Lazarus Subgroup ‘TraderTraitor’ Attacking Cloud Platforms and Poisoning Supply Chains

A sophisticated North Korean cyber espionage operation known as TraderTraitor has emerged as one of the most formidable threats to the global cryptocurrency ecosystem, conducting billion-dollar heists through advanced supply chain compromises and cloud platform infiltrations.

Originally codenamed by the U.S. government in 2022, TraderTraitor represents a specialized subgroup within the notorious Lazarus Group, North Korea’s elite hacking unit operating under the Reconnaissance General Bureau.

The threat actor has demonstrated unprecedented sophistication in targeting blockchain organizations, cryptocurrency exchanges, and cloud service providers through a combination of social engineering, trojanized applications, and supply chain attacks.

Since 2020, TraderTraitor has been linked to some of the largest cryptocurrency thefts in history, including the $1.5 billion Bybit exchange hack and the $308 million DMM Bitcoin heist, showcasing their ability to bypass traditional security measures through innovative attack vectors.

Wiz.io analysts identified TraderTraitor’s evolution from simple trojanized cryptocurrency applications to complex multi-stage supply chain compromises that leverage trusted cloud platforms as attack vectors.

The group’s operations blend nation-state sophistication with cybercriminal tactics, utilizing legitimate development platforms like GitHub and npm repositories to deliver malicious payloads to unsuspecting developers and organizations.

JumpCloud compromise (Source – Wiz.io)

Two landmark cases exemplify TraderTraitor’s advanced capabilities. The JumpCloud compromise in July 2023 demonstrated their ability to infiltrate cloud identity management providers, where attackers used spear-phishing to compromise JumpCloud’s platform and subsequently pushed malicious updates to downstream cryptocurrency customers.

Bybit compromise (Source – Wiz.io)

The Bybit attack showcased even greater technical sophistication: TraderTraitor compromised a developer’s macOS workstation through social engineering on messaging platforms, stole AWS session tokens from it to access Safe{Wallet}’s cloud environment, and injected malicious JavaScript into the platform’s Next.js frontend.

Advanced Infection Mechanisms and Cloud-Centric Attack Patterns

TraderTraitor’s infection methodology represents a significant evolution in nation-state cyber operations, particularly their exploitation of cloud-native development pipelines.

The group’s malware arsenal includes sophisticated tools like RN Loader and RN Stealer, Python-based information stealers specifically designed to harvest SSH keys, saved credentials, and cloud service configurations from compromised developer workstations.

The attack chain typically begins with social engineering campaigns targeting developers through platforms like LinkedIn, Telegram, or Discord, where operatives pose as recruiters offering lucrative job opportunities.

Victims are enticed to download seemingly legitimate cryptocurrency applications or execute malicious Python scripts disguised as coding challenges hosted on GitHub repositories.

These applications, built using JavaScript and Node.js with the Electron framework, contain hardcoded command-and-control URLs that facilitate second-stage payload delivery using AES-256 encryption.

Once established, the malware conducts extensive reconnaissance of cloud environments, enumerating IAM roles, S3 buckets, and other cloud assets before attempting to register virtual MFA devices for persistence.

This cloud-centric approach allows TraderTraitor to bypass traditional network defenses and leverage legitimate cloud credentials to maintain long-term access to target environments.
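The cloud stage of the chain described above (reconnaissance of IAM roles and S3 buckets with a stolen session token, then registration of a virtual MFA device for persistence) leaves a recognisable sequence in AWS CloudTrail. The following detector is an added example written for this article; it is not code from the article, from Wiz.io, or from any referenced incident. It assumes CloudTrail's real record fields (eventName, eventTime, sourceIPAddress, userIdentity.arn, userIdentity.accessKeyId); the 30-minute correlation window, the list of reconnaissance API names, the known-IP baseline and every log line are constructed for the example.

```python
"""Flag AWS CloudTrail principals that enumerate the account and then
register a virtual MFA device within a short window (added example).

Field names match the CloudTrail record schema; all sample events,
account IDs, access key IDs and IP addresses below are constructed.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed: API calls typical of cloud reconnaissance (tunable per environment).
RECON_EVENTS = {"GetCallerIdentity", "ListRoles", "ListBuckets",
                "ListUsers", "ListAttachedRolePolicies", "DescribeInstances"}
# API calls that create the persistence foothold named in the article.
PERSISTENCE_EVENTS = {"CreateVirtualMFADevice", "EnableMFADevice"}
WINDOW = timedelta(minutes=30)  # assumed correlation window


def parse_event(line):
    """Reduce one JSON CloudTrail record to the fields the detector uses."""
    rec = json.loads(line)
    ident = rec.get("userIdentity", {})
    return {
        "time": datetime.strptime(rec["eventTime"], "%Y-%m-%dT%H:%M:%SZ"),
        "name": rec["eventName"],
        "principal": ident.get("arn", "unknown"),
        "key": ident.get("accessKeyId", ""),
        "ip": rec.get("sourceIPAddress", ""),
    }


def is_temporary_key(access_key_id):
    """STS session credentials carry an access key ID starting with ASIA;
    long-lived IAM user keys start with AKIA."""
    return access_key_id.startswith("ASIA")


def detect(lines, known_ips):
    """Return one alert per MFA-registration event preceded by reconnaissance
    from the same principal inside WINDOW; each alert lists its reasons."""
    events = sorted((parse_event(l) for l in lines), key=lambda e: e["time"])
    by_principal = defaultdict(list)
    for e in events:
        by_principal[e["principal"]].append(e)

    alerts = []
    for principal, evs in by_principal.items():
        for e in evs:
            if e["name"] not in PERSISTENCE_EVENTS:
                continue
            recon = sorted({r["name"] for r in evs
                            if r["name"] in RECON_EVENTS
                            and e["time"] - WINDOW <= r["time"] < e["time"]})
            if not recon:
                continue  # MFA enrolment without prior enumeration: benign here
            reasons = [f"reconnaissance {recon} preceded {e['name']}"]
            if is_temporary_key(e["key"]):
                reasons.append("temporary STS credential")
            if e["ip"] not in known_ips.get(principal, set()):
                reasons.append(f"new source IP {e['ip']}")
            alerts.append({"principal": principal, "event": e["name"],
                           "time": e["time"].isoformat(), "reasons": reasons})
    return alerts


# Constructed sample: a stolen role session enumerates, then enrols MFA;
# a regular user lists buckets in the morning and enrols MFA at noon.
ROLE = "arn:aws:sts::123456789012:assumed-role/DevRole/dev-session"
USER = "arn:aws:iam::123456789012:user/alice"
_RAW = [
    (USER, "AKIA0000EXAMPLE", "203.0.113.5", "2025-01-15T09:00:00Z", "ListBuckets"),
    (ROLE, "ASIA0000EXAMPLE", "198.51.100.7", "2025-01-15T10:00:00Z", "GetCallerIdentity"),
    (ROLE, "ASIA0000EXAMPLE", "198.51.100.7", "2025-01-15T10:02:00Z", "ListRoles"),
    (ROLE, "ASIA0000EXAMPLE", "198.51.100.7", "2025-01-15T10:03:00Z", "ListBuckets"),
    (ROLE, "ASIA0000EXAMPLE", "198.51.100.7", "2025-01-15T10:10:00Z", "CreateVirtualMFADevice"),
    (ROLE, "ASIA0000EXAMPLE", "198.51.100.7", "2025-01-15T10:11:00Z", "EnableMFADevice"),
    (USER, "AKIA0000EXAMPLE", "203.0.113.5", "2025-01-15T12:00:00Z", "EnableMFADevice"),
]
SAMPLE_EVENTS = [json.dumps({
    "eventTime": t, "eventName": n, "sourceIPAddress": ip,
    "userIdentity": {"arn": arn, "accessKeyId": key},
}) for arn, key, ip, t, n in _RAW]
KNOWN_IPS = {USER: {"203.0.113.5"}}  # constructed baseline of usual IPs

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS, KNOWN_IPS):
        print(json.dumps(alert))
```

Run against the constructed sample, the detector raises two alerts for the role session (one per MFA API call) and none for the user, whose MFA enrolment has no enumeration within the window. In production the same logic reads from a CloudTrail S3 export or a SIEM query, and the baseline of known IPs per principal would come from historical data rather than a literal.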
