename used by the U.S. government to describe a cluster of North Korean\r\nstate-sponsored cyber activity. In an April 2022 joint advisory, the FBI, CISA, and U.S. Treasury confirmed that\r\nthe DPRK-backed entities behind TraderTraitor are tracked as Lazarus Group, APT38, BlueNoroff, and Stardust\r\nChollima. These names refer to North Korea’s elite hacking units, and the TraderTraitor activity appears to be part\r\nof their financially-motivated operations. TraderTraitor has also been assigned UNC4899 [GTIG], Jade Sleet\r\n[MSTIC] and Slow Pisces [Unit42].\r\nMultiple government and industry reports since 2022 have attributed major cryptocurrency thefts to TraderTraitor,\r\nwhile underscoring its Lazarus lineage. For example, the FBI and Japan’s NPA attributed a $308 million Bitcoin\r\nDMM exchange heist (May 2024) to TraderTraitor, calling it a Lazarus subgroup characterized by using\r\nsimultaneous social engineering of multiple employees to gain initial access to their target. Similarly, a\r\n$1.5 billion hack of the Bybit crypto exchange in late 2024 was attributed by the FBI to \"North Korean\r\nTraderTraitor actors\". These attributions cement TraderTraitor as an operation under the Lazarus umbrella. North\r\nKorea’s Reconnaissance General Bureau (RGB) is believed to be the sponsoring agency behind Lazarus and its\r\nsubgroups like TraderTraitor, with some analysis pointing specifically to the 3rd bureau (Bureau of Foreign\r\nIntelligence).\r\nFinancial gain is the primary strategic objective of TraderTraitor. North Korea’s regime, under heavy sanctions,\r\nleverages these cyber operations to steal cryptocurrency and generate revenue to fund state programs. The\r\nTraderTraitor campaigns specifically target blockchain and cryptocurrency organizations – such as exchanges,\r\nDeFi platforms, crypto startups, venture funds, and even wealthy individual crypto holders – with the goal of\r\nstealing digital assets. Stolen funds (often in the form of Bitcoin, Ether, or other crypto) are laundered and\r\nconverted to support North Korea’s priorities. This exclusive focus on blockchain targets and its use of supply\r\nchain attacks using trojanized open-source packages (npm, PyPI) differentiates them from other Lazarus sub-groups. \r\nhttps://www.wiz.io/blog/north-korean-tradertraitor-crypto-heist\r\nPage 1 of 10\n\nBeyond direct theft, TraderTraitor may also pursue strategic espionage objectives in the crypto/blockchain sector.\r\nReports indicate the attackers seem to seek to acquire sensitive cryptocurrency intellectual property and\r\ntechnology. However, the immediate operational goal is typically theft rather than long-term espionage:\r\nTraderTraitor intrusions often move quickly from initial access to illicit blockchain transactions within days. This\r\naligns with Lazarus’s dual goals for espionage and profit: TraderTraitor campaigns join nation-state tactics with\r\nfinancially driven outcomes, effectively turning cybercrime into a revenue stream for the North Korean state.\r\nEvolution of TraderTraitor\r\nTraderTraitor has conducted several major campaigns since 2020, all sharing common tactics (social engineering,\r\ntrojanized malware or code) but targeting different parts of the cryptocurrency ecosystem.\r\nTrojanized Cryptocurrency Applications (2020–2022)\r\nThe earliest campaign attributed later to TraderTraitor involved trojanized cryptocurrency trading applications\r\ndelivered to victims under the pretense of job recruitment. According to a U.S. government advisory, the attackers\r\nsend phishing messages [T1566.003] on platforms like LinkedIn, Slack, or Telegram to employees of crypto\r\ncompanies (especially those in DevOps, IT, or system admin roles). These messages posed as recruiters offering\r\nlucrative jobs and enticed targets to download fake crypto applications [T1204.002] that contain malicious\r\npayloads. These malicious apps – built on JavaScript [T1059.007] and Node.js using the Electron framework – are\r\nreferred to collectively as \"TraderTraitor\" apps by U.S. authorities.