UNC4899, Jade Sleet
TraderTraitor is a moniker assigned by the U.S. government to a series of malicious cryptocurrency applications developed by North Korean state-sponsored advanced persistent threat (APT) groups, notably the Lazarus Group, also known as APT38, BlueNoroff, and Stardust Chollima. Active since at least 2020, these actors have targeted various entities within the blockchain technology and cryptocurrency sectors.
The group's modus operandi involves distributing trojanized cryptocurrency trading or price prediction applications, built as cross-platform JavaScript code on the Node.js runtime environment and the Electron framework. These applications are often derived from open-source projects and are promoted through well-designed websites so that they appear legitimate. Notable examples include DAFOM, TokenAIS, and CryptAS.
Initial intrusion attempts typically begin with spear-phishing campaigns targeting employees in roles such as system administration or software development/IT operations (DevOps). The phishing messages often masquerade as recruitment efforts, offering lucrative job opportunities to entice recipients into downloading the compromised applications. Once installed, these applications give the threat actors unauthorized access to the victim's computer, from which they can propagate malware across the network, steal private keys, and exploit other security vulnerabilities. Subsequent malicious activity may include executing fraudulent blockchain transactions.