On February 21, the largest crypto heist ever started to unfold. Hackers gained control of a crypto wallet belonging to the world’s second-largest cryptocurrency exchange, Bybit, and stole almost $1.5 billion of digital tokens. They quickly shunted the money between dozens of cryptocurrency wallets and services to try and obscure the activity, before starting to cash the stolen funds out.
The eye-popping digital raid had all the hallmarks of being conducted by one of North Korea’s elite subgroups of hackers. While Bybit remained solvent by borrowing cryptocurrency and launched a bounty scheme to track down the stolen funds, the FBI quickly pinned the blame on the North Korean hackers known as TraderTraitor.
Before the Bybit heist, TraderTraitor had already been linked to other high-profile cryptocurrency thefts and compromises of supply chain software.
“We were waiting for the next big thing,” says Michael Barnhart, a longtime cybersecurity researcher focused on North Korea and investigator at security firm DTEX Systems. “They didn’t go away. They didn’t try to stop. They were clearly plotting and planning—and they’re doing that now,” he says.
North Korea’s hackers—alongside those from China, Russia, and Iran—are consistently considered to be one of the most sophisticated and most dangerous cyber threats to Western democracies. While all of these countries engage in espionage and theft of sensitive data, North Korea’s cyber operations come with their own set of distinct goals: helping to fund the hermit kingdom’s nuclear programs. Increasingly, that means stealing cryptocurrency.
Over at least the past five years, the totalitarian regime of Kim Jong-un has deployed technically skilled IT workers to infiltrate companies around the world and earn wages that can be sent back to the motherland. In some cases, after being fired, those workers extort their former employers by threatening to release sensitive data. At the same time, North Korean hackers, as part of the broad umbrella Lazarus Group, have stolen billions in cryptocurrency from exchanges and companies around the world. TraderTraitor makes up one part of the wider Lazarus group, which is run out of the Reconnaissance General Bureau, the North Korean intelligence agency.
TraderTraitor—which is also referred to as Jade Sleet, Slow Pisces, and UNC4899 by security companies—is primarily interested in cryptocurrency.
“They use a variety of creative techniques to get into blockchain, cryptocurrency, anything that has to do with platforms, trading forums, all of those different things that are around cryptocurrency and decentralized finance,” says Sherrod DeGrippo, the director of threat intelligence strategy at Microsoft. “The Jade Sleet group [TraderTraitor] is one of the most sophisticated groups within that echelon,” she says.
TraderTraitor first emerged around the start of 2022, multiple cybersecurity researchers say, and is likely an offshoot of the North Korean APT38 group that hacked the SWIFT financial system and attempted to steal $1 billion from the Central Bank of Bangladesh at the start of 2016. “They walked off with very little money,” says DTEX Systems’s Barnhart. “In that moment you had a real, significant shift.”
Barnhart says North Korea realized that relying on other people—such as money mules—could make their operations less effective. Instead, they could steal cryptocurrency. Two groups emerged from that tactical shift, Barnhart says, CryptoCore and TraderTraitor. “TraderTraitor is the most sophisticated of all,” he says. “And why? Because APT38 was the A team.”