\r\nThe initial apps themselves appeared to be functional (e.g. crypto price trackers or trading tools) and even feature\r\npolished websites and valid code signatures to appear legitimate, but in reality, they are repurposed open-source\r\ncrypto tools implanted with malicious update routines. These apps were often digitally signed with compromised\r\nor fraudulent Apple code-signing certificates (later revoked) to bypass security warnings [T1553.002]. \r\nEach malicious application had an \"update\" mechanism that would contact a hardcoded C2 URL [T1105]. The C2\r\nserver could respond with an encrypted second stage payload (using AES-256 [T1027]) that the app would\r\ndecrypt and execute on the victim’s machine. In this way, TraderTraitor apps delivered malware such as\r\nMANUSCRYPT (a remote access trojan) onto victims’ systems. MANUSCRYPT would then harvest system info\r\n[T1082], execute arbitrary commands [T1059], and ultimately seek out cryptocurrency wallet keys or credentials\r\nto enable theft of funds.\r\nThis campaign, active through 2020–2022, successfully breached multiple organizations. For instance, Lazarus\r\nused similar AppleJeus malware-laced apps in earlier operations to infiltrate crypto exchanges. By mid-2022,\r\nTraderTraitor’s trojan apps were implicated in major thefts, such as the Ronin Network (Axie Infinity) breach\r\nwhere Lazarus stole $620 million after compromising a blockchain game company employee via a fake job offer\r\nPDF [T1566.001] and application (this incident pre-dated the TraderTraitor codename but demonstrates the same\r\ntactics). The confirmed impact of these campaigns includes numerous corporate network intrusions and\r\ncryptocurrency thefts, though specific victim names are often undisclosed.\r\nSupply Chain Compromises (2023)\r\nhttps://www.wiz.io/blog/north-korean-tradertraitor-crypto-heist\r\nPage 2 of 10\n\nIn 2023, TraderTraitor expanded into open-source software supply chain attacks, marking one of the first known\r\ncases of a nation-state APT leveraging public package repositories for attacks. In a campaign uncovered in early\r\n2023, the threat actors impersonated software developers and engaged targeted engineers in collaborative projects\r\non GitHub. After establishing trust (often via LinkedIn or other social contact), the TraderTraitor operators invited\r\nthe victims to collaborate on a GitHub repository that contained malicious JavaScript packages sourced from npm\r\nas dependencies [T1195.001].\r\nThis operation primarily targeted developers working at blockchain and fintech firms. By compromising a\r\ndeveloper’s machine or injecting code into a project, the attackers aimed to infiltrate the victim company’s\r\nsoftware supply chain. The end goal would be either to directly steal crypto (if the developer had wallet access) or\r\nto trojanize the company’s software updates in order to infect many downstream systems.\r\nGitHub and security researchers (e.g. Phylum, Checkmarx) identified this campaign in 2023. GitHub confirmed\r\nthe threat actor’s identity as North Korea’s Jade Sleet/TraderTraitor and took action by suspending the malicious\r\nnpm accounts and repositories. Several malicious domains tied to this NPM campaign were identified,\r\nmasquerading as legit package or crypto services.\r\nJumpCloud compromise\r\nAnother significant supply chain-related attack occurred in July 2023 and targeted a cloud service provider,\r\nJumpCloud. In that case, TraderTraitor (UNC4899) compromised JumpCloud’s platform via spear-phishing, then\r\nabused JumpCloud’s privileged access to push a malicious update [T1195.002] to a handful of cryptocurrency\r\nindustry customers [T1199]. JumpCloud, a cloud identity management (SaaS) provider, revealed that fewer than\r\nfive customers were impacted by this breach. Mandiant’s investigation of one victim confirmed the intrusion\r\nstemmed from the JumpCloud compromise and attributed it to TraderTraitor. The JumpCloud incident is a rare\r\nexample of cloud supply-chain compromise in which the attackers leverage a vendor’s infrastructure (in this case,\r\nidentity management) to bypass traditional defenses.