
Latest news with #TraderTraitor

G7 to Confront North Korea's Crypto-Funded Cybercrime Surge

Arabian Post | Business | 08-05-2025

Leaders of the Group of Seven nations are set to address the escalating threat of North Korea's cryptocurrency-fueled cybercrime at their upcoming summit in Alberta, Canada. The agenda reflects growing international concern over Pyongyang's use of digital asset theft to circumvent sanctions and finance its weapons programmes.

North Korea has emerged as a dominant force in global cybercrime, with its state-sponsored hacking groups, notably the Lazarus Group and TraderTraitor, orchestrating sophisticated attacks on cryptocurrency platforms. In 2024 alone, these groups were responsible for stealing over $1.3 billion in digital assets, accounting for approximately 61% of the total crypto thefts that year. Such activities have significantly bolstered North Korea's foreign currency reserves, with cyberattacks reportedly generating up to 50% of the country's foreign exchange earnings.

One of the most significant incidents attributed to North Korean hackers was the $1.5 billion theft from the Dubai-based cryptocurrency exchange Bybit in early 2025. The attackers employed malware-laden trading applications to infiltrate the platform, subsequently laundering the stolen funds through a complex network of blockchain transactions. This breach not only marked the largest crypto heist to date but also underscored the regime's advanced cyber capabilities.

Beyond large-scale exchange hacks, North Korean cybercriminals have diversified their tactics to include social engineering schemes. The 'pig butchering' scam, for instance, involves operatives establishing fake online relationships to manipulate victims into investing in fraudulent cryptocurrency ventures. Such schemes have defrauded individuals, particularly retirees, of billions of dollars, further fueling Pyongyang's illicit revenue streams.

The international community has responded with a series of sanctions and regulatory measures aimed at curbing North Korea's cyber activities. In May 2025, the U.S. Treasury's Financial Crimes Enforcement Network proposed banning Cambodia-based financial firm Huione Group from accessing the U.S. financial system. Huione is accused of laundering at least $4 billion in illicit funds, including $73 million in cryptocurrency linked to North Korean cyber heists. Similarly, South Korea imposed sanctions on 15 North Korean individuals involved in cyber theft and crypto heists, targeting their overseas operations that funnel funds back to Pyongyang's weapons development programmes.

Despite these efforts, North Korea continues to refine its cyber strategies. The regime has reportedly infiltrated foreign companies by deploying operatives posing as freelance IT workers, thereby gaining access to sensitive systems and facilitating further cyberattacks. Such tactics not only enhance the regime's ability to steal digital assets but also pose significant risks to global cybersecurity.

Arabian Post – Crypto News Network

TraderTraitor: The Kings of the Crypto Heist

WIRED | Business | 14-04-2025

Apr 14, 2025 6:00 AM

Allegedly responsible for the theft of $1.5 billion in cryptocurrency from a single exchange, North Korea's TraderTraitor is one of the most sophisticated cybercrime groups in the world.

On February 21, the largest crypto heist ever started to unfold. Hackers gained control of a crypto wallet belonging to the world's second-largest cryptocurrency exchange, Bybit, and stole almost $1.5 billion of digital tokens. They quickly shunted the money between dozens of cryptocurrency wallets and services to try and obscure the activity, before starting to cash the stolen funds out. The eye-popping digital raid had all the hallmarks of being conducted by one of North Korea's elite subgroups of hackers. While Bybit remained solvent by borrowing cryptocurrency and launched a bounty scheme to track down the stolen funds, the FBI quickly pinned the blame on the North Korean hackers known as TraderTraitor.

Before the Bybit heist, TraderTraitor had already been linked to other high-profile cryptocurrency thefts and compromises of supply chain software. 'We were waiting for the next big thing,' says Michael Barnhart, a longtime cybersecurity researcher focused on North Korea and investigator at security firm DTEX Systems. 'They didn't go away. They didn't try to stop. They were clearly plotting and planning—and they're doing that now,' he says.

North Korea's hackers—alongside those from China, Russia, and Iran—are consistently considered to be one of the most sophisticated and most dangerous cyber threats to Western democracies. While all of these countries engage in espionage and theft of sensitive data, North Korea's cyber operations come with their own set of distinct goals: helping to fund the hermit kingdom's nuclear programs. Increasingly, that means stealing cryptocurrency.
Over at least the past five years, the totalitarian regime of Kim Jong-un has deployed technically skilled IT workers to infiltrate companies around the world and earn wages that can be sent back to the motherland. In some cases, after being fired, those workers extort their former employers by threatening to release sensitive data. At the same time, North Korean hackers, as part of the broad umbrella Lazarus Group, have stolen billions in cryptocurrency from exchanges and companies around the world. TraderTraitor makes up one part of the wider Lazarus group, which is run out of the Reconnaissance General Bureau, the North Korean intelligence agency. TraderTraitor—which is also referred to as Jade Sleet, Slow Pisces, and UNC4899 by security companies—is primarily interested in cryptocurrency. 'They use a variety of creative techniques to get into blockchain, cryptocurrency, anything that has to do with platforms, trading forums, all of those different things that are around cryptocurrency and decentralized finance,' says Sherrod DeGrippo, the director of threat intelligence strategy at Microsoft. 'The Jade Sleet group [TraderTraitor] is one of the most sophisticated groups within that echelon,' she says. TraderTraitor first emerged around the start of 2022, multiple cybersecurity researchers say, and is likely an offshoot of the North Korean APT38 group that hacked the SWIFT financial system and attempted to steal $1 billion from the Central Bank of Bangladesh at the start of 2016. 'They walked off with very little money,' says DTEX Systems's Barnhart. 'In that moment you had a real, significant shift.' Barnhart says North Korea realized that relying on other people—such as money mules—could make their operations less effective. Instead, they could steal cryptocurrency. Two groups emerged from that tactical shift, Barnhart says, CryptoCore and TraderTraitor. 'TraderTraitor is the most sophisticated of all,' he says. 'And why? Because APT38 was the A team.' 
Since then, TraderTraitor has been linked to multiple large-scale cryptocurrency thefts in recent years. For instance, the March 2024 theft of $308 million from Japan-based cryptocurrency company DMM has been linked to TraderTraitor by the FBI, Department of Defense, and police in Japan. TraderTraitor typically targets people working at Web3 firms using spear-phishing messages—most often, people working on software development. 'They know the individuals that work at these companies, they track them, they have profiles on them, they know which trading platforms are doing the most volume. They're focused on that entire industry, understanding it backwards and forwards,' says Microsoft's DeGrippo. GitHub, which is owned by Microsoft, highlighted in July 2023 how TraderTraitor created fake accounts on the coding platform, plus LinkedIn, Slack, and Telegram. The TraderTraitor criminals can create fake personas that they use to message their targets or use real accounts that have been hacked, GitHub's research says. In that instance, TraderTraitor invited developers to collaborate on GitHub, before ultimately infecting them with malware using malicious code. Recently, security researchers at Palo Alto Networks' Unit 42 threat intelligence team found 50 North Korean recruiter profiles on LinkedIn and linked them back to TraderTraitor. The group has been seen using 'custom backdoors,' such as PLOTTWIST and TIEDYE, that target macOS, says Adrian Hernandez, a senior threat analyst at Google's Threat Intelligence Group. 'These are typically heavily obfuscated to prevent detection and thwart analysis,' Hernandez says. 'Once UNC4899 [TraderTraitor] has gained access to valid credentials, we've observed this threat actor moving laterally and accessing other accounts to access hosts and systems, keeping a low profile and aiming to evade detection.' 
Once the North Korean hackers have their hands on cryptocurrency or digital wallets, the money laundering often follows a similar pattern, as cryptocurrency tracing firm Elliptic outlined in a blog post breaking down the Bybit hack. To avoid having cryptocurrency wallets frozen, they quickly swap stolen tokens—which are often issued by centralized entities and can have restrictions placed upon them—for more mainstream cryptocurrency assets like ether and bitcoin that are harder to limit. 'The second step of the laundering process is to 'layer' the stolen funds in order to attempt to conceal the transaction trail,' Elliptic writes. This means splitting the funds into smaller amounts and sending them to multiple wallets. With Bybit, Elliptic writes, money was sent to 50 different wallets that were then emptied in the coming days. This cryptocurrency is then moved through various cryptocurrency exchanges, converted into bitcoin, and passed through crypto mixers that aim to obscure crypto transactions. 'North Korea is the most sophisticated and well-resourced launderer of crypto assets in existence, continually adapting its techniques to evade identification and seizure of stolen assets,' Elliptic says in its blog post. In addition to cryptocurrency heists, TraderTraitor has been linked to hacks at software supply chain companies, most prominently JumpCloud in June 2023. Compromising software used by multiple companies may provide the hackers a stealthier way into their intended targets. 'That could impact any tech industry, any organization that uses that software,' says Andy Piazza, senior director for threat research at Unit 42. As TraderTraitor has increasingly garnered attention over the past couple of years, Piazza says he has seen the group improve their operations and attempt to evade detection. 
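The 'layering' step Elliptic describes above (one address splitting the stolen balance into near-equal amounts across many freshly created wallets within hours) is a pattern a compliance or incident-response team can screen for in transfer data. The following Python is an added example written for this page; it is not code from Elliptic, WIRED or any firm quoted in the article. The transfer records, addresses and thresholds (ten or more fresh recipients, a six-hour window, amounts within 10% of the batch median) are constructed assumptions, not values from the Bybit investigation.

```python
"""Flag the fan-out 'layering' pattern in a list of on-chain transfers.

Added illustration for this page; the data below is constructed, not real
chain data, and the thresholds are assumptions a real deployment would tune.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median

# Constructed transfers: (timestamp, sender, recipient, amount in ETH).
T0 = datetime(2025, 2, 21, 14, 0)
SAMPLE_TRANSFERS = (
    # A hub address splits ~120k ETH into twelve ~10k chunks to never-seen
    # wallets inside two hours (the suspicious pattern).
    [(T0 + timedelta(minutes=9 * i), "0xhub", f"0xfresh{i:02d}",
      10_000 + (i % 3) * 50) for i in range(12)]
    # A benign hot wallet paying irregular amounts to four recurring
    # customer addresses over several days (should not be flagged).
    + [(T0 - timedelta(days=3) + timedelta(hours=7 * i), "0xexch",
        f"0xcust{i % 4}", 120 + 37 * i) for i in range(12)]
)


def find_fanout_layering(transfers, min_recipients=10,
                         window=timedelta(hours=6), tolerance=0.10):
    """Return {sender: [recipients]} for each sender whose outgoing transfers,
    inside some `window`, reach at least `min_recipients` distinct wallets with
    no earlier activity, with every amount within `tolerance` of the batch median.
    """
    transfers = sorted(transfers)

    # First time each address appears anywhere, as sender or recipient.
    first_seen = {}
    for ts, src, dst, _ in transfers:
        first_seen.setdefault(src, ts)
        first_seen.setdefault(dst, ts)

    by_sender = defaultdict(list)
    for ts, src, dst, amt in transfers:
        by_sender[src].append((ts, dst, amt))

    flagged = {}
    for src, outs in by_sender.items():
        # Slide the window start over each outgoing transfer of this sender.
        for i, (start, _, _) in enumerate(outs):
            batch = [o for o in outs[i:] if o[0] - start <= window]
            # "Fresh" recipients: their first appearance is inside this window.
            fresh = {dst for ts, dst, _ in batch if first_seen[dst] >= start}
            if len(fresh) < min_recipients:
                continue
            med = median(amt for _, _, amt in batch)
            if all(abs(amt - med) <= tolerance * med for _, _, amt in batch):
                flagged[src] = sorted(fresh)
                break  # one hit per sender is enough for an alert
    return flagged


if __name__ == "__main__":
    for sender, wallets in find_fanout_layering(SAMPLE_TRANSFERS).items():
        print(f"{sender}: fan-out to {len(wallets)} fresh wallets: {wallets}")
```

The recipient-freshness check matters as much as the amount check: a payroll or exchange hot wallet also sends many similar amounts, but to addresses with a history. Real deployments would pull the freshness signal from full address history rather than from the same batch of records being scanned.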
For example, Unit 42's recent research noted that TraderTraitor had been using malware the researchers called RN Loader that installs an information stealer and then deletes itself, making it harder to detect. 'You can definitely tell that they're stepping up,' Piazza says. Piazza says that unlike haphazard Russian hacking groups—which were both in the networks of the DNC simultaneously around 2016—there appears to be more organization with the North Korean groups. 'It seems more coordinated that they're not bumping into each other out in the battle space,' Piazza says. 'They're really showing that they have the capability to be focused on that OPSEC, to be focused on that persistence capability.' North Korea's hacking operations may be even more complex than many realize. According to Piazza and other experts WIRED spoke to, the crypto hackers and the undercover IT workers may even coordinate. Their tactics show some 'overlap,' Piazza says. 'If you right now went out onto some type of freelance website and said that you are a brand-new crypto startup and you're looking for developers before the day is out, you would have North Koreans in your inbox,' Barnhart, the DTEX Systems researcher, says. He says some North Korean hackers can bounce between the country's different groups, and there's the possibility that they could also work with or alongside its IT workers. There may be more overlap than people thought, Barnhart says. 'Whenever we attribute this [hacking] back to TraderTraitor, was nobody else involved? Did somebody else have a hand in there?'

How North Korea cracked Bybit's crypto safe to steal $1.5 billion in a record heist

Yahoo | Business | 04-03-2025

In late February, hackers breached the Dubai-based Bybit, one of the world's largest cryptocurrency exchanges, and stole about $1.5 billion of Ethereum. It was the largest hack in crypto's Bitcoin. Specifically, the firm builds open-source software that companies like Bybit use to create online wallets to store their crypto. The wallets are akin to bank vaults that need multiple keys to be unlocked. Bybit used Safe to safeguard at least $1.5 billion of Ethereum, the world's second largest cryptocurrency by market capitalization. Any time an employee from Bybit wanted to move the exchange's Ethereum to another location, he or she signed into Safe's website. Because Safe's software is open-source, the company and Bybit had no formal business relationship, Stefan George, one of the original developers behind Safe's technology, told Fortune. Even as Bybit was placing stores of Ethereum in Safe's digital vault, North Korea's group of elite hackers lay in wait, watching their moves. 'They prepared it over a very long period of time, like definitely more than a month … probably many months,' George said. Then they pounced. The Safe team has about 30 engineers, and a handful of them are 'sys admins,' or system administrators. Sys admins are senior developers who are able to update Safe's live website and code. North Korean hackers targeted one admin in what was likely a phishing attack, George said, probably by tricking them into downloading an application or divulging personal info. The FBI has called the tactic North Korean hackers use 'TraderTraitor.' George wouldn't disclose any more details about how a Safe employee was tricked, citing an ongoing investigation. After hackers duped the Safe system admin, they used their access to the person's controls to download malware to the developer's machine, which gave North Korea control over the admin's computer, George said. 
From there, hackers updated Safe's website with a snippet of code designed exclusively for Bybit, like a virus that activates when in contact with the right host. In late February, the dormant code detected that a Bybit employee had opened its Safe account and was about to authorize a transaction. At the last moment, hackers swapped in a new command to drain Bybit's crypto holdings. The employee unknowingly authorized the command, and North Korea was suddenly flush with $1.5 billion in crypto. Two minutes after the heist, Safe's website was updated to hide the hackers' tracks and erase the code snippet, according to a security investigation Bybit commissioned. The investigation into how North Korea compromised a Safe developer's computer is still ongoing, George told Fortune. Goldberg, the CEO of Chaos Labs, told Fortune that the hack of Bybit is indicative of a broader problem in software. The vast majority of programmers use code from other programmers, who reference apps built by yet another batch of developers. 'We're building on houses of cards, and you know what you build,' he said. 'You don't know what's going on underneath.' This story was originally featured on

The $1.5 billion Bybit hack was pulled off by North Korean agents, FBI and the crypto exchange say

Yahoo | Business | 27-02-2025

One of the largest publicly-known thefts of cryptocurrency was conducted by North Korean hackers, according to the FBI, who stole $1.5 billion worth of Ethereum from a popular crypto exchange. The funds were stolen from Dubai-based ByBit on Feb. 21 by a group called TraderTraitor, which has been active since at least 2020, according to the Cybersecurity and Infrastructure Security Agency. The group uses tactics similar to North Korea's Lazarus Group, which ByBit has said is behind the hack.

'TraderTraitor actors are proceeding rapidly and have converted some of the stolen assets to Bitcoin and other virtual assets dispersed across thousands of addresses on multiple blockchains,' the FBI said in an announcement posted late on Wednesday. 'It is expected these assets will be further laundered and eventually converted to fiat currency.'

Elliptic, a blockchain analytics firm that focuses on financial crime and money laundering detection, estimates that 46% of the stolen assets have been moved into about 50 different crypto wallets, each of which holds about 10,000 Ethereum. That comes out to about $626 million.

An investigation commissioned by ByBit and carried out by Sygnia determined that the root cause of the hack originated from malicious code injected in SafeWallet's Amazon Web Services (AMZN) infrastructure. ByBit itself was not compromised, according to the report. Earlier this week, ByBit CEO Ben Zhou announced that his firm had launched a 'bounty site' targeting the Lazarus Group. 'We will not stop until Lazarus or bad actors in the industry is eliminated,' he said.

The ByBit hack is far larger than even the other major thefts that have hit the crypto industry. That includes the 2021 hack of Poly Network, when hackers pilfered $610 million, and the 2022 hack of Ronin Network, which saw thieves steal $615 million. 'Bybit has now become the victim of Web3's largest theft to date,' blockchain analytic firm Certik said in a blog post. 'The escalating frequency and sophistication of these attacks highlight major gaps in operational security.'

North Korea was behind the $1.5B Bybit crypto hack, FBI says

Yahoo | Business | 27-02-2025

North Korea was behind the $1.5B Bybit crypto hack, the FBI said. Virtual assets were stolen from Dubai-based cryptocurrency exchange Bybit earlier this month. It's believed to be the biggest digital heist in history.

North Korea was likely behind the theft of $1.5 billion in virtual assets from Dubai-based cryptocurrency exchange Bybit, according to the FBI. It said that a North Korean group called TraderTraitor, which is also referred to as the Lazarus Group, was behind the hack. Last Friday, Bybit said that hackers had seized control of a wallet used to store Ethereum, and transferred its contents to another address. Ben Zhou, Bybit's CEO, said that the hack had affected around 401,000 Ethereum and had occurred as the company attempted a routine transfer from a cold wallet — an offline storage system — to a warm wallet used for daily trading. "Unfortunately, this transaction was manipulated through a sophisticated attack that masked the signing interface, displaying the correct address while altering the underlying smart contract logic," the company said in a post on X.

On Wednesday, the FBI said that TraderTraitor actors were "proceeding rapidly and have converted some of the stolen assets to Bitcoin and other virtual assets dispersed across thousands of addresses on multiple blockchains." "It is expected these assets will be further laundered and eventually converted to fiat currency," it added. It also urged the private sector to help block transactions from addresses associated with TraderTraitor. Blockchain investigations firm TRM described the hack as the "largest exploit on record," and said that, with a "high degree of confidence," it believed North Korea was behind the theft. "This assessment is based on substantial overlaps observed between addresses controlled by the Bybit hackers and those linked to prior North Korean thefts," it said. Bybit is one of the largest crypto exchanges in the world.

Jake Moore, a UK-based cybersecurity advisor, told BI that the attack exposed vulnerabilities in cryptocurrency security, especially storage systems. "The level of coordination of this attack points towards an established group large enough and knowledgeable enough to pull this off," he said. In a post on X, Bybit's Zhou shared the FBI announcement, as well as a link to a site offering a $140 million bounty for help in tracing and freezing the stolen assets.

North Korea has been behind a string of cyber attacks and online heists in recent years, with security experts saying that it uses them as a source of much-needed funds to boost its economy. "Due to government support and direction, cyber-attacks have become a thriving 'field' in North Korea, both for classic espionage and to supplement its dire finances," cyber security firm NCC Group said in a 2022 report.

Read the original article on Business Insider
