TraderTraitor: The Kings of the Crypto Heist

WIRED, 14-04-2025

Apr 14, 2025 6:00 AM

Allegedly responsible for the theft of $1.5 billion in cryptocurrency from a single exchange, North Korea's TraderTraitor is one of the most sophisticated cybercrime groups in the world.

ANIMATION: JAMES MARSHALL
On February 21, the largest crypto heist ever started to unfold. Hackers gained control of a crypto wallet belonging to the world's second-largest cryptocurrency exchange, Bybit, and stole almost $1.5 billion of digital tokens. They quickly shunted the money between dozens of cryptocurrency wallets and services to try and obscure the activity, before starting to cash the stolen funds out.
The eye-popping digital raid had all the hallmarks of being conducted by one of North Korea's elite subgroups of hackers. While Bybit remained solvent by borrowing cryptocurrency and launched a bounty scheme to track down the stolen funds, the FBI quickly pinned the blame on the North Korean hackers known as TraderTraitor.
Before the Bybit heist, TraderTraitor had already been linked to other high-profile cryptocurrency thefts and compromises of supply chain software.
'We were waiting for the next big thing,' says Michael Barnhart, a longtime cybersecurity researcher focused on North Korea and investigator at security firm DTEX Systems. 'They didn't go away. They didn't try to stop. They were clearly plotting and planning—and they're doing that now,' he says.
North Korea's hackers—alongside those from China, Russia, and Iran—are consistently considered to be one of the most sophisticated and most dangerous cyber threats to Western democracies. While all of these countries engage in espionage and theft of sensitive data, North Korea's cyber operations come with their own set of distinct goals: helping to fund the hermit kingdom's nuclear programs. Increasingly, that means stealing cryptocurrency.
Over at least the past five years, the totalitarian regime of Kim Jong-un has deployed technically skilled IT workers to infiltrate companies around the world and earn wages that can be sent back to the motherland. In some cases, after being fired, those workers extort their former employers by threatening to release sensitive data. At the same time, North Korean hackers, as part of the broad umbrella Lazarus Group, have stolen billions in cryptocurrency from exchanges and companies around the world. TraderTraitor makes up one part of the wider Lazarus group, which is run out of the Reconnaissance General Bureau, the North Korean intelligence agency.
TraderTraitor—which is also referred to as Jade Sleet, Slow Pisces, and UNC4899 by security companies—is primarily interested in cryptocurrency.
'They use a variety of creative techniques to get into blockchain, cryptocurrency, anything that has to do with platforms, trading forums, all of those different things that are around cryptocurrency and decentralized finance,' says Sherrod DeGrippo, the director of threat intelligence strategy at Microsoft. 'The Jade Sleet group [TraderTraitor] is one of the most sophisticated groups within that echelon,' she says.
TraderTraitor first emerged around the start of 2022, multiple cybersecurity researchers say, and is likely an offshoot of the North Korean APT38 group that hacked the SWIFT financial system and attempted to steal $1 billion from the Central Bank of Bangladesh at the start of 2016. 'They walked off with very little money,' says DTEX Systems's Barnhart. 'In that moment you had a real, significant shift.'
Barnhart says North Korea realized that relying on other people—such as money mules—could make their operations less effective. Instead, they could steal cryptocurrency. Two groups emerged from that tactical shift, Barnhart says, CryptoCore and TraderTraitor. 'TraderTraitor is the most sophisticated of all,' he says. 'And why? Because APT38 was the A team.'
Since then, TraderTraitor has been linked to multiple large-scale cryptocurrency thefts in recent years. For instance, the March 2024 theft of $308 million from Japan-based cryptocurrency company DMM has been linked to TraderTraitor by the FBI, Department of Defense, and police in Japan.
TraderTraitor typically targets people working at Web3 firms using spear-phishing messages—most often, people working on software development. 'They know the individuals that work at these companies, they track them, they have profiles on them, they know which trading platforms are doing the most volume. They're focused on that entire industry, understanding it backwards and forwards,' says Microsoft's DeGrippo.
GitHub, which is owned by Microsoft, highlighted in July 2023 how TraderTraitor created fake accounts on the coding platform, plus LinkedIn, Slack, and Telegram. The TraderTraitor criminals can create fake personas that they use to message their targets or use real accounts that have been hacked, GitHub's research says. In that instance, TraderTraitor invited developers to collaborate on GitHub, before ultimately infecting them with malware using malicious code. Recently, security researchers at Palo Alto Networks' Unit 42 threat intelligence team found 50 North Korean recruiter profiles on LinkedIn and linked them back to TraderTraitor.
The group has been seen using 'custom backdoors,' such as PLOTTWIST and TIEDYE, that target macOS, says Adrian Hernandez, a senior threat analyst at Google's Threat Intelligence Group. 'These are typically heavily obfuscated to prevent detection and thwart analysis,' Hernandez says. 'Once UNC4899 [TraderTraitor] has gained access to valid credentials, we've observed this threat actor moving laterally and accessing other accounts to access hosts and systems, keeping a low profile and aiming to evade detection.'
Once the North Korean hackers have their hands on cryptocurrency or digital wallets, the money laundering often follows a similar pattern, as cryptocurrency tracing firm Elliptic outlined in a blog post breaking down the Bybit hack. To avoid having cryptocurrency wallets frozen, they quickly swap stolen tokens—which are often issued by centralized entities and can have restrictions placed upon them—for more mainstream cryptocurrency assets like ether and bitcoin that are harder to limit.
'The second step of the laundering process is to 'layer' the stolen funds in order to attempt to conceal the transaction trail,' Elliptic writes. This means splitting the funds into smaller amounts and sending them to multiple wallets. With Bybit, Elliptic writes, money was sent to 50 different wallets that were then emptied in the coming days. This cryptocurrency is then moved through various cryptocurrency exchanges, converted into bitcoin, and passed through crypto mixers that aim to obscure crypto transactions.
'North Korea is the most sophisticated and well-resourced launderer of crypto assets in existence, continually adapting its techniques to evade identification and seizure of stolen assets,' Elliptic says in its blog post.
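The "layering" step Elliptic describes has a recognizable shape on-chain: one address fans out to many fresh wallets in a short window, and those wallets are then emptied over the following days. The script below is an added example, not code from the article, from Elliptic, or from any tracing vendor; it runs the two checks over a small constructed ledger (placeholder addresses, invented amounts) of the kind a compliance or tracing team would pull from a node or explorer. The thresholds (20 recipients per hour, 90% of inbound value forwarded within three days) are assumptions chosen for the sample data, not figures from the article.

```python
"""Detect the fan-out-then-drain layering pattern over a transfer ledger.

Added example. The ledger below is constructed for illustration; the
addresses, amounts and thresholds are placeholders, not real chain data.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample ledger: (timestamp, sender, recipient, asset, amount).
T0 = datetime(2025, 2, 21, 14, 0)
LEDGER = []
# 50 transfers from a compromised wallet to 50 fresh hop wallets in 30 min.
for i in range(50):
    LEDGER.append((T0 + timedelta(seconds=36 * i), "0xcompromised",
                   f"0xhop{i:02d}", "ETH", 2_000.0))
# 45 of those hop wallets are emptied towards exchange deposit addresses
# over the next two days.
for i in range(45):
    LEDGER.append((T0 + timedelta(hours=6 + i), f"0xhop{i:02d}",
                   f"0xexchange{i % 5}", "ETH", 2_000.0))
# Benign background: a retail wallet paying three counterparties.
for i in range(3):
    LEDGER.append((T0 + timedelta(minutes=10 * i), "0xretail",
                   f"0xshop{i}", "ETH", 0.5))


def fan_out_window(ledger, sender, window=timedelta(hours=1), min_recipients=20):
    """Slide a time window over the sender's outgoing transfers and return
    the largest set of distinct recipients reached inside any window that
    meets the threshold (empty set if none does)."""
    outs = sorted((ts, to) for ts, frm, to, _, _ in ledger if frm == sender)
    best = set()
    for i, (start, _) in enumerate(outs):
        seen = {to for ts, to in outs[i:] if ts - start <= window}
        if len(seen) >= min_recipients and len(seen) > len(best):
            best = seen
    return best


def drain_ratio(ledger, wallets, within=timedelta(days=3)):
    """Fraction of `wallets` that forwarded at least 90% of the value they
    received within `within` of their first inbound transfer."""
    received = defaultdict(float)
    sent = defaultdict(float)
    first_in = {}
    for ts, frm, to, _, amt in sorted(ledger):
        if to in wallets:
            received[to] += amt
            first_in.setdefault(to, ts)
        if frm in wallets and frm in first_in and ts - first_in[frm] <= within:
            sent[frm] += amt
    drained = [w for w in wallets if received[w] and sent[w] >= 0.9 * received[w]]
    return len(drained) / len(wallets) if wallets else 0.0


def layering_alerts(ledger, sender):
    """Combine both signals into one verdict with the supporting numbers."""
    hops = fan_out_window(ledger, sender)
    if not hops:
        return {"sender": sender, "layering": False, "hops": 0, "drain_ratio": 0.0}
    ratio = drain_ratio(ledger, hops)
    # A fan-out alone is weak evidence; a fan-out whose recipients are then
    # promptly emptied matches the layering pattern described above.
    return {"sender": sender, "layering": ratio >= 0.5,
            "hops": len(hops), "drain_ratio": ratio}


if __name__ == "__main__":
    for addr in ("0xcompromised", "0xretail"):
        print(layering_alerts(LEDGER, addr))
```

On the constructed ledger the compromised wallet trips both checks (50 hop wallets, 90% of them drained), while the retail wallet trips neither. In practice the fan-out threshold would be tuned against the normal payout behaviour of the exchange's own hot wallets, which also send to many addresses but whose recipients are not systematically emptied afterwards.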
In addition to cryptocurrency heists, TraderTraitor has been linked to hacks at software supply chain companies, most prominently JumpCloud in June 2023. Compromising software used by multiple companies may provide the hackers a stealthier way into their intended targets. 'That could impact any tech industry, any organization that uses that software,' says Andy Piazza, senior director for threat research at Unit 42.
As TraderTraitor has increasingly garnered attention over the past couple of years, Piazza says he has seen the group improve their operations and attempt to evade detection. For example, Unit 42's recent research noted that TraderTraitor had been using malware the researchers called RN Loader that installs an information stealer and then deletes itself, making it harder to detect.
'You can definitely tell that they're stepping up,' Piazza says.
Piazza says that unlike the haphazard Russian hacking groups—two of which were inside the DNC's networks at the same time around 2016—the North Korean groups appear to be more organized. 'It seems more coordinated that they're not bumping into each other out in the battle space,' Piazza says. 'They're really showing that they have the capability to be focused on that OPSEC, to be focused on that persistence capability.'
North Korea's hacking operations may be even more complex than many realize. According to Piazza and other experts WIRED spoke to, the crypto hackers and the undercover IT workers may even coordinate. Their tactics show some 'overlap,' Piazza says.
'If you right now went out onto some type of freelance website and said that you are a brand-new crypto startup and you're looking for developers before the day is out, you would have North Koreans in your inbox,' Barnhart, the DTEX Systems researcher, says. He says some North Korean hackers can bounce between the country's different groups, and there's the possibility that they could also work with or alongside its IT workers. There may be more overlap than people thought, Barnhart says.
'Whenever we attribute this [hacking] back to TraderTraitor, was nobody else involved? Did somebody else have a hand in there?'