\r\nAnalysis of the JumpCloud compromise\r\nFake Job Lures and Crypto Exchange Heists (2024–2025)\r\nOne of the staples of North Korean social engineering has been \"Operation Dream Job\"-style attacks, so named\r\nfor their use of a fake job offer as a lure. TraderTraitor’s particular take on this technique has been the use of\r\nbogus coding challenges for developers working at crypto exchanges, often delivered as PDF attachments and\r\nlinks to GitHub repositories. They then leverage this foothold in the victim organization in order to pivot to crypto\r\ntransaction systems, ultimately stealing huge sums of digital currency.\r\nWhile TraderTratior isn’t the only North Korean actor to target this sector (WazirX, an Indian crypto exchange,\r\nwas compromised in July 2024 by a North Korean actor using similar techniques to those of TraderTraitor), they\r\nhave certainly had the most public success in terms of raw numbers.\r\nThe attack on Ginco and DMM bitcoin (4502.9 BTC or 308 million USD)\r\nhttps://www.wiz.io/blog/north-korean-tradertraitor-crypto-heist\r\nPage 3 of 10\n\nIn March 2024, a TraderTraitor operative posed as a recruiter and lured a developer at Ginco into running a\r\nmalicious Python script from a fake coding challenge hosted on GitHub [T1059.006,T1204.002]. The malware,\r\nidentified as RN Loader and RN Stealer, harvested sensitive data including SSH keys, saved credentials, and cloud\r\nconfigurations [T1552.004]. Using the stolen session cookies [T1550.004], the attackers accessed Ginco’s internal\r\nsystems and breached an unencrypted communication channel linked to DMM Bitcoin. By late May, they\r\nexploited this access to divert 4,502.9 BTC (approximately $308 million) in a fraudulent transaction. The FBI and\r\nJapanese authorities formally attributed the attack to TraderTraitor.\r\nThe Bybit hack\r\nAnother massive heist followed in late 2024: the Bybit exchange hack, in which TraderTraitor successfully stole\r\nover 400,000 ETH and staked ETH—amounting to approximately $1.5 billion USD. While details of the initial\r\nintrusion were not fully public at the time, subsequent investigation revealed that the operation was both\r\nsophisticated and emblematic of TraderTraitor’s evolving tradecraft. In early February 2025, the attacker set up\r\ninfrastructure by registering the domain getstockprice[.]com, which was later used as a command-and-control\r\n(C2) endpoint. Shortly after, a developer's macOS workstation—Developer1—was compromised via a malicious\r\nPython application likely delivered through social engineering on Telegram or Discord.\r\nThis application included a malicious docker image [T1609] and contacted the attacker’s domain. The attacker\r\nthen used stolen AWS session tokens to access Safe{Wallet}’s cloud environment and attempted to register a\r\nvirtual MFA device to maintain persistence. Throughout mid-February, the attacker conducted reconnaissance,\r\nenumerating IAM roles, S3 buckets, and other cloud assets [T1580]. By late February, they had moved to active\r\nC2 communication and tampered with Safe{Wallet}’s statically hosted frontend (built with Next.js) by injecting\r\nmalicious JavaScript [T1578.005]. This payload was designed to detect Bybit transactions and modify them in real\r\ntime, redirecting funds to the attacker’s wallet. The exploit was executed later that month, and the script was\r\nscrubbed from the site shortly after - finalizing the theft.\r\nThe FBI publicly attributed the incident to TraderTraitor in January 2025, confirming the operation leveraged\r\nSafe{Wallet} as a supply chain weak point rather than compromising Bybit infrastructure directly. This marked\r\none of the largest cryptocurrency thefts ever, and further underscored TraderTraitor’s ability to combine cloud\r\naccess, social engineering, and web app tampering to devastating effect.