TraderTraitor: North Korean State-Sponsored APT Targets Blockchain Companies
2022-04-18 • USCISA
FBI, CISA, and Treasury warned that North Korean actors tracked as Lazarus Group, APT38, BlueNoroff, and Stardust Chollima were targeting blockchain and cryptocurrency organizations to steal digital assets. The TraderTraitor campaigns used recruitment-themed spearphishing and other social engineering to induce employees at exchanges, DeFi projects, play-to-earn games, trading firms, venture funds, and high-value holders to install trojanized cryptocurrency applications on Windows or macOS. Those Electron/Node.js applications contacted project-domain update endpoints such as /oath/checkupdate.php, decrypted server responses with AES, wrote payloads to temporary directories, and executed Manuscrypt/COPPERHEDGE variants capable of system reconnaissance, command execution, and additional payload retrieval. The advisory highlights private-key theft and fraudulent blockchain transactions as the intended impact and provides TTPs and IOCs for cryptocurrency-sector defenders.
Indicators of Compromise
| Type | Value | First Seen | Last Seen |
|---|---|---|---|
| HASH | 9ba02f8a985ec1a99ab7b78fa678f26… | 2022-04-18 | 2026-04-03 |
| HASH | dced1acbbe11db2b9e7ae44a617f3c1… | 2022-04-18 | 2026-04-03 |
| IPv4 | 62.84.240.140 | 2022-04-18 | 2025-12-31 |
| IPv4 | 185.66.41.17 | 2022-04-18 | 2025-12-31 |
| HASH | 9a6307362e3331459d350a201ad66cd9 | 2022-04-18 | 2022-04-18 |
| HASH | 3f2c1e60b5fac4cf1013e3e1fc688be… | 2022-04-18 | 2022-04-18 |
| HASH | e3d98cc4539068ce335f1240deb1d72… | 2022-04-18 | 2022-04-18 |
| HASH | 1ca31319721740ecb79f4b9ee74cd9b0 | 2022-04-18 | 2022-04-18 |
| HASH | 8acd7c2708eb1119ba64699fd702ebd… | 2022-04-18 | 2022-04-18 |
| HASH | 48a6d5141e25b6c63ad8da20b954b56… | 2022-04-18 | 2022-04-18 |
| HASH | 765a79d22330098884e0f7ce692d61c… | 2022-04-18 | 2022-04-18 |
| HASH | b2d9ca7b6d1bbbe4864ea11dfca343b… | 2022-04-18 | 2022-04-18 |
| HASH | f3263451f8988a9b02268f0fb6893f7… | 2022-04-18 | 2022-04-18 |
| HASH | ff17bd5abe9f4939918f27afbe0072c… | 2022-04-18 | 2022-04-18 |
| HASH | 9d9dda39af17a37d92b429b68f4a8fc… | 2022-04-18 | 2022-04-18 |
| HASH | d5ff73c043f3bb75dd749636307500b… | 2022-04-18 | 2022-04-18 |
| HASH | 8e67006585e49f51db96604487138e6… | 2022-04-18 | 2022-04-18 |
| HASH | 8397ea747d2ab50da4f876a36d673272 | 2022-04-18 | 2022-04-18 |
| HASH | 930f6f729e5c4d5fb52189338e549e5e | 2022-04-18 | 2022-04-18 |
| HASH | 1c7d0ae1c4d2c0b70f75eab856327956 | 2022-04-18 | 2022-04-18 |
| HASH | ae9f4e39c576555faadee136c6c3b2d… | 2022-04-18 | 2022-04-18 |
| HASH | 9578c2be6437dcc8517e78a5de1fa975 | 2022-04-18 | 2022-04-18 |
| HASH | 867c8b49d29ae1f6e4a7cd31b6fe7e2… | 2022-04-18 | 2022-04-18 |
| HASH | 60b3cfe2ec3100caf4afde734cfd514… | 2022-04-18 | 2022-04-18 |
| HASH | 855b2f4c910602f895ee3c94118e979a | 2022-04-18 | 2022-04-18 |
| HASH | 5b40b73934c1583144f41d8463e2275… | 2022-04-18 | 2022-04-18 |
| HASH | f1606d4d374d7e2ba756bdd4df9b780… | 2022-04-18 | 2022-04-18 |
| HASH | 41f855b54bf3db621b340b7c59722fb… | 2022-04-18 | 2022-04-18 |
| HASH | d2a77c31c3e169bec655068e96cf4e7… | 2022-04-18 | 2022-04-18 |
| HASH | 5d43baf1c9e9e3a939e5defd8f8fbd8d | 2022-04-18 | 2022-04-18 |
| HASH | c2ea5011a91cd59d0396eb4fa8da7d21 | 2022-04-18 | 2022-04-18 |
| HASH | f0e8c29e3349d030a97f4a8673387c2… | 2022-04-18 | 2022-04-18 |
| HASH | 4e5ebbecd22c939f0edf1d16d68e8490 | 2022-04-18 | 2022-04-18 |
| HASH | 89b5e248c222ebf2cb3b525d3650259… | 2022-04-18 | 2022-04-18 |
| HASH | 53d9af8829a9c7f6f177178885901c01 | 2022-04-18 | 2022-04-18 |
| URL | https://aideck.net/board.php | 2022-04-18 | 2022-04-18 |
| URL | https://greenvideo.nl/wp-conten… | 2022-04-18 | 2022-04-18 |
| URL | https://infodigitalnew.com/wp-c… | 2022-04-18 | 2022-04-18 |
| URL | https://haciendadeclarevot.com/… | 2022-04-18 | 2022-04-18 |
| URL | https://dafnefonseca.com/wp-con… | 2022-04-18 | 2022-04-18 |
| URL | https://www.vinoymas.ch/wp-cont… | 2022-04-18 | 2022-04-18 |
| URL | https://sche-eg.org/plugins/top… | 2022-04-18 | 2022-04-18 |
| URL | https://www.alticgo.com/update/ | 2022-04-18 | 2022-04-18 |
| URL | https://www.esilet.com/update/ | 2022-04-18 | 2022-04-18 |
| DOMAIN | sche-eg.org | 2022-04-18 | 2022-04-18 |
| DOMAIN | infodigitalnew.com | 2022-04-18 | 2022-04-18 |
| DOMAIN | haciendadeclarevot.com | 2022-04-18 | 2022-04-18 |
| DOMAIN | tokenais.com | 2022-04-18 | 2022-04-18 |
| DOMAIN | greenvideo.nl | 2022-04-18 | 2022-04-18 |
| DOMAIN | aideck.net | 2022-04-18 | 2022-04-18 |
| DOMAIN | esilet.com | 2022-04-18 | 2022-04-18 |
| DOMAIN | alticgo.com | 2022-04-18 | 2022-04-18 |
| DOMAIN | creaideck.com | 2022-04-18 | 2022-04-18 |
| DOMAIN | dafnefonseca.com | 2022-04-18 | 2022-04-18 |
| DOMAIN | dafom.dev | 2022-04-18 | 2022-04-18 |
| DOMAIN | cryptais.com | 2022-04-18 | 2022-04-18 |
| IPv4 | 104.168.98.156 | 2022-04-18 | 2022-04-18 |
| IPv4 | 107.154.160.132 | 2022-04-18 | 2022-04-18 |
| IPv4 | 89.45.4.151 | 2022-04-18 | 2022-04-18 |
| IPv4 | 160.153.235.20 | 2022-04-18 | 2022-04-18 |
| IPv4 | 38.132.124.161 | 2022-04-18 | 2022-04-18 |
| IPv4 | 108.170.55.202 | 2022-04-18 | 2022-04-18 |
| IPv4 | 82.102.31.14 | 2022-04-18 | 2022-04-18 |
| IPv4 | 151.101.64.119 | 2022-04-18 | 2022-04-18 |
| IPv4 | 46.16.62.238 | 2022-04-18 | 2022-04-18 |
| IPv4 | 45.14.227.58 | 2022-04-18 | 2022-04-18 |
| IPv4 | 199.188.103.115 | 2021-03-23 | 2022-04-18 |
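The following script is an added example, not code from the advisory or from this page's publisher. It parses an excerpt of the IoC table above, then runs constructed proxy and EDR log lines against those indicators plus the `/oath/checkupdate.php` update-endpoint path named in the summary. Indicator values are copied from the table; entries the page shows truncated with an ellipsis are kept truncated and only ever prefix-matched, and each such hit is flagged so an analyst knows it is weaker evidence. The log lines, host names, the `IocMatcher`/`scan_log` names and the zero-padded SHA-256 used to exercise the prefix path are all constructed for this example.

```python
"""Match log lines against the TraderTraitor IoC table on this page.

Added example, not part of the CISA advisory. Indicator values are copied from
the table above (truncated ones keep their ellipsis); log lines are constructed.
"""
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

ELLIPSIS = "\u2026"

# Excerpt of the page's IoC table. Truncated entries stay truncated on purpose:
# the parser records that and only prefix-matches them.
IOC_TABLE = """\
| Type | Value |
|---|---|
| HASH | 9a6307362e3331459d350a201ad66cd9 |
| HASH | 9ba02f8a985ec1a99ab7b78fa678f26… |
| IPv4 | 62.84.240.140 |
| IPv4 | 185.66.41.17 |
| DOMAIN | esilet.com |
| DOMAIN | alticgo.com |
| URL | https://www.esilet.com/update/ |
| URL | https://greenvideo.nl/wp-conten… |
"""

# Behavioural indicator from the advisory text: the trojanized apps polled an
# update endpoint at this path on the project's own domain.
UPDATE_ENDPOINT_PATHS = ("/oath/checkupdate.php",)


@dataclass(frozen=True)
class Ioc:
    kind: str        # HASH, IPv4, DOMAIN, URL or PATH
    value: str       # indicator with any trailing ellipsis removed
    truncated: bool  # True -> value is only a prefix of the real indicator


@dataclass(frozen=True)
class Hit:
    ioc: Ioc
    observed: str
    note: str        # how the match was made, so analysts can weigh it


def parse_ioc_table(markdown: str) -> list[Ioc]:
    """Turn the Markdown table rows into Ioc records, marking truncated values."""
    iocs = []
    for raw in markdown.splitlines():
        cells = [c.strip() for c in raw.strip().strip("|").split("|")]
        if len(cells) < 2 or cells[0] in ("Type", "") or cells[0].startswith("-"):
            continue
        kind, value = cells[0], cells[1]
        truncated = value.endswith(ELLIPSIS) or value.endswith("...")
        if value.endswith(ELLIPSIS):
            value = value[:-1]
        elif value.endswith("..."):
            value = value[:-3]
        if kind in ("HASH", "DOMAIN"):
            value = value.lower()
        iocs.append(Ioc(kind, value, truncated))
    return iocs


HEX_RE = re.compile(r"\b[0-9a-fA-F]{32,64}\b")          # MD5 .. SHA-256
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
URL_RE = re.compile(r"https?://[^\s\"'<>]+")
HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)


class IocMatcher:
    """Indexes the parsed indicators and checks one log line at a time."""

    def __init__(self, iocs: list[Ioc], paths=UPDATE_ENDPOINT_PATHS):
        self.hashes = {i.value: i for i in iocs if i.kind == "HASH" and not i.truncated}
        self.hash_prefixes = [i for i in iocs if i.kind == "HASH" and i.truncated]
        self.ips = {i.value: i for i in iocs if i.kind == "IPv4"}
        self.domains = [i for i in iocs if i.kind == "DOMAIN"]
        self.urls = [i for i in iocs if i.kind == "URL"]
        self.paths = [Ioc("PATH", p, False) for p in paths]

    def match_line(self, line: str) -> list[Hit]:
        hits = []
        for h in HEX_RE.findall(line):
            h = h.lower()
            if h in self.hashes:
                hits.append(Hit(self.hashes[h], h, "exact"))
            for i in self.hash_prefixes:          # weaker: only a prefix is known
                if h.startswith(i.value):
                    hits.append(Hit(i, h, "prefix (truncated indicator)"))
        for ip in IPV4_RE.findall(line):
            if ip in self.ips:
                hits.append(Hit(self.ips[ip], ip, "exact"))
        for host in HOST_RE.findall(line):
            host = host.lower()
            for i in self.domains:                 # listed domain or any subdomain
                if host == i.value:
                    hits.append(Hit(i, host, "exact"))
                elif host.endswith("." + i.value):
                    hits.append(Hit(i, host, "subdomain"))
        for url in URL_RE.findall(line):
            for i in self.urls:
                if url.startswith(i.value):
                    note = "prefix (truncated indicator)" if i.truncated else "under listed URL"
                    hits.append(Hit(i, url, note))
            path = urlsplit(url).path
            for i in self.paths:
                if path == i.value:
                    hits.append(Hit(i, url, "update endpoint path from advisory"))
        return hits


def scan_log(matcher: IocMatcher, lines) -> list[tuple[int, Hit]]:
    """Return (line_number, hit) pairs for every indicator seen in the log."""
    return [(n, hit) for n, line in enumerate(lines) for hit in matcher.match_line(line)]


# Constructed log lines (not from the advisory). The SHA-256 on line 3 is
# made up: its first 31 hex digits equal the truncated table entry and the
# rest is zero padding, purely to exercise the prefix path.
SAMPLE_LOG = [
    "2022-04-20T09:12:01Z proxy host=ws-17 dst=62.84.240.140 url=https://www.esilet.com/update/check",
    "2022-04-20T09:12:05Z edr host=ws-17 event=process_start md5=9a6307362e3331459d350a201ad66cd9",
    "2022-04-20T09:13:40Z proxy host=ws-03 url=https://example.invalid/oath/checkupdate.php",
    "2022-04-20T09:14:02Z edr host=ws-03 event=file_write sha256=9ba02f8a985ec1a99ab7b78fa678f26" + "0" * 33,
    "2022-04-20T09:15:00Z proxy host=ws-08 url=https://docs.example.invalid/index.html",
]

if __name__ == "__main__":
    m = IocMatcher(parse_ioc_table(IOC_TABLE))
    for n, hit in scan_log(m, SAMPLE_LOG):
        print(f"line {n}: {hit.ioc.kind} {hit.ioc.value} <- {hit.observed} [{hit.note}]")
```

Line 0 produces three hits (the IP, the `esilet.com` domain via its `www` subdomain, and the listed update URL as a prefix), line 1 an exact MD5 match, line 2 a hit on the advisory's endpoint path alone, line 3 a prefix-only hash hit, and line 4 nothing. Before using this in production, replace the truncated hashes and URLs with the full values from the original advisory so those matches become exact rather than prefix-based.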