North Korea Hackers Target Crypto Firms

Security firms have linked a sophisticated supply chain attack to the North Korean hacking group TraderTraitor (UNC4899), known for previous large-scale breaches. The attackers used stolen AWS credentials together with access to Docker and Kubernetes environments to steal source code and private keys from crypto platforms and staking services.

TraderTraitor, also tracked as Jade Sleet, UNC4899, and Pukchong, is a North Korean-aligned hacking group linked to the Lazarus Group. It focuses on cryptocurrency theft to fund North Korea's weapons programs and evade sanctions. In 2025 alone, North Korean hackers stole over $2 billion in cryptocurrency, accounting for 76% of all service compromises, a 51% increase over the $1.3 billion stolen in 2024. The total amount of cryptocurrency stolen by North Korea is estimated at $6.75 billion.

TraderTraitor relies on social engineering, supply chain attacks, and embedding North Korean IT workers inside crypto firms to obtain privileged access. It often targets multiple employees at the same company simultaneously, as seen in the $308 million DMM Bitcoin hack, and has also gone after high-net-worth individuals through social engineering. Stolen funds are laundered through Chinese-language services, bridge services, and mixing protocols, often on a roughly 45-day laundering cycle.

In the recent attack, the group exploited the React2Shell vulnerability (CVE-2025-55182) and used stolen AWS credentials to move into cloud environments belonging to staking platforms, exchange software vendors, and cryptocurrency exchanges, where it stole source code and private keys. The attackers downloaded five Docker images and took software components related to ChainUp customers.
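The article describes the pattern (a stolen AWS credential, then bulk container-image pulls and access to signing material) without showing how a defender would spot it. The following is an added example, not code from the article or from any vendor named in it. It scans CloudTrail-shaped records for three signals: a credential used from an IP outside its baseline, bulk image pulls by one credential, and secret reads from an unfamiliar IP. The sample events, the access key, the IP baseline and the pull threshold are constructed for illustration; the event names are real CloudTrail names for ECR, Secrets Manager and SSM.

```python
"""Flag a stolen AWS credential being used to pull images and read secrets.

Added example with constructed CloudTrail-style records; field names
follow the CloudTrail schema, but the data, baseline and thresholds
are assumptions of this example.
"""
import json
from collections import defaultdict

# Real CloudTrail event names for ECR image pulls and secret reads.
IMAGE_PULL_EVENTS = {"BatchGetImage", "GetDownloadUrlForLayer"}
SECRET_READ_EVENTS = {"GetSecretValue", "GetParameter"}


def _event(name, ip, access_key, **params):
    """Build a minimal CloudTrail-shaped record (constructed sample data)."""
    return {
        "eventName": name,
        "sourceIPAddress": ip,
        "userIdentity": {
            "accessKeyId": access_key,
            "arn": "arn:aws:iam::123456789012:user/dev-build",  # constructed
        },
        "requestParameters": params,
    }


DEV_KEY = "AKIAEXAMPLEDEVKEY"   # constructed placeholder, not a real key
OFFICE_IP = "203.0.113.10"      # RFC 5737 documentation address
UNKNOWN_IP = "198.51.100.77"    # RFC 5737 documentation address

# Constructed timeline: two normal pulls from the office, then the same
# key used from an unfamiliar IP to pull five images and read a secret.
SAMPLE_EVENTS = [
    _event("BatchGetImage", OFFICE_IP, DEV_KEY, repositoryName="api"),
    _event("BatchGetImage", OFFICE_IP, DEV_KEY, repositoryName="worker"),
] + [
    _event("BatchGetImage", UNKNOWN_IP, DEV_KEY, repositoryName=repo)
    for repo in ("api", "worker", "staking-signer", "exchange-gateway", "keyvault")
] + [
    _event("GetSecretValue", UNKNOWN_IP, DEV_KEY,
           secretId="prod/validator-signing-key"),
]

# Assumed per-credential baseline of source IPs seen in normal use.
KNOWN_SOURCES = {DEV_KEY: {OFFICE_IP}}


def find_anomalies(events, known_sources, pull_threshold=3):
    """Return a list of findings; each is a dict with rule, principal, ip, detail."""
    findings = []
    unknown_activity = defaultdict(set)  # (principal, ip) -> event names
    pulled_repos = defaultdict(set)      # (principal, ip) -> repositories

    for ev in events:
        ident = ev["userIdentity"]
        principal = ident.get("accessKeyId") or ident["arn"]
        ip = ev["sourceIPAddress"]
        name = ev["eventName"]
        params = ev.get("requestParameters") or {}
        from_unknown_ip = ip not in known_sources.get(principal, set())

        if from_unknown_ip:
            unknown_activity[(principal, ip)].add(name)
            if name in SECRET_READ_EVENTS:
                findings.append({
                    "rule": "secret_read_from_unknown_ip",
                    "principal": principal, "ip": ip,
                    "detail": params.get("secretId") or params.get("name"),
                })
        if name in IMAGE_PULL_EVENTS:
            pulled_repos[(principal, ip)].add(params.get("repositoryName", "?"))

    # One finding per (credential, IP) pair never seen in the baseline.
    for (principal, ip), names in unknown_activity.items():
        findings.append({"rule": "credential_used_from_unknown_ip",
                         "principal": principal, "ip": ip,
                         "detail": sorted(names)})
    # Bulk pulls are flagged regardless of IP: volume alone is a signal.
    for (principal, ip), repos in pulled_repos.items():
        if len(repos) >= pull_threshold:
            findings.append({"rule": "bulk_image_pull",
                             "principal": principal, "ip": ip,
                             "detail": sorted(repos)})
    return findings


if __name__ == "__main__":
    print(json.dumps(find_anomalies(SAMPLE_EVENTS, KNOWN_SOURCES), indent=2))
```

On the constructed sample this yields three findings, all tied to the unfamiliar IP, while the two office pulls produce nothing. In production the baseline would come from historical CloudTrail data per access key, and the same three rules map directly onto the article's narrative: credential theft, image exfiltration, and access to signing keys.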


Shared from Scout - Be the smartest in the room.