\r\nAnalysis of the Bybit compromise\r\nA Focus on Cloud\r\nTraderTraitor has demonstrated a sustained interest in cloud-centric and cloud-adjacent attack surfaces, often with\r\na final goal of compromising companies that are customers of cloud platforms rather than the platforms\r\nthemselves. This was evident in the JumpCloud breach, where the group infiltrated a cloud-based identity and\r\ndevice management provider to compromise downstream organizations. A similar pattern emerged in the Bybit\r\nheist, where TraderTraitor gained access to Safe{Wallet}’s AWS environment by stealing active session tokens\r\nfrom a compromised developer machine—effectively bypassing multi-factor authentication. The attackers\r\nleveraged these credentials to conduct reconnaissance, plant malware in S3 buckets, and explore IAM roles and\r\nhttps://www.wiz.io/blog/north-korean-tradertraitor-crypto-heist\r\nPage 4 of 10\n\ncloud asset configurations before injecting malicious JavaScript into a web application frontend to redirect crypto\r\ntransactions.\r\nTheir ability to abuse trusted cloud service providers as supply chain pivots—for example, by injecting malicious\r\ncode into an orchestration framework—highlights their capabilities in cloud-native compromise paths, even if\r\nthese are not their main focus. Moreover, their malware has evolved to exfiltrate cloud service credentials and\r\nconfiguration files [T1552.004] from infected developer machines, as seen with RN Stealer. These tactics suggest\r\nthat TraderTraitor understands the value of cloud credentials, APIs, and SaaS integrations as a route to privileged\r\naccess and broader lateral movement [T1087.004]. Their adoption of open-source package poisoning and GitHub-based lures further supports their intent to penetrate cloud-connected development pipelines, making cloud\r\nenvironments a high-value vector in their ongoing operations.\r\nHow can Wiz help?\r\nPrevention\r\n1. Wiz customers can implement Controls for network and identity segmentation to obstruct potential lateral\r\nmovement to highly privileged principals or sensitive resources, limiting the blast radius of potential\r\nemployee workstation compromise.\r\n2. Wiz customers can identify overly permissive users in order to limit developer permissions to the minimum\r\nrequired set, which is especially important in production and CI/CD environments.\r\n3. Wiz customers can rely on Wiz CSPM, Secrets Scanner, and Dynamic Scanner to monitor cloud\r\nconfiguration and secrets (e.g., AWS credentials, SSH keys) for anomalies or inadvertent exposure.\r\n4. Wiz Code customers can track code dependencies to detect suspicious packages, and use Cloud-to-Code\r\nmapping to identify what cloud resources these packages may have built.\r\nDetection\r\n1. Wiz Defend customers can monitor for enumeration attempts, cloud key compromise, suspicious MFA\r\ndevice registration, and many other techniques employed by TraderTraitor.\r\n2. Wiz Sensor customers can  investigate any outgoing connections to campaign-associated IP addresses, and\r\nWiz Defend customers can further investigate by querying for events initiated by principals connecting\r\nfrom IP addresses linked to this campaign.\r\n3. Wiz customers can use the Security Graph and Wiz Sensor to detect malware matching related indicators of\r\ncompromise in their environment.\r\nScreenshot from Wiz Threat Actors page for TraderTraitor\r\nSummary\r\nhttps://www.wiz.io/blog/north-korean-tradertraitor-crypto-heist\r\nPage 5 of 10\n\nTraderTraitor is a financially motivated North Korean threat subgroup of Lazarus, targeting the cryptocurrency\r\nand blockchain ecosystem since at least 2020. Their operations blend nation-state sophistication with\r\ncybercriminal tactics, relying heavily on social engineering, trojanized applications, and supply chain\r\ncompromises to steal digital assets. Publicly attributed by organisations like the FBI and Japan’s NPA, the group\r\nhas been linked to some of the largest crypto heists to date, including attacks on DMM Bitcoin and Bybit.\r\nTraderTraitor has also expanded into cloud-adjacent attacks—compromising vendors like JumpCloud—and\r\nactively targets developers through poisoned open-source packages and GitHub lures. Their evolving methods\r\nunderscore the risk they pose to cloud-connected organizations.