Lazarus Subgroup ‘TraderTraitor’ Targets Cloud Platforms and Contaminates Supply Chains
The North Korean state-sponsored advanced persistent threat (APT) known as TraderTraitor, a subgroup of the notorious Lazarus Group, has emerged as a formidable actor specializing in digital asset heists.
Tracked under aliases such as UNC4899, Jade Sleet, TA444, and Slow Pisces by various cybersecurity firms including Mandiant, Microsoft, Proofpoint, and Unit42, TraderTraitor operates under the auspices of North Korea’s Reconnaissance General Bureau (RGB), particularly its 3rd Bureau of Foreign Intelligence.
Financially Motivated Operations
Since its activities were first publicly detailed in a 2022 joint advisory from the FBI, CISA, and U.S. Treasury, this cluster has been attributed to stealing billions in cryptocurrencies like Bitcoin and Ether through sophisticated blends of social engineering, malware deployment, and supply chain compromises.
The group’s primary objective is financial gain to circumvent international sanctions, funding state programs by targeting blockchain entities, exchanges, DeFi platforms, and high-net-worth individuals.
Beyond theft, TraderTraitor occasionally pursues espionage, seeking sensitive intellectual property in the crypto sector, though operations typically escalate rapidly from initial access to fraudulent transactions, leveraging nation-state tactics for cybercriminal ends.
TraderTraitor’s tradecraft has evolved significantly since 2020, beginning with trojanized cryptocurrency applications built on JavaScript, Node.js, and the Electron framework, often repurposed from open-source projects and distributed via spear-phishing campaigns (MITRE T1566.003).
These malicious apps, such as DAFOM, TokenAIS, and CryptAS, masquerade as legitimate trading or price prediction tools, complete with polished websites and fraudulently obtained code-signing certificates (T1553.002) to evade detection.
Tactical Evolution
Initial intrusions target DevOps engineers and system administrators through fake job lures on platforms like LinkedIn or Telegram, enticing victims to execute payloads (T1204.002) that establish command-and-control (C2) channels (T1105) for delivering secondary malware like MANUSCRYPT, a remote access trojan capable of system reconnaissance (T1082), arbitrary command execution (T1059), and credential harvesting to steal private keys.
By 2023, the group pivoted to open-source supply chain attacks (T1195.001), impersonating developers on GitHub to inject malicious npm or PyPI packages into collaborative projects, aiming to compromise downstream systems in blockchain firms.
This marked the first known instance of a nation-state actor exploiting public repositories for lateral movement and code tampering.
Notable incidents underscore TraderTraitor’s prowess, including the 2023 JumpCloud supply chain compromise (T1195.002), where spear-phishing enabled the push of malicious updates to cryptocurrency customers via the cloud identity provider’s infrastructure, bypassing defenses and affecting a limited number of victims as confirmed by Mandiant.
In 2024, the group orchestrated the $308 million DMM Bitcoin heist by luring a Ginco developer with a bogus coding challenge on GitHub, deploying RN Loader and RN Stealer malware (T1059.006) to harvest SSH keys and session cookies (T1552.004, T1550.004), ultimately diverting 4,502.9 BTC through an exploited communication channel.
The late-2024 ByBit hack, stealing over $1.5 billion in ETH, involved compromising a developer’s macOS workstation via a malicious Python app and Docker image (T1609), stealing AWS session tokens for reconnaissance (T1580), and injecting JavaScript into Safe{Wallet}’s Next.js frontend (T1578.005) to redirect transactions in real time.

FBI attributions in early 2025 linked these to TraderTraitor, highlighting their cloud focus, including credential exfiltration (T1552.004) and IAM role enumeration (T1087.004) to exploit SaaS integrations.
TraderTraitor’s emphasis on cloud environments, evident in attacks on providers like JumpCloud and Safe{Wallet}, exploits attack surfaces such as overly permissive identities and exposed secrets, enabling persistence and lateral movement.
Cybersecurity platforms like Wiz recommend controls for segmentation, minimum privilege enforcement, and anomaly detection in configurations, secrets, and dependencies to mitigate risks.
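The two cloud behaviours the article attributes to this cluster, reuse of stolen session tokens from an attacker-controlled host (T1552.004) and IAM role enumeration (T1087.004), are both visible in audit logs, so an anomaly-detection control of the kind recommended above can be built from them. The script below is an added example written for this page, not code from the article or from any vendor it names; it parses a handful of constructed CloudTrail-style records (the access key IDs, ARNs, account number and IP addresses are all made up) and flags (a) a credential that issues an unusually broad burst of IAM enumeration calls in a short window and (b) a credential used from an IP outside a known egress set or from more than one IP. The window, threshold and `KNOWN_EGRESS_IPS` values are assumptions to be tuned per environment.

```python
import json
from collections import defaultdict
from datetime import datetime

# Constructed sample events in a simplified CloudTrail record shape (not real logs).
# ASIAEXAMPLE1 is a CI role session first used from the known egress IP, then
# reused from an unknown IP to walk IAM; ASIAEXAMPLE2 is benign activity.
SAMPLE_LOG_LINES = [
    '{"eventTime":"2025-01-15T08:30:00Z","eventName":"PutObject","sourceIPAddress":"198.51.100.5","userIdentity":{"accessKeyId":"ASIAEXAMPLE1","arn":"arn:aws:sts::123456789012:assumed-role/dev-ci/build"}}',
    '{"eventTime":"2025-01-15T09:00:00Z","eventName":"GetCallerIdentity","sourceIPAddress":"203.0.113.10","userIdentity":{"accessKeyId":"ASIAEXAMPLE1","arn":"arn:aws:sts::123456789012:assumed-role/dev-ci/build"}}',
    '{"eventTime":"2025-01-15T09:01:10Z","eventName":"ListRoles","sourceIPAddress":"203.0.113.10","userIdentity":{"accessKeyId":"ASIAEXAMPLE1","arn":"arn:aws:sts::123456789012:assumed-role/dev-ci/build"}}',
    '{"eventTime":"2025-01-15T09:02:05Z","eventName":"GetRole","sourceIPAddress":"203.0.113.10","userIdentity":{"accessKeyId":"ASIAEXAMPLE1","arn":"arn:aws:sts::123456789012:assumed-role/dev-ci/build"}}',
    '{"eventTime":"2025-01-15T09:03:40Z","eventName":"ListAttachedRolePolicies","sourceIPAddress":"203.0.113.10","userIdentity":{"accessKeyId":"ASIAEXAMPLE1","arn":"arn:aws:sts::123456789012:assumed-role/dev-ci/build"}}',
    '{"eventTime":"2025-01-15T09:05:00Z","eventName":"ListUsers","sourceIPAddress":"203.0.113.10","userIdentity":{"accessKeyId":"ASIAEXAMPLE1","arn":"arn:aws:sts::123456789012:assumed-role/dev-ci/build"}}',
    '{"eventTime":"2025-01-15T09:10:00Z","eventName":"ListRoles","sourceIPAddress":"198.51.100.5","userIdentity":{"accessKeyId":"ASIAEXAMPLE2","arn":"arn:aws:sts::123456789012:assumed-role/platform-admin/alice"}}',
    '{"eventTime":"2025-01-15T09:12:00Z","eventName":"PutObject","sourceIPAddress":"198.51.100.5","userIdentity":{"accessKeyId":"ASIAEXAMPLE2","arn":"arn:aws:sts::123456789012:assumed-role/platform-admin/alice"}}',
]

# Read-only IAM/STS calls typical of identity reconnaissance (T1087.004). Assumed list; extend per environment.
ENUMERATION_APIS = frozenset({
    "GetCallerIdentity", "ListRoles", "GetRole", "ListAttachedRolePolicies",
    "ListRolePolicies", "ListUsers", "ListAccessKeys", "GetAccountAuthorizationDetails",
})

# Assumed: the only egress addresses from which this account's CI and admins should appear.
KNOWN_EGRESS_IPS = frozenset({"198.51.100.5"})


def parse_events(lines):
    """Parse newline-delimited JSON records, skipping blank lines."""
    return [json.loads(line) for line in lines if line.strip()]


def _ts(event):
    return datetime.strptime(event["eventTime"], "%Y-%m-%dT%H:%M:%SZ")


def detect_iam_enumeration(events, window_minutes=10, threshold=4):
    """Flag a credential that issues >= threshold distinct enumeration APIs within window_minutes.

    Counting distinct API names rather than raw call volume keeps a noisy but
    legitimate poller (same call repeated) from tripping the rule.
    """
    by_key = defaultdict(list)
    for event in events:
        if event["eventName"] in ENUMERATION_APIS:
            by_key[event["userIdentity"]["accessKeyId"]].append(event)

    findings = []
    for key, evs in by_key.items():
        evs.sort(key=_ts)
        for i, start in enumerate(evs):
            window = [e for e in evs[i:] if (_ts(e) - _ts(start)).total_seconds() <= window_minutes * 60]
            apis = {e["eventName"] for e in window}
            if len(apis) >= threshold:
                findings.append({
                    "accessKeyId": key,
                    "arn": start["userIdentity"]["arn"],
                    "apis": sorted(apis),
                    "sourceIPs": sorted({e["sourceIPAddress"] for e in window}),
                    "windowStart": start["eventTime"],
                })
                break  # one finding per credential is enough for triage
    return findings


def detect_key_used_from_new_ip(events, known_ips=KNOWN_EGRESS_IPS):
    """Flag a credential seen from an IP outside known_ips; note if it was also seen from more than one IP.

    A session token that appears from a second, unknown address mid-lifetime is the
    log signature of token theft and reuse elsewhere.
    """
    ips_by_key = defaultdict(set)
    for event in events:
        ips_by_key[event["userIdentity"]["accessKeyId"]].add(event["sourceIPAddress"])

    findings = []
    for key, ips in sorted(ips_by_key.items()):
        unknown = sorted(ips - known_ips)
        if unknown:
            findings.append({"accessKeyId": key, "unknownIPs": unknown, "multipleIPs": len(ips) > 1})
    return findings


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG_LINES)
    for finding in detect_iam_enumeration(evs) + detect_key_used_from_new_ip(evs):
        print(json.dumps(finding))
```

On the constructed sample, only `ASIAEXAMPLE1` is reported by both rules: five distinct enumeration calls inside five minutes, all from `203.0.113.10`, a credential that was minted from the known egress address earlier the same morning. The admin session that lists roles once is left alone. In production the event source would be a CloudTrail Lake query or a SIEM search rather than a literal list, and the two findings would be correlated on the access key ID so that "enumeration from an unexpected IP on a reused session" is raised as a single high-severity alert rather than two medium ones.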
As of July 2025, with ongoing campaigns blending traditional phishing with advanced supply chain tactics, TraderTraitor remains a critical threat to global cloud customers and the cryptocurrency ecosystem, responsible for some of history’s largest digital thefts.