Mon Apr 14 2025

TraderTraitor: The Kings of Crypto Theft

It is suspected that TraderTraitor, a group of cybercriminals from North Korea, is responsible for the theft of 1.5 billion dollars in cryptocurrency from a single exchange, making it one of the most sophisticated cybercrime groups in the world.

On February 21, the largest cryptocurrency theft in history took place. A group of hackers managed to seize a digital wallet belonging to Bybit, the second-largest cryptocurrency exchange in the world, stealing nearly $1.5 billion in digital tokens. The criminals quickly moved the money among multiple wallets and cryptocurrency services to disguise their activity before starting to withdraw the stolen funds. This digital heist displayed the typical characteristics of an operation orchestrated by one of the most elite subgroups of North Korean hackers.

Although Bybit managed to remain solvent through cryptocurrency loans and launched a reward program to trace the stolen funds, the FBI quickly attributed the attack to the hackers known as TraderTraitor. This group had already been linked to other notorious cryptocurrency thefts and software supply chain breaches.

Michael Barnhart, a cybersecurity researcher specializing in North Korea, points out that hackers from this country, alongside their counterparts from China, Russia, and Iran, are considered among the most sophisticated cyber threats facing Western democracies. North Korea's cyber operations pursue specific objectives, such as funding the regime's nuclear programs, and to that end cryptocurrency theft has become increasingly prominent in recent years.

For at least five years, Kim Jong-un's totalitarian regime has sent highly skilled tech workers to infiltrate companies around the world and earn salaries that they send back home. In some cases, after being laid off, these workers extort their former employers by threatening to disclose sensitive information. At the same time, North Korean hackers, part of the broader group known as Lazarus, have stolen billions in cryptocurrency from exchanges and global companies. TraderTraitor is one of the factions within Lazarus, operating under the supervision of North Korea's intelligence agency, the Reconnaissance General Bureau.

This group, also known as Jade Sleet, Slow Pisces, and UNC4899, specializes in cryptocurrency theft. Sherrod DeGrippo, director of threat intelligence strategy at Microsoft, highlights its use of a variety of creative techniques to gain access to blockchain platforms and trading forums. Since its emergence in 2022, TraderTraitor has been linked to multiple significant thefts; one of the most notable was the theft of $308 million from the Japanese company DMM in March 2024.

TraderTraitor conducts targeted attacks on employees of Web3 companies through spear-phishing emails, typically directed at those working in software development. These hackers build profiles of their targets and monitor the most active trading platforms in the industry. In July 2023, GitHub, owned by Microsoft, revealed that TraderTraitor had created fake accounts on its platform and on other social networks to lure developers and ultimately infect them with malware.

Once access to cryptocurrency or digital wallets has been obtained, the money laundering follows a well-established pattern. To prevent wallets from being frozen, the hackers quickly exchange the stolen tokens for more common cryptocurrencies, like ether and bitcoin, which are harder to trace. Additionally, the funds are split into smaller amounts and sent to multiple wallets, making the transactions harder to follow.

TraderTraitor is currently also implicated in attacks on software supply chain companies, with JumpCloud being one of the most notorious cases, in June 2023. This type of attack can offer stealthier access to the group's true targets.

As TraderTraitor has gained more attention, improvements in its operations and attempts to evade detection have been observed. Recent investigations have shown that the group has employed self-deleting malware to hinder identification. Unlike Russian hacker groups, which tend to operate in a more chaotic manner, North Korean groups appear to be better organized, demonstrating a remarkable ability to maintain secrecy and persistence.

The complexity of North Korea's hacking operations could be even greater than previously thought. Experts suggest that cryptocurrency hackers and undercover IT workers may be coordinating their tactics, indicating an overlap in their methods of operation.