\r\nTTPs\r\nAll Mitre ATT\u0026CK techniques are also detailed in this map. \r\nMITRE Tactic Technique \u0026 ID TraderTraitor Example\r\nInitial Access\r\nSpearphishing Link/Attachment\r\n(T1566.002)\r\nLinkedIn recruiter sends target a malicious app or\r\nGitHub link.\r\nInitial Access\r\nSpearphishing via Service\r\n(T1566.003)\r\nMalicious messages delivered through Slack,\r\nLinkedIn, Telegram.\r\nInitial Access\r\nSpearphishing with Attachment\r\n(T1566.001)\r\nFake PDF job offers deliver malware.\r\nExecution User Execution (T1204.002)\r\nVictim runs trojanized crypto app or installs malicious\r\nNPM package, executing malware.\r\nExecution\r\nCommand and Scripting\r\nInterpreter: JavaScript\r\n(T1059.007)\r\nTraderTraitor apps use JavaScript and Node.js.\r\nExecution\r\nCommand and Scripting\r\nInterpreter: Python (T1059.006)\r\nFake coding challenges delivered as Python scripts.\r\nExecution\r\nCommand and Scripting\r\nInterpreter (T1059)\r\nMalware executes arbitrary commands on host.\r\nPersistence Valid Accounts (T1078)\r\nStolen credentials (cookies, keys) used to maintain\r\naccess as a legitimate user.\r\nDefense\r\nEvasion\r\nSubvert Trust Controls: Code\r\nSigning (T1553.002)\r\nMalware apps signed with stolen or fake Apple\r\nDeveloper certs.\r\nDefense\r\nEvasion\r\nAcquire Code Signing\r\nCertificate (T1588.003)\r\nThreat actor obtains or uses compromised certs to\r\nsign apps.\r\nhttps://www.wiz.io/blog/north-korean-tradertraitor-crypto-heist\r\nPage 6 of 10\n\nMITRE Tactic Technique \u0026 ID TraderTraitor Example\r\nCredential\r\nAccess\r\nUnsecured Credentials:\r\nCredentials In Files\r\n(T1552.004)\r\nRN Stealer extracts credentials and cloud configs\r\nfrom files.\r\nCredential\r\nAccess\r\nCredentials from Password\r\nStores (T1555)\r\nSteals saved passwords, SSH keys, cloud service\r\ncredentials.\r\nLateral\r\nMovement\r\nUse Alternate Authentication\r\nMaterial (T1550.004)\r\nSession cookies used to impersonate users and pivot\r\ninternally.\r\nCollection\r\nSystem Information Discovery\r\n(T1082)\r\nManuscrypt collects host details to support further\r\nexploitation.\r\nCommand \u0026\r\nControl\r\nIngress Tool Transfer (T1105)\r\nMalware retrieves second-stage payloads from\r\nattacker C2.\r\nCommand \u0026\r\nControl\r\nApplication Layer Protocol:\r\nWeb Protocols (T1071.001)\r\nMalware uses HTTPS callbacks to C2 servers.\r\nCommand \u0026\r\nControl\r\nObfuscated Files or Information\r\n(T1027)\r\nAES-256 encryption used to conceal payloads.\r\nExfiltration\r\nExfiltration Over C2 Channel\r\n(T1041)\r\nSensitive data (e.g. keys, credentials) exfiltrated via\r\nHTTPS.\r\nImpact\r\nData Manipulation /\r\nCryptocurrency Theft\r\nInitiates unauthorized blockchain transactions.\r\nResource\r\nDevelopment\r\nCompromise Software\r\nDependencies and Development\r\nTools (T1195.001)\r\nMalicious NPM/PyPI packages used to compromise\r\ndev environments. Split JavaScript malware in npm\r\npackages, first-stage downloader and second-stage\r\nloader.\r\nResource\r\nDevelopment\r\nCompromise Infrastructure:\r\nSoftware Supply Chain\r\n(T1195.002)\r\nJumpCloud supply chain attack to access downstream\r\ncrypto firms.\r\nDiscovery\r\nAccount Discovery: Cloud\r\nAccount (T1087.004)\r\nIdentifies cloud environments and configurations for\r\nlateral movement.\r\nLateral\r\nMovement\r\nTrusted Relationship (T1199)\r\nUses compromised cloud service provider to reach\r\ncustomer networks.\r\nInitial Access Container Images (T1609) Use of a malicious Docker image to initiate execution.\r\nhttps://www.wiz.io/blog/north-korean-tradertraitor-crypto-heist\r\nPage 7 of 10\n\nMITRE Tactic Technique \u0026 ID TraderTraitor Example\r\nPersistence\r\nCreate or Modify System\r\nProcess: Cloud Service\r\nModification (T1543.003)\r\nAttempt to register a virtual MFA device to persist\r\naccess.\r\nDiscovery\r\nCloud Infrastructure Discovery\r\n(T1580)\r\nEnumeration of IAM roles, S3 buckets, and other\r\ncloud assets.