Monday, December 8, 2025

Cloud Platforms Under Siege – Lazarus Group ‘TraderTraitor’ Targets and Corrupts Supply Chains

North Korean state-sponsored threat actors operating under the TraderTraitor moniker have escalated their cryptocurrency theft operations, successfully stealing over $1.8 billion through sophisticated supply chain compromises and cloud platform infiltrations in 2024-2025.

The group, identified as a subgroup of the notorious Lazarus Group, has evolved from simple trojanized applications to complex multi-stage attacks targeting cloud infrastructure and software development pipelines.

Supply Chain Poisoning Reaches Critical Mass

TraderTraitor has pioneered nation-state attacks against open-source software repositories, marking a dangerous escalation in supply chain warfare.

In 2023, the group began impersonating software developers on GitHub, engaging cryptocurrency and fintech engineers in collaborative projects containing malicious JavaScript packages sourced from npm dependencies.

This campaign, first identified by GitHub and security researchers, demonstrated the group’s ability to weaponize trusted development platforms against blockchain organizations.

The technique proved devastatingly effective in the $1.5 billion Bybit exchange heist, where attackers compromised a developer’s macOS workstation through a malicious Python application distributed via social engineering on Telegram and Discord.

The malware included a weaponized Docker image that contacted command-and-control infrastructure at getstockprice[.]com, eventually allowing attackers to steal AWS session tokens and inject malicious JavaScript into Safe{Wallet}’s Next.js frontend to redirect cryptocurrency transactions in real time.

Cloud Infrastructure Becomes Primary Attack Vector

The group’s cloud-centric approach reached new sophistication levels with the July 2023 JumpCloud compromise, where TraderTraitor infiltrated the cloud identity management provider through spear-phishing campaigns.

By exploiting JumpCloud’s privileged access, attackers pushed malicious updates to cryptocurrency industry customers, demonstrating their ability to leverage trusted cloud service providers as supply chain pivots.

Analysis of the JumpCloud compromise.

TraderTraitor’s malware arsenal has evolved to specifically target cloud credentials, with tools like RN Stealer harvesting SSH keys, saved credentials, and cloud configurations from compromised developer machines.

The group’s reconnaissance capabilities include comprehensive enumeration of IAM roles, S3 buckets, and cloud assets, often attempting to register virtual MFA devices to maintain persistent access to compromised cloud environments.
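The enumeration-then-MFA-registration pattern described above is visible in CloudTrail, and the continuous monitoring of cloud configurations recommended at the end of this article can key on it. The following is an added example, not code from the article or from any vendor report: it scans constructed CloudTrail-style records for a principal that enumerates IAM roles, users and S3 buckets and then registers a virtual MFA device or access key. The event names are real AWS API names; the threshold, ARNs, IPs and sample records are assumptions.

```python
import json
from collections import defaultdict

# Constructed CloudTrail-style records (not from the article). Field names follow
# the real CloudTrail schema; the account id and IPs are documentation values.
SAMPLE_LOG = """
{"eventTime":"2025-01-10T09:00:01Z","eventName":"GetCallerIdentity","userIdentity":{"arn":"arn:aws:sts::123456789012:assumed-role/DevRole/alice"},"sourceIPAddress":"203.0.113.7"}
{"eventTime":"2025-01-10T09:00:05Z","eventName":"ListRoles","userIdentity":{"arn":"arn:aws:sts::123456789012:assumed-role/DevRole/alice"},"sourceIPAddress":"203.0.113.7"}
{"eventTime":"2025-01-10T09:00:09Z","eventName":"ListBuckets","userIdentity":{"arn":"arn:aws:sts::123456789012:assumed-role/DevRole/alice"},"sourceIPAddress":"203.0.113.7"}
{"eventTime":"2025-01-10T09:00:12Z","eventName":"ListUsers","userIdentity":{"arn":"arn:aws:sts::123456789012:assumed-role/DevRole/alice"},"sourceIPAddress":"203.0.113.7"}
{"eventTime":"2025-01-10T09:01:30Z","eventName":"CreateVirtualMFADevice","userIdentity":{"arn":"arn:aws:sts::123456789012:assumed-role/DevRole/alice"},"sourceIPAddress":"203.0.113.7"}
{"eventTime":"2025-01-10T10:15:00Z","eventName":"ListBuckets","userIdentity":{"arn":"arn:aws:iam::123456789012:user/bob"},"sourceIPAddress":"198.51.100.4"}
{"eventTime":"2025-01-10T10:16:00Z","eventName":"CreateAccessKey","userIdentity":{"arn":"arn:aws:iam::123456789012:user/bob"},"sourceIPAddress":"198.51.100.4"}
"""

# Read-only calls typical of account reconnaissance (CloudTrail eventName values).
RECON_CALLS = {"GetCallerIdentity", "ListRoles", "ListUsers", "ListBuckets",
               "ListAttachedRolePolicies", "DescribeInstances"}
# Calls that turn a stolen session into durable access.
PERSISTENCE_CALLS = {"CreateVirtualMFADevice", "EnableMFADevice", "CreateAccessKey"}
RECON_THRESHOLD = 4  # assumed tuning value: distinct recon calls seen before alerting

def load_records(text):
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]

def _principal(record):
    ident = record.get("userIdentity", {})
    return ident.get("arn") or ident.get("accessKeyId") or "unknown"

def find_recon_then_persistence(records):
    """Flag principals that enumerate the account and then register an MFA
    device or access key; records are processed in eventTime order."""
    recon_seen = defaultdict(set)
    findings = []
    for rec in sorted(records, key=lambda r: r["eventTime"]):
        who, name = _principal(rec), rec.get("eventName")
        if name in RECON_CALLS:
            recon_seen[who].add(name)
        elif name in PERSISTENCE_CALLS and len(recon_seen[who]) >= RECON_THRESHOLD:
            findings.append({"principal": who, "action": name, "time": rec["eventTime"],
                             "source_ip": rec.get("sourceIPAddress"),
                             "recon_calls": sorted(recon_seen[who])})
    return findings

if __name__ == "__main__":
    for f in find_recon_then_persistence(load_records(SAMPLE_LOG)):
        print(f"{f['time']} {f['principal']} {f['action']} after {f['recon_calls']}")
```

The second principal registers an access key without prior enumeration and is deliberately not flagged, so the rule alerts on the sequence rather than on any single MFA or key event.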

Continuing Threat to Global Infrastructure

The FBI has formally attributed multiple major cryptocurrency thefts to TraderTraitor, including the $308 million DMM Bitcoin heist in May 2024, where attackers used stolen session cookies to access internal systems through an unencrypted communication channel.

The group’s tradecraft combines traditional social engineering with advanced persistent threat techniques, utilizing cross-platform JavaScript applications built on Node.js and Electron frameworks to deliver second-stage payloads encrypted with AES-256.

As TraderTraitor continues targeting cloud-connected development pipelines and software supply chains, organizations must implement comprehensive security measures, including network segmentation, developer permission restrictions, and continuous monitoring of cloud configurations and secrets to defend against this evolving threat landscape.
