Lazarus Subgroup ‘TraderTraitor’ Disrupts Cloud Platforms and Poisons Supply Chains

The North Korean cyber threat landscape has seen a surge in sophistication with the activities of “TraderTraitor,” a notorious subgroup under the Lazarus Group umbrella.

Tracked by various security vendors as UNC4899, Jade Sleet, TA444, and Slow Pisces, TraderTraitor has specialized in high-impact intrusion campaigns against the global cryptocurrency ecosystem and, increasingly, the cloud supply chain.

Since its emergence in public reporting in 2022, TraderTraitor has left a trail of compromised developer workstations, poisoned open-source packages, and some of the largest cryptocurrency thefts ever disclosed, such as the Bybit and DMM Bitcoin heists.

Advanced Social Engineering

TraderTraitor’s campaigns blend traditional social engineering with nation-state-level technical sophistication.

Initial compromise frequently begins with tailored phishing lures, often delivered by personas posing as recruiters who reach out to DevOps or software engineers at crypto-focused firms.

Victims are enticed to download trojanized cryptocurrency trading applications, typically constructed using Electron and Node.js-based wrappers over open-source crypto tools.

According to the Wiz report, these applications deliver second-stage remote access malware, such as the well-documented MANUSCRYPT and RN Stealer families, capable of harvesting credentials, session tokens, SSH keys, and cloud configuration files.

Application payloads are often signed using legitimate or fraudulently obtained Apple certificates, enabling them to bypass endpoint detection and gain an initial foothold.

Once inside a target network or developer endpoint, the malware’s update routines beacon to attacker-controlled command-and-control servers, retrieving bespoke payloads and facilitating movement across internal systems.

Cloud-Focused Supply Chain Disruption

A defining shift in TraderTraitor’s operational playbook since 2023 is its exploitation of the software supply chain, leveraging public code repositories, poisoned npm and PyPI packages, and code collaboration platforms as entry points.

Notably, in several incidents throughout 2023 and 2024, TraderTraitor operators impersonated developers or open-source contributors on GitHub and Slack, seeding malicious JavaScript dependencies into the workflows of targeted blockchain and DeFi organizations.

Their supply chain focus reached a new inflection point with the compromise of JumpCloud, a well-known cloud-based identity provider, in July 2023.

Figure: Analysis of the JumpCloud compromise

TraderTraitor was able to breach JumpCloud’s infrastructure via phishing of an internal employee, then weaponize its privileged customer access to deliver a malicious update to select cryptocurrency industry tenants.

The attackers used this entry to traverse into the internal networks of downstream organizations, demonstrating a rare and impactful SaaS pivot.

In 2024–2025, TraderTraitor orchestrated two of the largest cryptocurrency thefts ever documented.

The DMM Bitcoin and Ginco breach involved luring a developer through a fake job offer, deploying Python-based remote administration tools, harvesting cloud credentials, and ultimately using unencrypted channels to siphon over 4,500 BTC ($308 million).

The Bybit exchange hack saw the initial compromise of a Safe{Wallet} developer via a poisoned Docker image and Python app, exfiltration of AWS session tokens, targeted enumeration of IAM and S3 resources, and real-time JavaScript tampering of a Next.js frontend to divert over 400,000 ETH and staked ETH, with final losses reaching $1.5 billion.

Figure: Analysis of the Bybit compromise

These incidents were notable not only for their scale but also for the attackers’ systematic abuse of cloud-native assets: targeting developer credentials and cloud API keys and leveraging vulnerable or overly permissive SaaS integrations.
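A defender-side check for the pattern described above (a stolen developer session token followed by IAM and S3 enumeration), written for this page as an added example rather than code from the article or from Wiz: it flags a temporary AWS credential whose enumeration calls come from a source IP other than the one the session was first used from. The CloudTrail-style records, access key ids and IP addresses are constructed.

```python
"""Flag AWS session credentials that start enumerating IAM/S3 from a new IP.
Added example; events below are constructed, not real telemetry."""
from collections import defaultdict

# Read-only IAM/S3 management calls typical of reconnaissance (real CloudTrail eventNames).
ENUM_EVENTS = {
    "iam.amazonaws.com": {"ListUsers", "ListRoles", "ListAttachedRolePolicies",
                          "GetAccountAuthorizationDetails"},
    "s3.amazonaws.com": {"ListBuckets", "GetBucketPolicy", "GetBucketAcl"},
}
THRESHOLD = 3  # enumeration calls from a foreign IP before alerting


def detect_session_token_abuse(events, threshold=THRESHOLD):
    """Return one alert per (temporary key, foreign IP) that reaches `threshold`
    enumeration calls. The session's "home" IP is the IP of its first event;
    only STS temporary keys (prefix "ASIA") are considered, matching the
    exfiltrated-session-token scenario."""
    home_ip = {}               # accessKeyId -> IP of first observed use
    recon = defaultdict(int)   # (accessKeyId, foreign IP) -> enumeration call count
    alerts = []
    for ev in events:
        key = ev["userIdentity"].get("accessKeyId", "")
        ip = ev["sourceIPAddress"]
        if not key.startswith("ASIA"):
            continue
        if key not in home_ip:
            home_ip[key] = ip        # first use establishes the expected origin
            continue
        if ip == home_ip[key]:
            continue
        if ev["eventName"] in ENUM_EVENTS.get(ev["eventSource"], ()):
            recon[(key, ip)] += 1
            if recon[(key, ip)] == threshold:   # alert once per key/IP pair
                alerts.append({"accessKeyId": key, "sourceIPAddress": ip, "count": threshold})
    return alerts


def make_event(key, ip, source, name):
    """Minimal CloudTrail-shaped record (constructed helper for the sample below)."""
    return {"userIdentity": {"accessKeyId": key}, "sourceIPAddress": ip,
            "eventSource": source, "eventName": name}


SAMPLE_EVENTS = [  # constructed: developer session used from 203.0.113.10, then replayed from 198.51.100.7
    make_event("ASIAEXAMPLEDEV00001", "203.0.113.10", "s3.amazonaws.com", "PutObject"),
    make_event("ASIAEXAMPLEDEV00001", "198.51.100.7", "iam.amazonaws.com", "ListUsers"),
    make_event("ASIAEXAMPLEDEV00001", "198.51.100.7", "iam.amazonaws.com", "ListRoles"),
    make_event("ASIAEXAMPLEDEV00001", "198.51.100.7", "s3.amazonaws.com", "ListBuckets"),
    make_event("ASIAEXAMPLEDEV00001", "198.51.100.7", "iam.amazonaws.com", "GetAccountAuthorizationDetails"),
    make_event("AKIAEXAMPLECI000001", "192.0.2.25", "iam.amazonaws.com", "ListUsers"),  # long-term key: out of scope
]

if __name__ == "__main__":
    print(detect_session_token_abuse(SAMPLE_EVENTS))
```

In production the home IP would come from the STS AssumeRole/GetSessionToken event that issued the key, and the threshold would be tuned per role.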

With multiple law enforcement and industry attributions, including from the FBI and Japan’s NPA, TraderTraitor is now widely recognized as a critical financial arm of North Korea’s cyber apparatus.

Their campaign signatures combine nation-state persistence with the opportunistic agility of elite cybercriminals, rapidly moving from initial access to exfiltration.

Their evolving embrace of poisoned open-source supply chains, cloud access brokerages, and trusted SaaS vendors underscores a growing imperative for organizations to harden developer endpoints, enforce strict privilege boundaries, and secure CI/CD and cloud infrastructure from both direct and transitive attacks.

As financial pressure and global sanctions motivate North Korea’s continued targeting, TraderTraitor is expected to persist as a major force in cloud and cryptocurrency cybercrime.

Mandvi is a Security Reporter covering data breaches, malware, cyberattacks, data leaks, and more at Cyber Press.
