← TraderTraitor / UNC4899 (1 decision on this page)
Audit log
Every state-changing event for TraderTraitor / UNC4899: moderation decisions on community submissions, plus corrections and updates from the news pipeline. URL-based decisions carry three independent witnesses — the original source, an Internet Archive snapshot taken at submission time, and a Solana memo signed by our publicly-disclosed publisher key.
- #1 publish by system:backfill, 2026-06-03 00:08:12Z. Score: ? → ? (no score change). Anchor: anchored
- chain: mainnet-beta, slot 423,915,107
- sig: 2rTWUUfqWkNi…rBLbSVKZ
- hash: 5yU58t7VvPS6…mS1fFcjs (sha256 → base58)
- canonical bytes (35191 B):
{"actor":"system:backfill","investigation_id":"24036015-c6dd-4ee3-8c4b-5adc4f09d7fd","kind":"publish","page_slug":"tradertraitor-unc4899","published_at":"2026-06-03T00:08:12.817Z","sequence_num":1,"snapshot":{"content_type":"investigation","entity_name":"TraderTraitor / UNC4899","sections":[{"content":"TraderTraitor is the FBI's formal designation for a specific cluster of North Korean state-sponsored malicious cyber activity targeting the cryptocurrency sector. The same cluster is tracked under multiple vendor names: UNC4899 (Google Threat Intelligence / Mandiant), Jade Sleet (Microsoft Threat Intelligence Center), Slow Pisces (Palo Alto Unit 42), and PUKCHONG (internal DPRK designation). These designations refer to the same or heavily overlapping intrusion set. Mandiant assessed with high confidence that UNC4899 operates under North Korea's Reconnaissance General Bureau (RGB), specifically its cryptocurrency-focused element within the 3rd Bureau. The broader Lazarus Group umbrella — which also encompasses APT38, BlueNoroff, and Stardust Chollima — is the parent organizational label used by some researchers. The April 2022 joint advisory from the FBI, CISA, and U.S. Treasury (AA22-108A) was the first formal U.S. government attribution, publicly naming the threat cluster 'TraderTraitor' and linking it to these legacy designations. 
A related but distinct North Korean cluster, UNC4736 (also tracked as Citrine Sleet / AppleJeus), is responsible for separate incidents such as the Drift Protocol hack; the two operate under the same RGB parent but employ different TTPs and target sets.","heading":"Attribution and Organizational Structure","severity":"critical","sources":[{"credibility":1,"name":"CISA Advisory AA22-108A: TraderTraitor: North Korean State-Sponsored APT Targets Blockchain Companies","type":"regulatory","url":"https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-108a"},{"credibility":2,"name":"Mandiant / Google Cloud Blog: North Korea Leverages SaaS Provider in a Targeted Supply Chain Attack","type":"research","url":"https://cloud.google.com/blog/topics/threat-intelligence/north-korea-supply-chain"},{"credibility":2,"name":"Wiz Blog: TraderTraitor Deep Dive","type":"research","url":"https://www.wiz.io/blog/north-korean-tradertraitor-crypto-heist"},{"credibility":2,"name":"Mandiant / Google Cloud Blog: Assessed Cyber Structure and Alignments of North Korea in 2023","type":"research","url":"https://cloud.google.com/blog/topics/threat-intelligence/north-korea-cyber-structure-alignment-2023"}]},{"content":"TraderTraitor has been formally attributed to a series of high-value cryptocurrency thefts spanning 2022 to 2026.\n\nBybit ($1.5 billion, February 2025): On February 21, 2025, TraderTraitor actors stole approximately 400,000 ETH and staked ETH — worth approximately $1.5 billion at the time — from cryptocurrency exchange Bybit. The FBI issued a public service announcement on February 26, 2025 formally attributing the theft to North Korea's TraderTraitor. The attack involved compromising an employee machine at Safe{Wallet} (the multisig platform used by Bybit), injecting malicious JavaScript into the Safe{Wallet} AWS S3-hosted frontend, and manipulating transaction logic to redirect a Bybit cold wallet transfer to attacker-controlled addresses. 
Stolen assets were rapidly converted to Bitcoin and dispersed across thousands of blockchain addresses. The FBI listed 51 Ethereum wallet addresses connected to the operation and urged virtual asset service providers to block transactions involving them.\n\nDMM Bitcoin ($308 million, May 2024): In late March 2024, a TraderTraitor actor posing as a recruiter on LinkedIn contacted an employee of Ginco, a Japanese enterprise cryptocurrency wallet software company, and delivered a malicious Python script disguised as a pre-employment coding test. After compromising Ginco's communications system via stolen session cookies, TraderTraitor actors manipulated a legitimate transaction request by a DMM employee, resulting in the theft of 4,502.9 BTC (approximately $308 million). The FBI, Department of Defense Cyber Crime Center (DC3), and Japan's National Police Agency (NPA) jointly attributed this theft to TraderTraitor in December 2024.\n\nRonin Network / Axie Infinity ($620 million, March 2022): In March 2022, the Ronin Network bridge was exploited for approximately $620 million in ETH and USDC. The FBI formally attributed the attack to the Lazarus Group and APT38, which overlap with TraderTraitor. The intrusion began via a fake job offer PDF delivered to a Sky Mavis engineer, which led to compromise of validator private keys.\n\nJumpCloud Supply Chain Attack (July 2023): TraderTraitor (UNC4899) compromised JumpCloud, a cloud identity and access management provider, via spear phishing, then injected malicious code into JumpCloud's command framework to deliver payloads to fewer than five downstream cryptocurrency industry customers. The attack was investigated and attributed by Mandiant with high confidence to UNC4899. 
An OPSEC failure — a direct connection from a Pyongyang IP block (175.45.178.0/24) to an attacker-controlled relay — confirmed the attribution.\n\nKelpDAO ($292 million, April 2026): TRM Labs attributed the KelpDAO exploit in April 2026 to TraderTraitor based on pre-funding analysis traceable to known TraderTraitor laundering networks. Approximately $175 million of the proceeds was converted to Bitcoin via THORChain.","heading":"Primary Attributed Incidents","severity":"critical","sources":[{"credibility":1,"name":"FBI / IC3 PSA: North Korea Responsible for $1.5 Billion Bybit Hack (I-022625-PSA)","type":"regulatory","url":"https://www.ic3.gov/psa/2025/psa250226"},{"credibility":1,"name":"FBI Press Release: FBI, DC3, and NPA Attribution of $308 Million DMM Bitcoin Theft to TraderTraitor","type":"regulatory","url":"https://www.fbi.gov/news/press-releases/fbi-dc3-and-npa-identification-of-north-korean-cyber-actors-tracked-as-tradertraitor-responsible-for-theft-of-308-million-from-bitcoindmmcom"},{"credibility":2,"name":"The Hacker News: Bybit Hack Traced to Safe{Wallet} Supply Chain Attack","type":"news_article","url":"https://thehackernews.com/2025/02/bybit-hack-traced-to-safewallet-supply.html"},{"credibility":2,"name":"CoinDesk: Ronin Network Suffers $625M Exploit","type":"news_article","url":"https://www.coindesk.com/tech/2022/03/29/axie-infinitys-ronin-network-suffers-625m-exploit"},{"credibility":2,"name":"TRM Labs: North Korea Stole 76% of All Crypto Hack Value in 2026 With Just Two Attacks","type":"research","url":"https://www.trmlabs.com/resources/blog/north-korea-stole-76-of-all-crypto-hack-value-in-2026-with-just-two-attacks"},{"credibility":2,"name":"Mandiant / Google Cloud Blog: North Korea Leverages SaaS Provider in a Targeted Supply Chain Attack","type":"research","url":"https://cloud.google.com/blog/topics/threat-intelligence/north-korea-supply-chain"},{"credibility":2,"name":"CoinTelegraph: FBI Reveals DMM Crypto Hack $300M North 
Korea","type":"news_article","url":"https://cointelegraph.com/news/fbi-reveals-dmm-crypto-hack-300m-north-korea"}]},{"content":"TraderTraitor employs a documented progression of attack phases, which have evolved in sophistication from 2020 to 2026.\n\nPhase 1 — Trojanized Applications (2020–2022): Attackers posed as recruiters via LinkedIn, Telegram, and Slack, directing targets to download fake cryptocurrency trading applications built on the Electron/Node.js framework. These apps carried the MANUSCRYPT remote access trojan. Digital signatures used fraudulent Apple Developer certificates. Hard-coded C2 URLs delivered AES-256 encrypted second-stage payloads.\n\nPhase 2 — Open-Source Supply Chain Poisoning (2023): TraderTraitor shifted to GitHub collaboration invitations and malicious npm packages. Typosquatted PyPI packages (e.g., pycryptoenv, pycryptoconf) and trojanized JavaScript packages were distributed on public repositories. The group was the first nation-state APT known to leverage public package repositories for targeted supply chain attacks.\n\nPhase 3 — Cloud Service Provider Compromise (2023): The JumpCloud attack demonstrated TraderTraitor's willingness to compromise upstream SaaS vendors to reach downstream cryptocurrency customers, mirroring the 3CX and Trading Technologies supply chain cascades documented by Mandiant.\n\nPhase 4 — Living-off-the-Cloud (LotC) (2024–present): Post-initial-access techniques shifted to cloud-native abuse: harvesting AWS session tokens to bypass MFA, enumerating IAM roles and S3 buckets, injecting JavaScript into cloud-hosted web frontends, modifying Kubernetes deployment configurations for persistence, and escaping privileged containers to deploy additional backdoors. 
The March 2026 UNC4899 breach of an unnamed cryptocurrency firm (described by The Hacker News) exemplifies this phase: a developer AirDropped a trojanized archive to a corporate device, which when executed spawned malware masquerading as the Kubernetes CLI tool, establishing a backdoor used to modify MFA policies, extract CI/CD service account tokens, tamper with Cloud SQL databases, and withdraw several million dollars in digital assets.\n\nPhase 5 — ClickFix and AI-Assisted Delivery (2025): Unit 42 documented a 'Slow Pisces' (TraderTraitor) campaign delivering RN Loader and RN Stealer via GitHub-hosted coding challenges sent after fake LinkedIn recruiter contact. Separately, starting in April 2025, Lazarus Group operators adopted ClickFix social engineering to deliver the GolangGhost backdoor — a Go-based cross-platform RAT capable of file upload/download, host information exfiltration, and browser data theft — to cryptocurrency job seekers on both Windows and macOS.\n\nKey malware families attributed to TraderTraitor include: MANUSCRYPT (RAT), RN Loader (first-stage loader), RN Stealer (Python infostealer), GopherGrabber (Go-based credential stealer), GolangGhost (Go RAT, ClickFix delivery), FULLHOUSE.DOORED (C/C++ HTTP backdoor, JumpCloud campaign), STRATOFEAR (modular backdoor, encrypted C2 config), TIEDYE (macOS multi-protocol backdoor), AGAMEMNON, and BeaverTail.","heading":"Tactics, Techniques, and Procedures (TTPs)","severity":"critical","sources":[{"credibility":2,"name":"Wiz Blog: TraderTraitor Deep Dive","type":"research","url":"https://www.wiz.io/blog/north-korean-tradertraitor-crypto-heist"},{"credibility":2,"name":"Mandiant / Google Cloud Blog: North Korea Leverages SaaS Provider in a Targeted Supply Chain Attack","type":"research","url":"https://cloud.google.com/blog/topics/threat-intelligence/north-korea-supply-chain"},{"credibility":2,"name":"The Hacker News: UNC4899 Breached Crypto Firm After Developer AirDropped Trojanized File to Work 
Device","type":"news_article","url":"https://thehackernews.com/2026/03/unc4899-used-airdrop-file-transfer-and.html"},{"credibility":2,"name":"Palo Alto Unit 42: Slow Pisces Targets Developers With Coding Challenges and New Customized Python Malware","type":"research","url":"https://unit42.paloaltonetworks.com/slow-pisces-new-custom-malware/"},{"credibility":2,"name":"The Hacker News: Lazarus Group Targets Job Seekers With ClickFix Tactic to Deploy GolangGhost Malware","type":"news_article","url":"https://thehackernews.com/2025/04/lazarus-group-targets-job-seekers-with.html"},{"credibility":1,"name":"CISA Advisory AA22-108A (PDF): TraderTraitor malware application details and TTPs","type":"regulatory","url":"https://www.cisa.gov/sites/default/files/publications/AA22-108A-TraderTraitor-North_Korea_APT_Targets_Blockchain_Companies.pdf"}]},{"content":"Following each major theft, TraderTraitor actors have executed rapid and systematic laundering operations. After the February 2025 Bybit heist, the FBI confirmed that stolen ETH was converted to Bitcoin and dispersed across thousands of blockchain addresses within days. Chain analysis by Elliptic and TRM Labs documented the stolen ETH entering Tornado Cash in 28 separate deposits, with the group prioritizing speed and automation over traditional anonymity-maximizing behavior, in part due to heightened scrutiny on mixing infrastructure. THORChain emerged as the preferred ETH-to-BTC conversion mechanism for both the 2025 Bybit proceeds and the 2026 KelpDAO proceeds, with approximately $175 million from KelpDAO converted via THORChain. The IC3 PSA listing 51 Ethereum wallet addresses holding or having held Bybit theft assets was accompanied by calls for virtual asset service providers, RPC node operators, exchanges, and bridges to block transactions involving those addresses. Separately, North Korean hackers struck SBI Crypto for approximately $21 million in late 2025, routing stolen funds through Tornado Cash. 
The DOJ's August 2025 conviction of Tornado Cash co-founder Roman Storm for running an unlicensed money transmission business is seen by researchers as an enforcement action targeting infrastructure used by groups including TraderTraitor.","heading":"Money Laundering and Asset Dispersal","severity":"critical","sources":[{"credibility":1,"name":"FBI / IC3 PSA: North Korea Responsible for $1.5 Billion Bybit Hack","type":"regulatory","url":"https://www.ic3.gov/psa/2025/psa250226"},{"credibility":2,"name":"TRM Labs: The Bybit Hack — Following North Korea's Largest Exploit","type":"research","url":"https://www.trmlabs.com/resources/blog/the-bybit-hack-following-north-koreas-largest-exploit"},{"credibility":2,"name":"Elliptic: The Bybit Hack — The Largest Theft in History, Following the Money Trail","type":"research","url":"https://www.elliptic.co/blog/bybit-hack-largest-in-history"},{"credibility":2,"name":"TRM Labs: North Korea Stole 76% of All Crypto Hack Value in 2026 With Just Two Attacks","type":"research","url":"https://www.trmlabs.com/resources/blog/north-korea-stole-76-of-all-crypto-hack-value-in-2026-with-just-two-attacks"}]},{"content":"Independent research firms have documented the cumulative scale of cryptocurrency theft attributed to North Korean actors, of which TraderTraitor is the primary named cluster. According to Chainalysis's 2025 annual crypto crime report (published in late 2025 / January 2026), North Korea-linked actors stole $2.02 billion in cryptocurrency in 2025, a 51% year-over-year increase and a record high, accounting for approximately 60% of all reported global crypto theft that year. The total all-time DPRK-attributed theft reached approximately $6.75 billion since 2017. In 2024, North Korean actors stole $1.34 billion across 47 incidents. 
Through April 2026, TRM Labs reported that North Korea-linked hackers had already stolen $577 million — 76% of all crypto hack losses in the period — with only two major attacks: the $292 million KelpDAO exploit and the $285 million Drift Protocol attack (the latter attributed to a distinct DPRK cluster). North Korea denies responsibility for any of the attributed hacks. For 2022, the Ronin Network heist alone ($620 million) represented the single largest crypto theft at the time. The trajectory shows an acceleration from under 10% of global crypto hack value in 2020–2021 to 22% in 2022, 37% in 2023, 39% in 2024, and 64% in 2025 (TRM Labs figures).","heading":"Scale of Theft: Aggregate Figures","severity":"critical","sources":[{"credibility":2,"name":"Chainalysis: 2025 Crypto Theft Reaches $3.4 Billion (North Korea stole $2B+)","type":"research","url":"https://www.chainalysis.com/blog/crypto-hacking-stolen-funds-2026/"},{"credibility":2,"name":"CoinDesk: North Korean Hackers Stole a Record $2B of Crypto in 2025, Chainalysis Says","type":"news_article","url":"https://www.coindesk.com/business/2025/12/18/north-korean-hackers-stole-a-record-usd2b-of-crypto-in-2025-chainalysis-says"},{"credibility":2,"name":"TRM Labs: North Korea Stole 76% of All Crypto Hack Value in 2026 With Just Two Attacks","type":"research","url":"https://www.trmlabs.com/resources/blog/north-korea-stole-76-of-all-crypto-hack-value-in-2026-with-just-two-attacks"},{"credibility":2,"name":"The Block: North Korea Accounts for 76% of 2026 Crypto Hack Losses, Theft Since 2017 Topping $6 Billion","type":"news_article","url":"https://www.theblock.co/post/399569/north-korea-accounts-for-76-of-2026-crypto-hack-losses-with-theft-since-2017-topping-6-billion-trm-labs"}]},{"content":"Parallel to TraderTraitor's external attack campaigns, North Korean state-linked actors have also deployed a large-scale scheme to embed fake remote IT workers inside cryptocurrency and technology companies to extract salaries, 
gain privileged insider access, and enable subsequent theft. This operation overlaps with but is operationally distinct from TraderTraitor's attack cluster. According to reporting by Fortune (August 2025), the number of companies that hired North Korean IT workers grew approximately 220% in the 12 months prior to the report, with infiltrations across more than 320 companies. Operatives have used AI-generated synthetic identities, real-time deepfake video technology during interviews, and U.S.-based facilitators operating 'laptop farms' to route remote access to overseas workers. The DOJ charged Matthew Isaac Knoot, a U.S. citizen in Nashville, for operating such a laptop farm. Five U.S. residents pleaded guilty in 2025 to facilitating the scheme under the DOJ's Operation DPRK Reload (DPRK RevGen initiative). The scheme serves both as a revenue source (workers remit salaries to Pyongyang) and as an access vector that can be activated for high-impact compromise. Chainalysis attributed insider access via embedded IT workers as one of the principal vectors contributing to North Korea's record 2025 theft totals.","heading":"DPRK IT Worker Infiltration (Adjacent Operation)","severity":"high","sources":[{"credibility":2,"name":"Fortune: North Korean IT Worker Infiltrations Exploded 220% Over Past 12 Months","type":"news_article","url":"https://fortune.com/2025/08/04/north-korean-it-worker-infiltrations-exploded/"},{"credibility":2,"name":"TechCrunch: US Sanctions Fraud Network Used by North Korean Remote IT Workers","type":"news_article","url":"https://techcrunch.com/2025/08/27/us-sanctions-fraud-network-used-by-north-korea-to-seek-jobs-and-steal-money/"},{"credibility":2,"name":"Chainalysis: 2025 Crypto Theft Reaches $3.4 Billion","type":"research","url":"https://www.chainalysis.com/blog/crypto-hacking-stolen-funds-2026/"}]},{"content":"Multiple government bodies have issued formal advisories, attributions, and sanctions related to TraderTraitor activity. 
The foundational advisory is the April 18, 2022 joint FBI/CISA/U.S. Treasury advisory (AA22-108A), which formally named the threat cluster 'TraderTraitor,' described its malicious cryptocurrency applications, and provided technical indicators and mitigations. In December 2024, the FBI, DC3, and Japan's NPA issued a joint statement attributing the $308 million DMM Bitcoin theft to TraderTraitor. In February 2025, the FBI's IC3 issued PSA I-022625-PSA attributing the $1.5 billion Bybit theft and listing 51 Ethereum addresses for industry blocking. OFAC has sanctioned multiple cryptocurrency wallet addresses tied to North Korean operations, with the SDN list containing over 1,200 cryptocurrency addresses as of early 2025. Japan's National Cyber Incident Readiness and Strategy Center issued a separate alert on TraderTraitor. A January 2025 joint statement by the United States, South Korea, and Japan attributed the $235 million WazirX hack to Lazarus Group actors. These represent the most comprehensive government attribution of a nation-state cyber actor to cryptocurrency theft in public record.","heading":"Government Advisories and Sanctions","severity":"high","sources":[{"credibility":1,"name":"CISA Advisory AA22-108A: TraderTraitor: North Korean State-Sponsored APT Targets Blockchain Companies","type":"regulatory","url":"https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-108a"},{"credibility":1,"name":"FBI Press Release: FBI, DC3, and NPA Attribution of $308 Million DMM Bitcoin Theft to TraderTraitor","type":"regulatory","url":"https://www.fbi.gov/news/press-releases/fbi-dc3-and-npa-identification-of-north-korean-cyber-actors-tracked-as-tradertraitor-responsible-for-theft-of-308-million-from-bitcoindmmcom"},{"credibility":1,"name":"FBI / IC3 PSA: North Korea Responsible for $1.5 Billion Bybit Hack","type":"regulatory","url":"https://www.ic3.gov/psa/2025/psa250226"},{"credibility":1,"name":"Japan NISC: Alert on TraderTraitor cyberattack by North Korean 
cyber actors","type":"regulatory","url":"https://www.cyber.go.jp/eng/pdf/Alert_TraderTraitor.pdf"},{"credibility":2,"name":"Business Standard: WazirX $235mn Hack Linked to North Korea — US, Japan, South Korea Joint Response","type":"news_article","url":"https://www.business-standard.com/companies/news/wazirx-crypto-hack-north-korea-us-japan-south-korea-response-125011500597_1.html"}]},{"content":"Numerous government statements and independent researchers have assessed that funds stolen by TraderTraitor and the broader Lazarus Group apparatus are used to finance North Korea's weapons of mass destruction programs and evade international sanctions imposed by the United Nations Security Council and individual nations. The U.S. Treasury and State Departments have explicitly stated this linkage in sanctions press releases. Chainalysis describes the operations as functioning with 'corporate' efficiency, with clear operational separation between initial access, lateral movement, theft execution, and laundering teams. The scale and pace of theft — with individual heists executed in hours after months of preparation — suggests a well-resourced state-directed program. 
North Korea has publicly denied responsibility for all attributed cryptocurrency thefts, including through a statement in May 2026 calling TRM Labs attribution reports 'slander' (as reported by The Block).","heading":"Strategic Purpose: Sanctions Evasion and Weapons Financing","severity":"high","sources":[{"credibility":2,"name":"Wilson Center: The Bybit Heist — What Happened and What Now","type":"research","url":"https://www.wilsoncenter.org/article/bybit-heist-what-happened-what-now"},{"credibility":2,"name":"The Block: North Korea Denies TRM Labs Data Tying It to Major Crypto Hacks","type":"news_article","url":"https://www.theblock.co/post/399854/north-korea-blames-crypto-theft-reports"},{"credibility":2,"name":"Chainalysis: 2025 Crypto Theft Reaches $3.4 Billion","type":"research","url":"https://www.chainalysis.com/blog/crypto-hacking-stolen-funds-2026/"}]}],"sources_used":[{"credibility":1,"name":"FBI / IC3 PSA I-022625-PSA: North Korea Responsible for $1.5 Billion Bybit Hack","type":"regulatory","url":"https://www.ic3.gov/psa/2025/psa250226"},{"credibility":1,"name":"FBI Press Release: FBI, DC3, and NPA Attribution — TraderTraitor Responsible for $308M DMM Bitcoin Theft","type":"regulatory","url":"https://www.fbi.gov/news/press-releases/fbi-dc3-and-npa-identification-of-north-korean-cyber-actors-tracked-as-tradertraitor-responsible-for-theft-of-308-million-from-bitcoindmmcom"},{"credibility":1,"name":"CISA Advisory AA22-108A: TraderTraitor: North Korean State-Sponsored APT Targets Blockchain Companies","type":"regulatory","url":"https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-108a"},{"credibility":1,"name":"CISA Advisory AA22-108A (PDF direct)","type":"regulatory","url":"https://www.cisa.gov/sites/default/files/publications/AA22-108A-TraderTraitor-North_Korea_APT_Targets_Blockchain_Companies.pdf"},{"credibility":2,"name":"Mandiant / Google Cloud Blog: North Korea Leverages SaaS Provider in a Targeted Supply Chain Attack 
(JumpCloud)","type":"research","url":"https://cloud.google.com/blog/topics/threat-intelligence/north-korea-supply-chain"},{"credibility":2,"name":"Mandiant / Google Cloud Blog: Assessed Cyber Structure and Alignments of North Korea in 2023","type":"research","url":"https://cloud.google.com/blog/topics/threat-intelligence/north-korea-cyber-structure-alignment-2023"},{"credibility":2,"name":"Wiz Blog: TraderTraitor Deep Dive","type":"research","url":"https://www.wiz.io/blog/north-korean-tradertraitor-crypto-heist"},{"credibility":2,"name":"Palo Alto Unit 42: Slow Pisces Targets Developers With Coding Challenges and New Customized Python Malware","type":"research","url":"https://unit42.paloaltonetworks.com/slow-pisces-new-custom-malware/"},{"credibility":2,"name":"TRM Labs: The Bybit Hack — Following North Korea's Largest Exploit","type":"research","url":"https://www.trmlabs.com/resources/blog/the-bybit-hack-following-north-koreas-largest-exploit"},{"credibility":2,"name":"TRM Labs: North Korea Stole 76% of All Crypto Hack Value in 2026 With Just Two Attacks","type":"research","url":"https://www.trmlabs.com/resources/blog/north-korea-stole-76-of-all-crypto-hack-value-in-2026-with-just-two-attacks"},{"credibility":2,"name":"Chainalysis: 2025 Crypto Theft Reaches $3.4 Billion (North Korea $2B+ share)","type":"research","url":"https://www.chainalysis.com/blog/crypto-hacking-stolen-funds-2026/"},{"credibility":2,"name":"The Block: North Korea Accounts for 76% of 2026 Crypto Hack Losses, TRM Labs","type":"news_article","url":"https://www.theblock.co/post/399569/north-korea-accounts-for-76-of-2026-crypto-hack-losses-with-theft-since-2017-topping-6-billion-trm-labs"},{"credibility":2,"name":"Elliptic: The Bybit Hack — The Largest Theft in History, Following the Money Trail","type":"research","url":"https://www.elliptic.co/blog/bybit-hack-largest-in-history"},{"credibility":2,"name":"The Hacker News: Bybit Hack Traced to Safe{Wallet} Supply Chain Attack Exploited by North 
Korean Hackers","type":"news_article","url":"https://thehackernews.com/2025/02/bybit-hack-traced-to-safewallet-supply.html"},{"credibility":2,"name":"The Hacker News: UNC4899 Breached Crypto Firm After Developer AirDropped Trojanized File to Work Device (March 2026)","type":"news_article","url":"https://thehackernews.com/2026/03/unc4899-used-airdrop-file-transfer-and.html"},{"credibility":2,"name":"The Hacker News: Lazarus Group Targets Job Seekers With ClickFix Tactic to Deploy GolangGhost Malware","type":"news_article","url":"https://thehackernews.com/2025/04/lazarus-group-targets-job-seekers-with.html"},{"credibility":2,"name":"CNBC: Hackers Steal $1.5 Billion from Exchange Bybit in Biggest-Ever Crypto Heist","type":"news_article","url":"https://www.cnbc.com/2025/02/21/hackers-steal-1point5-billion-from-exchange-bybit-biggest-crypto-heist.html"},{"credibility":2,"name":"CoinDesk: Axie Infinity's Ronin Network Suffers $625M Exploit","type":"news_article","url":"https://www.coindesk.com/tech/2022/03/29/axie-infinitys-ronin-network-suffers-625m-exploit"},{"credibility":2,"name":"CoinDesk: North Korea Blamed for May's $305M Hack on Japanese Crypto Exchange DMM","type":"news_article","url":"https://www.coindesk.com/policy/2024/12/24/north-korea-blamed-for-may-s-usd305m-hack-on-japanese-crypto-exchange-dmm"},{"credibility":2,"name":"The Record: FBI Largest Crypto Hack of 2024 TraderTraitor","type":"news_article","url":"https://therecord.media/fbi-largest-crypto-hack-2024-tradertraitor"},{"credibility":1,"name":"Japan NISC: Alert on Cyberattack by North Korean Cyber Actors, TraderTraitor","type":"regulatory","url":"https://www.cyber.go.jp/eng/pdf/Alert_TraderTraitor.pdf"},{"credibility":2,"name":"Wilson Center: The Bybit Heist — What Happened and What Now","type":"research","url":"https://www.wilsoncenter.org/article/bybit-heist-what-happened-what-now"},{"credibility":2,"name":"The Block: North Korea Denies TRM Labs Data Tying It to Major Crypto 
Hacks","type":"news_article","url":"https://www.theblock.co/post/399854/north-korea-blames-crypto-theft-reports"},{"credibility":2,"name":"Fortune: North Korean IT Worker Infiltrations Exploded 220% Over Past 12 Months","type":"news_article","url":"https://fortune.com/2025/08/04/north-korean-it-worker-infiltrations-exploded/"},{"credibility":2,"name":"TechCrunch: US Sanctions Fraud Network Used by North Korean Remote IT Workers","type":"news_article","url":"https://techcrunch.com/2025/08/27/us-sanctions-fraud-network-used-by-north-korea-to-seek-jobs-and-steal-money/"},{"credibility":3,"name":"Wikipedia: 2024 WazirX Hack","type":"other","url":"https://en.wikipedia.org/wiki/2024_WazirX_hack"}],"summary":"TraderTraitor (also tracked as UNC4899, Jade Sleet, Slow Pisces, and PUKCHONG) is a North Korean state-sponsored cyber threat cluster operating under the Reconnaissance General Bureau (RGB), formally designated by the FBI, CISA, and U.S. Treasury as responsible for stealing billions of dollars in cryptocurrency from blockchain companies, exchanges, and developers since at least 2020. The cluster is most prominently attributed to the February 2025 Bybit heist — the largest cryptocurrency theft in history at approximately $1.5 billion — as well as the May 2024 DMM Bitcoin theft ($308 million), the July 2023 JumpCloud supply chain attack, and the April 2022 Ronin Network compromise ($620 million). Chainalysis estimates North Korean actors, dominated by TraderTraitor operations, stole $2.02 billion in 2025 alone, pushing their all-time attributed total to approximately $6.75 billion since 2017.","timeline":[{"date":"2022-04-18","event":"FBI, CISA, and U.S. Treasury issue joint advisory AA22-108A formally naming 'TraderTraitor' as a North Korean state-sponsored APT targeting blockchain companies with trojanized cryptocurrency applications.","source":"CISA / FBI / U.S. Treasury","source_url":"https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-108a"},{"date":"2022-03-23","event":"Ronin Network (Axie Infinity) bridge exploited for approximately $620 million in ETH and USDC. FBI later formally attributed the attack to Lazarus Group / APT38 (overlapping with TraderTraitor). Initial access traced to a fake job offer PDF delivered to a Sky Mavis engineer.","source":"CoinDesk","source_url":"https://www.coindesk.com/tech/2022/03/29/axie-infinitys-ronin-network-suffers-625m-exploit"},{"date":"2023-06-27","event":"UNC4899 (TraderTraitor) executes supply chain attack against JumpCloud, injecting malicious Ruby script into JumpCloud's command framework via spear phishing of JumpCloud employees. Fewer than five downstream cryptocurrency customers compromised. An OPSEC slip — direct connection from Pyongyang IP block — confirmed attribution.","source":"Mandiant / Google Cloud Blog","source_url":"https://cloud.google.com/blog/topics/threat-intelligence/north-korea-supply-chain"},{"date":"2024-03-28","event":"TraderTraitor actor posing as LinkedIn recruiter contacts Ginco employee with malicious Python script disguised as a pre-employment coding test, initiating the attack chain that ultimately leads to the $308 million DMM Bitcoin theft.","source":"FBI / The Record","source_url":"https://therecord.media/fbi-largest-crypto-hack-2024-tradertraitor"},{"date":"2024-05-31","event":"DMM Bitcoin (Japan) loses 4,502.9 BTC (~$308 million) after TraderTraitor actors use compromised session cookies to access Ginco's communications system and manipulate a legitimate DMM transaction.","source":"CoinDesk","source_url":"https://www.coindesk.com/policy/2024/12/24/north-korea-blamed-for-may-s-usd305m-hack-on-japanese-crypto-exchange-dmm"},{"date":"2024-07-18","event":"WazirX (India) loses approximately $234.9 million in digital assets from a multi-signature wallet. A joint statement by the U.S., South Korea, and Japan in January 2025 attributed the attack to North Korean Lazarus Group actors.","source":"Wikipedia / Business Standard","source_url":"https://en.wikipedia.org/wiki/2024_WazirX_hack"},{"date":"2024-12-24","event":"FBI, DC3, and Japan's NPA issue joint attribution statement formally linking TraderTraitor to the $308 million DMM Bitcoin theft. This is the first formal government attribution of a specific TraderTraitor incident to a named currency theft.","source":"FBI Press Release","source_url":"https://www.fbi.gov/news/press-releases/fbi-dc3-and-npa-identification-of-north-korean-cyber-actors-tracked-as-tradertraitor-responsible-for-theft-of-308-million-from-bitcoindmmcom"},{"date":"2025-02-21","event":"Bybit cold wallet transfer intercepted after TraderTraitor actors compromise a Safe{Wallet} developer machine and inject malicious JavaScript into the Safe{Wallet} AWS S3-hosted frontend. Approximately 400,000 ETH (~$1.5 billion) stolen — the largest cryptocurrency theft in history.","source":"CNBC / IC3","source_url":"https://www.cnbc.com/2025/02/21/hackers-steal-1point5-billion-from-exchange-bybit-biggest-crypto-heist.html"},{"date":"2025-02-26","event":"FBI issues IC3 PSA I-022625-PSA formally attributing the Bybit theft to North Korea's TraderTraitor, listing 51 Ethereum wallet addresses and urging industry to block related transactions.","source":"FBI / IC3","source_url":"https://www.ic3.gov/psa/2025/psa250226"},{"date":"2025-04-01","event":"Lazarus Group adopts ClickFix social engineering technique to deliver GolangGhost malware to cryptocurrency job seekers, as documented by security researchers. The campaign targets both Windows and macOS users via fake video interview platforms.","source":"The Hacker News","source_url":"https://thehackernews.com/2025/04/lazarus-group-targets-job-seekers-with.html"},{"date":"2025-12-18","event":"Chainalysis publishes 2025 crypto crime report, attributing $2.02 billion in cryptocurrency theft to North Korean actors — a record high — accounting for approximately 60% of all global crypto theft in 2025. Cumulative DPRK-attributed theft reaches approximately $6.75 billion since 2017.","source":"CoinDesk / Chainalysis","source_url":"https://www.coindesk.com/business/2025/12/18/north-korean-hackers-stole-a-record-usd2b-of-crypto-in-2025-chainalysis-says"},{"date":"2026-03-09","event":"Google Threat Intelligence Group (formerly Mandiant) publishes report on UNC4899's breach of an unnamed cryptocurrency firm after a developer AirDropped a trojanized archive to a corporate device. Attackers used living-off-the-cloud techniques to steal several million dollars via Kubernetes and Cloud SQL tampering.","source":"The Hacker News","source_url":"https://thehackernews.com/2026/03/unc4899-used-airdrop-file-transfer-and.html"},{"date":"2026-04-18","event":"KelpDAO exploited for approximately $292 million. TRM Labs attributes the attack to TraderTraitor based on pre-funding analysis traceable to known TraderTraitor laundering networks. Approximately $175 million converted to Bitcoin via THORChain.","source":"TRM Labs","source_url":"https://www.trmlabs.com/resources/blog/north-korea-stole-76-of-all-crypto-hack-value-in-2026-with-just-two-attacks"},{"date":"2026-04-30","event":"TRM Labs reports that North Korean hackers — including TraderTraitor — account for 76% of all crypto hack losses in the first four months of 2026, with $577 million stolen across two major attacks (KelpDAO and Drift Protocol).","source":"TRM Labs / The Block","source_url":"https://www.theblock.co/post/399569/north-korea-accounts-for-76-of-2026-crypto-hack-losses-with-theft-since-2017-topping-6-billion-trm-labs"}]},"v":1}
Verify offline (run on your own machine):
python -m src.verify_decision 4babb6d3-9a10-4e81-b45c-513ab3c079c9
How verification works. The “Row integrity” check above is computed in your browser — your machine recomputes the SHA-256 of the canonical bytes and compares against the stored hash. No avoid.net server can fake that check. The “full verify” link goes one level deeper: your browser fetches the on-chain transaction from a Solana RPC node and confirms the same hash is in the memo. If you don’t want to trust either avoid.net or the public RPC, run the CLI verifier on your own machine —
python -m src.verify_decision <event_id>.
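The two checks described above, written out as an added Python example; this is not avoid.net's own verifier (src.verify_decision is not reproduced here). It recomputes the SHA-256 of the canonical bytes, Base58-encodes the digest, compares it to the published row hash, and then checks that an on-chain memo string carries the same hash. The Base58 alphabet (Bitcoin's), the canonicalisation (sorted keys, compact JSON, UTF-8, consistent with the alphabetical key order visible in the row above) and the memo layout are assumptions, and the snapshot is a constructed, abbreviated stand-in for the real row.

```python
import hashlib
import hmac
import json

# Assumed: the Bitcoin Base58 alphabet (no 0, O, I, l).
BASE58_ALPHABET = b"123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

# Constructed, abbreviated stand-in for the audit row's canonical JSON snapshot.
SAMPLE_ROW = {"actor": "system:backfill", "kind": "publish",
              "page_slug": "tradertraitor-unc4899", "sequence_num": 1, "v": 1}


def b58encode(raw: bytes) -> str:
    """Base58-encode bytes; each leading zero byte becomes a leading '1'."""
    n = int.from_bytes(raw, "big")
    digits = bytearray()
    while n:
        n, rem = divmod(n, 58)
        digits.append(BASE58_ALPHABET[rem])
    pad = len(raw) - len(raw.lstrip(b"\x00"))
    return (BASE58_ALPHABET[:1] * pad + bytes(reversed(digits))).decode("ascii")


def canonical_bytes(row: dict) -> bytes:
    """Assumed canonicalisation: sorted keys, no whitespace, UTF-8."""
    return json.dumps(row, sort_keys=True, separators=(",", ":"),
                      ensure_ascii=False).encode("utf-8")


def row_hash(canonical: bytes) -> str:
    """The row's 'hash' column: sha256 of the canonical bytes, then base58."""
    return b58encode(hashlib.sha256(canonical).digest())


def check_row_integrity(canonical: bytes, stored_hash: str) -> bool:
    """The browser-side 'Row integrity' check: recompute and compare."""
    return hmac.compare_digest(row_hash(canonical).encode(), stored_hash.encode())


def check_memo(memo: str, stored_hash: str) -> bool:
    """The 'full verify' step: the memo fetched from the chain must carry the
    same hash. Memo layout is assumed to be whitespace-separated tokens."""
    return any(hmac.compare_digest(tok.encode(), stored_hash.encode())
               for tok in memo.split())


if __name__ == "__main__":
    canon = canonical_bytes(SAMPLE_ROW)
    stored = row_hash(canon)  # what the server published for this row
    print("row integrity:", check_row_integrity(canon, stored))
    # A server that silently edits the row cannot keep the published hash valid.
    tampered = canonical_bytes(dict(SAMPLE_ROW, sequence_num=2))
    print("tampered row:", check_row_integrity(tampered, stored))
    print("memo matches:", check_memo(f"avoid.net decision {stored}", stored))
```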