\r\nDefense\r\nEvasion\r\nModify Cloud Compute\r\nInfrastructure (T1578.005)\r\nInjection of malicious JavaScript into statically hosted\r\nfrontend (Next.js app).\r\nTools\r\nType Value/Name Description\r\nMalware RN Loader\r\nFirst-stage loader used to collect basic system info and\r\nconnect to C2.\r\nMalware RN Stealer\r\nPython-based infostealer targeting SSH keys, saved logins,\r\nand cloud service credentials.\r\nMalware GopherGrabber\r\nGo-based stealer/backdoor with credential theft and C2 via\r\nRC4/MD5.\r\nMalware GolangGhost Go-based cross-platform RAT used in ClickFix campaign.\r\nMalware ThreatNeedle\r\nLazarus RAT used in espionage, reused by TraderTraitor\r\nin South Korea.\r\nMalware AGAMEMNON Backdoor used in updated TraderTraitor campaigns.\r\nMalware wAgent Known Lazarus backdoor reused in TraderTraitor activity.\r\nMalware SIGNBT\r\nLazarus malware family reused in updated TraderTraitor\r\noperations.\r\nMalware COPPERHEDGE\r\nRAT associated with Lazarus, observed in TraderTraitor\r\nactivity.\r\nMalware TIEDYE\r\nCustom backdoor targeting macOS, heavily obfuscated to\r\nprevent detection.\r\nPackage pycryptoenv / pycryptoconf\r\nTyposquatted Python packages targeting crypto developers\r\nvia PyPI.\r\nInfrastructure\r\nGitHub repos / fake\r\ninterview pages\r\nUsed to deliver malware like GopherGrabber and\r\nGolangGhost.\r\nhttps://www.wiz.io/blog/north-korean-tradertraitor-crypto-heist\r\nPage 8 of 10\n\nType Value/Name Description\r\nInfrastructure\r\nFake Willo video interview\r\nplatform\r\nUsed to deliver malware post-interview engagement.\r\nSoftware\r\nExploit\r\nInnorix Agent flaw Used for lateral movement within Korean networks.\r\nIndicators of compromise from the campaigns listed above can be found in the Wiz Threat Research public IOC\r\ndatabase.\r\nReferences\r\nCheckmarx blogpost \r\nJavier Calderon Jr (xthemadgenius) blogpost\r\nS2W report\r\nSekoia blogpost\r\nHivePro advisory\r\nGTI blogpost\r\nJPCert advisory\r\nCISA advisory\r\nBroadcom blogpost\r\nWired article\r\nSentinelOne blogpost\r\nGithub blogpost\r\nUnit42 blogpost\r\nElliptic blogpost\r\nPhylum blogpost 1 \r\nPhylum blogpost 2 \r\nReversingLabs blogpost\r\nKaspersky blogpost\r\nElastic blogpost\r\nhttps://www.wiz.io/blog/north-korean-tradertraitor-crypto-heist\r\nPage 9 of 10\n\nSource: https://www.wiz.io/blog/north-korean-tradertraitor-crypto-heist\r\nhttps://www.wiz.io/blog/north-korean-tradertraitor-crypto-heist\r\nPage 10 of 10", "extraction_quality": 1, "language": "EN", "sources": [ "Malpedia" ], "origins": [ "web" ], "references": [ "https://www.wiz.io/blog/north-korean-tradertraitor-crypto-heist" ], "report_names": [ "north-korean-tradertraitor-crypto-heist" ], "threat_actors": [ { "id": "34eea331-d052-4096-ae03-a22f1d090bd4", "created_at": "2025-08-07T02:03:25.073494Z", "updated_at": "2026-04-10T02:00:03.709243Z", "deleted_at": null, "main_name": "NICKEL ACADEMY", "aliases": [ "ATK3 ", "Black Artemis ", "COVELLITE ", "CTG-2460 ", "Citrine Sleet ", "Diamond Sleet ", "Guardians of Peace", "HIDDEN COBRA ", "High Anonymous", "Labyrinth Chollima ", "Lazarus Group ", "NNPT Group", "New Romanic Cyber Army Team", "Temp.Hermit ", "UNC577 ", "Who Am I?", "Whois Team", "ZINC " ], "source_name": "Secureworks:NICKEL ACADEMY", "tools": [ "Destover", "KorHigh", "Volgmer" ], "source_id": "Secureworks", "reports": null }, { "id": "810fada6-3a62-477e-ac11-2702f9a1ef80", "created_at": "2023-01-06T13:46:38.874104Z", "updated_at": "2026-04-10T02:00:03.129286Z", "deleted_at": null, "main_name": "STARDUST CHOLLIMA", "aliases": [ "Sapphire Sleet" ], "source_name": "MISPGALAXY:STARDUST CHOLLIMA", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "544ecd2c-82c9-417c-9d98-d1ae395df964", "created_at": "2025-10-29T02:00:52.035025Z", "updated_at": "2026-04-10T02:00:05.408558Z", "deleted_at": null, "main_name": "AppleJeus", "aliases": [ "AppleJeus", "Gleaming Pisces", "Citrine Sleet", "UNC1720", "UNC4736" ], "source_name": "MITRE:AppleJeus", "tools": null, "source_id": "MITRE", "reports": null }, { "id": "0106b19a-ac99-4bc9-90b9-4647bfc5f3ce", "created_at": "2023-11-08T02:00:07.144995Z", "updated_at": "2026-04-10T02:00:03.425891Z", "deleted_at": null, "main_name": "TraderTraitor", "aliases": [ "Pukchong", "Jade Sleet", "UNC4899" ], "source_name": "MISPGALAXY:TraderTraitor", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "732597b1-40a8-474c-88cc-eb8a421c29f1", "created_at": "2025-08-07T02:03:25.087732Z", "updated_at": "2026-04-10T02:00:03.776007Z", "deleted_at": null, "main_name": "NICKEL GLADSTONE", "aliases": [ "APT38 ", "ATK 117 ", "Alluring Pisces ", "Black Alicanto ", "Bluenoroff ", "CTG-6459 ", "Citrine Sleet ", "HIDDEN COBRA ", "Lazarus Group", "Sapphire Sleet ", "Selective Pisces ", "Stardust Chollima ", "T-APT-15 ", "TA444 ", "TAG-71 " ], "source_name": "Secureworks:NICKEL GLADSTONE", "tools": [ "AlphaNC", "Bankshot", "CCGC_Proxy", "Ratankba", "RustBucket", "SUGARLOADER", "SwiftLoader", "Wcry" ], "source_id": "Secureworks", "reports": null }, { "id": "a2b92056-9378-4749-926b-7e10c4500dac", "created_at": "2023-01-06T13:46:38.430595Z", "updated_at": "2026-04-10T02:00:02.971571Z", "deleted_at": null, "main_name": "Lazarus Group", "aliases": [ "Operation DarkSeoul", "Bureau 121", "Group 77", "APT38", "NICKEL GLADSTONE", "G0082", "COPERNICIUM", "Moonstone Sleet", "Operation GhostSecret", "APT 38", "Appleworm", "Unit 121", "ATK3", "G0032", "ATK117", "NewRomanic Cyber Army Team", "Nickel Academy", "Sapphire Sleet", "Lazarus group", "Hastati Group", "Subgroup: Bluenoroff", "Operation Troy", "Black Artemis", "Dark Seoul", "Andariel", "Labyrinth Chollima", "Operation AppleJeus", "COVELLITE", "Citrine Sleet", "DEV-0139", "DEV-1222", "Hidden Cobra", "Bluenoroff", "Stardust Chollima", "Whois Hacking Team", "Diamond Sleet", "TA404", "BeagleBoyz", "APT-C-26" ], "source_name": "MISPGALAXY:Lazarus Group", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "32a223a8-3c79-4146-87c5-8557d38662ae", "created_at": "2022-10-25T15:50:23.703698Z", "updated_at": "2026-04-10T02:00:05.261989Z", "deleted_at": null, "main_name": "Lazarus Group", "aliases": [ "Lazarus Group", "Labyrinth Chollima", "HIDDEN COBRA", "Guardians of Peace", "NICKEL ACADEMY", "Diamond Sleet" ], "source_name": "MITRE:Lazarus Group", "tools": [ "RawDisk", "Proxysvc", "BADCALL", "FALLCHILL", "WannaCry", "MagicRAT", "HOPLIGHT", "TYPEFRAME", "Dtrack", "HotCroissant", "HARDRAIN", "Dacls", "KEYMARBLE", "TAINTEDSCRIBE", "AuditCred", "netsh", "ECCENTRICBANDWAGON", "AppleJeus", "BLINDINGCAN", "ThreatNeedle", "Volgmer", "Cryptoistic", "RATANKBA", "Bankshot" ], "source_id": "MITRE", "reports": null }, { "id": "f426f0a0-faef-4c0e-bcf8-88974116c9d0", "created_at": "2022-10-25T15:50:23.240383Z", "updated_at": "2026-04-10T02:00:05.299433Z", "deleted_at": null, "main_name": "APT38", "aliases": [ "APT38", "NICKEL GLADSTONE", "BeagleBoyz", "Bluenoroff", "Stardust Chollima", "Sapphire Sleet", "COPERNICIUM" ], "source_name": "MITRE:APT38", "tools": [ "ECCENTRICBANDWAGON", "HOPLIGHT", "Mimikatz", "KillDisk", "DarkComet" ], "source_id": "MITRE", "reports": null }, { "id": "1bdb91cf-f1a6-4bed-8cfa-c7ea1b635ebd", "created_at": "2022-10-25T16:07:23.766784Z", "updated_at": "2026-04-10T02:00:04.7432Z", "deleted_at": null, "main_name": "Bluenoroff", "aliases": [ "APT 38", "ATK 117", "Alluring Pisces", "Black Alicanto", "Bluenoroff", "CTG-6459", "Copernicium", "G0082", "Nickel Gladstone", "Sapphire Sleet", "Selective Pisces", "Stardust Chollima", "T-APT-15", "TA444", "TAG-71", "TEMP.Hermit" ], "source_name": "ETDA:Bluenoroff", "tools": [], "source_id": "ETDA", "reports": null }, { "id": "f32df445-9fb4-4234-99e0-3561f6498e4e", "created_at": "2022-10-25T16:07:23.756373Z", "updated_at": "2026-04-10T02:00:04.739611Z", "deleted_at": null, "main_name": "Lazarus Group", "aliases": [ "APT-C-26", "ATK 3", "Appleworm", "Citrine Sleet", "DEV-0139", "Diamond Sleet", "G0032", "Gleaming Pisces", "Gods Apostles", "Gods Disciples", "Group 77", "Guardians of Peace", "Hastati Group", "Hidden Cobra", "ITG03", "Jade Sleet", "Labyrinth Chollima", "Lazarus Group", "NewRomanic Cyber Army Team", "Operation 99", "Operation AppleJeus", "Operation AppleJeus sequel", "Operation Blockbuster: Breach of Sony Pictures Entertainment", "Operation