TraderTraitor
A North Korea-linked threat cluster (part of the Lazarus umbrella) that the FBI blames for several of the largest exchange thefts, including Bybit ($1.5B), DMM Bitcoin ($305M), and the Ronin/Axie bridge. It favors social-engineering of employees and supply-chain compromises.
Also known as: Jade Sleet, UNC4899, Slow Pisces
On attribution: TraderTraitor is a North Korea-linked cluster within the broader Lazarus/RGB umbrella. Attributions are those of the cited authorities (FBI and partner agencies).
Overview
TraderTraitor is the name U.S. agencies use for a North Korea-linked cyber actor (overlapping with the Lazarus umbrella; also tracked by industry as Jade Sleet, UNC4899, and Slow Pisces). It specializes in high-value cryptocurrency theft via targeted social engineering — often impersonating recruiters or business contacts to compromise employees — and via software supply-chain attacks. The name originally referred to a 2022 campaign pushing trojanized crypto trading apps. [1][2]
Tactics
The group frequently contacts employees of crypto firms (developers, operations, finance) with fake job offers, "coding tests," or partnership pitches, then delivers malware or harvests credentials/session tokens. It has also poisoned software dependencies (e.g. npm packages) to reach downstream targets. A recurring hallmark is targeting several employees of the same company at once. [1][2]
Notable incidents
- Bybit (Feb 2025, ~$1.5B) — the largest crypto heist on record; the actor compromised the Safe{Wallet} signing interface so signers approved a malicious transaction. [1]
- DMM Bitcoin (May 2024, ~$305M) — compromised an employee at wallet vendor Ginco via a fake "pre-employment test," then manipulated a legitimate transaction. [2]
- Ronin / Axie Infinity bridge (2022, ~$625M) — the cluster is also linked to this theft, which began with a fake job lure to a Sky Mavis engineer.
Bracketed numbers refer to the numbered sources listed below.
Linked scams & cases
- Bybit hack (Attributed actor; Exchanges & platforms): The largest crypto theft on record: about $1.5B in Ether was stolen from the Bybit exchange on February 21, 2025. The FBI attributed it to North Korea (TraderTraitor/Lazarus), which compromised the Safe{Wallet} signing interface to redirect a routine cold-wallet transfer.
- DMM Bitcoin hack (Attributed actor; Exchanges & platforms): About $305M (4,502.9 BTC) was stolen from the Japanese exchange DMM Bitcoin in May 2024. The FBI, DC3, and Japan's NPA attributed it to North Korea's TraderTraitor, which used a fake-recruiter lure to compromise an employee at wallet vendor Ginco. DMM later wound down.
Sources (2)
See also
- Angel Drainer (Organizations & groups): A wallet-drainer-as-a-service operation (≈85/15 affiliate/developer split) specialized in EVM chains. Most notably, Angel Drainer malware was used in the December 2023 Ledger Connect Kit supply-chain attack, which drained roughly $500K–$600K from DeFi users in a few hours.
- Monkey Drainer (Organizations & groups): An early, prolific wallet-drainer-as-a-service crew (active into early 2023) that focused on high-value NFTs and is estimated to have facilitated roughly $13–16.5M in theft before announcing it was 'shutting down' and pointing affiliates to rival drainers.
- Ledger Connect Kit hack (Projects)
This page was last updated on Jun 8, 2026.