TraderTraitor: Deep Dive

2025-07-28 Wiz

https://www.wiz.io/blog/north-korean-tradertraitor-crypto-heist


The post presents TraderTraitor as a financially motivated North Korean activity cluster that steals cryptocurrency and other digital assets from blockchain businesses and the cloud-connected organizations that serve them. It ties the cluster to Lazarus Group, APT38, BlueNoroff, Stardust Chollima, Jade Sleet, TA444, UNC4899, and Slow Pisces, and cites government and industry attribution for major thefts, including the DMM Bitcoin and Bybit heists. Targets include cryptocurrency exchanges, DeFi platforms, crypto startups, venture funds, individual developers, and software or cloud service providers whose access can be pivoted into their downstream crypto customers. The tradecraft described includes recruiter lures over LinkedIn, Slack, and Telegram; fake coding challenges and GitHub collaborations; trojanized Electron and JavaScript trading applications; malicious npm dependencies; abuse of compromised code-signing; encrypted second stages delivered over C2, such as MANUSCRYPT; and cloud supply-chain abuse, exemplified by the JumpCloud compromise. The activity matters because it pairs state-sponsored intrusion tradecraft with rapid monetization, moving from an initial social-engineering or supply-chain foothold to compromise of wallets, transactions, and the surrounding infrastructure.

Indicators of Compromise

Type     Value               First Seen   Last Seen
DOMAIN   getstockprice.com   2025-03-11   2025-12-10
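The domain above is only useful if it is matched correctly against telemetry: a naive substring search flags unrelated names such as notgetstockprice.com and misses upper-case or trailing-dot spellings, while an anchored suffix check also catches subdomains. The script below is an added example for this page, not code from Wiz or the original post. The log format (timestamp, source IP, queried name) and every log line in it are constructed for illustration, including the look-alike names; only the indicator itself comes from the table.

```python
"""Match DNS / proxy log lines against the page's domain indicator.

Added example for this page, not code from Wiz or the original post.
The log format and sample lines are constructed; real telemetry differs.
"""
import re
from typing import Optional

# Indicator taken from the page's IoC table.
IOC_DOMAINS = {"getstockprice.com"}

# Constructed sample log lines (not real telemetry): "<ts> <src_ip> <qname>".
SAMPLE_LOGS = """\
2025-03-12T09:14:03Z 10.0.4.21 api.getstockprice.com
2025-03-12T09:14:05Z 10.0.4.21 GETSTOCKPRICE.COM.
2025-03-12T09:15:11Z 10.0.4.37 notgetstockprice.com
2025-03-12T09:16:40Z 10.0.4.37 getstockprice.com.evil-lookalike.net
2025-03-12T09:17:02Z 10.0.4.50 registry.npmjs.org
"""


def normalize_domain(name: str) -> str:
    """Lower-case and strip the trailing root dot so 'Example.COM.' == 'example.com'."""
    return name.strip().lower().rstrip(".")


def matches_ioc(qname: str, iocs=IOC_DOMAINS) -> Optional[str]:
    """Return the matching indicator if qname is the IoC itself or a subdomain of it.

    Matching is label-aware: 'api.getstockprice.com' matches, but
    'notgetstockprice.com' (substring hit) and
    'getstockprice.com.evil-lookalike.net' (IoC used as a prefix) do not.
    """
    q = normalize_domain(qname)
    for ioc in iocs:
        ioc_n = normalize_domain(ioc)
        if q == ioc_n or q.endswith("." + ioc_n):
            return ioc_n
    return None


# Three whitespace-separated fields; anything else is treated as malformed.
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")


def scan_logs(text: str) -> list[tuple[str, str, str]]:
    """Return (timestamp, src_ip, matched_ioc) for every line that hits an indicator."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the whole scan
        ts, src, qname = m.groups()
        ioc = matches_ioc(qname)
        if ioc:
            hits.append((ts, src, ioc))
    return hits


if __name__ == "__main__":
    for ts, src, ioc in scan_logs(SAMPLE_LOGS):
        print(f"{ts} {src} -> {ioc}")
```

Run against the constructed sample, only the two lines from 10.0.4.21 are reported; the substring and prefix look-alikes are ignored by design. Swap SAMPLE_LOGS for a real resolver or proxy export and adjust LINE_RE to that format.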