CryptoCore", "Operation Dream Job", "Operation Dream Magic", "Operation Flame", "Operation GhostSecret", "Operation In(ter)caption", "Operation LolZarus", "Operation Marstech Mayhem", "Operation No Pineapple!", "Operation North Star", "Operation Phantom Circuit", "Operation Sharpshooter", "Operation SyncHole", "Operation Ten Days of Rain / DarkSeoul", "Operation Troy", "SectorA01", "Slow Pisces", "TA404", "TraderTraitor", "UNC2970", "UNC4034", "UNC4736", "UNC4899", "UNC577", "Whois Hacking Team" ], "source_name": "ETDA:Lazarus Group", "tools": [ "3CX Backdoor", "3Rat Client", "3proxy", "AIRDRY", "ARTFULPIE", "ATMDtrack", "AlphaNC", "Alreay", "Andaratm", "AngryRebel", "AppleJeus", "Aryan", "AuditCred", "BADCALL", "BISTROMATH", "BLINDINGCAN", "BTC Changer", "BUFFETLINE", "BanSwift", "Bankshot", "Bitrep", "Bitsran", "BlindToad", "Bookcode", "BootWreck", "BottomLoader", "Brambul", "BravoNC", "Breut", "COLDCAT", "COPPERHEDGE", "CROWDEDFLOUNDER", "Castov", "CheeseTray", "CleanToad", "ClientTraficForwarder", "CollectionRAT", "Concealment Troy", "Contopee", "CookieTime", "Cyruslish", "DAVESHELL", "DBLL Dropper", "DLRAT", "DRATzarus", "DRATzarus RAT", "Dacls", "Dacls RAT", "DarkComet", "DarkKomet", "DeltaCharlie", "DeltaNC", "Dembr", "Destover", "DoublePulsar", "Dozer", "Dtrack", "Duuzer", "DyePack", "ECCENTRICBANDWAGON", "ELECTRICFISH", "Escad", "EternalBlue", "FALLCHILL", "FYNLOS", "FallChill RAT", "Farfli", "Fimlis", "FoggyBrass", "FudModule", "Fynloski", "Gh0st RAT", "Ghost RAT", "Gopuram", "HARDRAIN", "HIDDEN COBRA RAT/Worm", "HLOADER", "HOOKSHOT", "HOPLIGHT", "HOTCROISSANT", "HOTWAX", "HTTP Troy", "Hawup", "Hawup RAT", "Hermes", "HotCroissant", "HotelAlfa", "Hotwax", "HtDnDownLoader", "Http Dr0pper", "ICONICSTEALER", "Joanap", "Jokra", "KANDYKORN", "KEYMARBLE", "Kaos", "KillDisk", "KillMBR", "Koredos", "Krademok", "LIGHTSHIFT", "LIGHTSHOW", "LOLBAS", "LOLBins", "Lazarus", "LightlessCan", "Living off the Land", "MATA", "MBRkiller", "MagicRAT", "Manuscrypt", "Mimail", "Mimikatz", "Moudour", "Mydoom", "Mydoor", "Mytob", "NACHOCHEESE", "NachoCheese", "NestEgg", "NickelLoader", "NineRAT", "Novarg", "NukeSped", "OpBlockBuster", "PCRat", "PEBBLEDASH", "PLANKWALK", "POOLRAT", "PSLogger", "PhanDoor", "Plink", "PondRAT", "PowerBrace", "PowerRatankba", "PowerShell RAT", "PowerSpritz", "PowerTask", "Preft", "ProcDump", "Proxysvc", "PuTTY Link", "QUICKRIDE", "QUICKRIDE.POWER", "Quickcafe", "QuiteRAT", "R-C1", "ROptimizer", "Ratabanka", "RatabankaPOS", "Ratankba", "RatankbaPOS", "RawDisk", "RedShawl", "Rifdoor", "Rising Sun", "Romeo-CoreOne", "RomeoAlfa", "RomeoBravo", "RomeoCharlie", "RomeoCore", "RomeoDelta", "RomeoEcho", "RomeoFoxtrot", "RomeoGolf", "RomeoHotel", "RomeoMike", "RomeoNovember", "RomeoWhiskey", "Romeos", "RustBucket", "SHADYCAT", "SHARPKNOT", "SIGFLIP", "SIMPLESEA", "SLICKSHOES", "SORRYBRUTE", "SUDDENICON", "SUGARLOADER", "SheepRAT", "SierraAlfa", "SierraBravo", "SierraCharlie", "SierraJuliett-MikeOne", "SierraJuliett-MikeTwo", "SimpleTea", "SimplexTea", "SmallTiger", "Stunnel", "TAINTEDSCRIBE", "TAXHAUL", "TFlower", "TOUCHKEY", "TOUCHMOVE", "TOUCHSHIFT", "TOUCHSHOT", "TWOPENCE", "TYPEFRAME", "Tdrop", "Tdrop2", "ThreatNeedle", "Tiger RAT", "TigerRAT", "Trojan Manuscript", "Troy", "TroyRAT", "VEILEDSIGNAL", "VHD", "VHD Ransomware", "VIVACIOUSGIFT", "VSingle", "ValeforBeta", "Volgmer", "Vyveva", "W1_RAT", "Wana Decrypt0r", "WanaCry", "WanaCrypt", "WanaCrypt0r", "WannaCry", "WannaCrypt", "WannaCryptor", "WbBot", "Wcry", "Win32/KillDisk.NBB", "Win32/KillDisk.NBC", "Win32/KillDisk.NBD", "Win32/KillDisk.NBH", "Win32/KillDisk.NBI", "WinorDLL64", "Winsec", "WolfRAT", "Wormhole", "YamaBot", "Yort", "ZetaNile", "concealment_troy", "http_troy", "httpdr0pper", "httpdropper", "klovbot", "sRDI" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434710, "ts_updated_at": 1775826706, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/5dd93c9f77a37e72459e7bf5fb94f9849e677a21.pdf", "text": "https://archive.orkl.eu/5dd93c9f77a37e72459e7bf5fb94f9849e677a21.txt", "img": "https://archive.orkl.eu/5dd93c9f77a37e72459e7bf5fb94f9849e677a21.jpg" } }