Profiling TradeTraitor: Tactics, History & Defenses

June 27, 2025


This post is part of our ongoing series on cloud-focused threat actors, designed to increase visibility and awareness of their methods, bolster your defenses, and help close the gap between traditional cyber threat intelligence (CTI) and cloud security. Each installment will spotlight some well-known and lesser-known adversaries in the cloud, providing a concise profile, mapped TTPs, and an incident response checklist.

Summary

  • Threat Actor: TradeTraitor (DPRK-nexus), a.k.a. Jade Sleet, UNC4899, Slow Pisces.
  • Motivation: State-affiliated seeking financial gain.
  • Targeting: AWS environments, cryptocurrency industry, and adjacent financial sectors.
  • Attack Types: Supply chain compromise, credential theft, cloud service abuse, etc.
  • Defenses: Enable AWS logging, enforce MFA and least-privilege IAM, secure endpoints & monitor network traffic, harden AWS services, rotate credentials, etc.

Overview

TradeTraitor is a DPRK-nexus threat actor assessed to be affiliated with North Korea’s Reconnaissance General Bureau. Primarily driven by state-sponsored revenue generation to evade sanctions and fund the regime’s nuclear weapons programs, they’ve executed some of the largest crypto heists on record: $625 million from the Ronin network hack (March 2022), $308 million from Bitcoin.DMM.com (May 2024), and $1.5 billion from Bybit (February 2025). However, there are also reports of secondary motivations against the defense industrial base for espionage purposes.

Emerging from the remnants of APT38 (the group behind the 2016 Bangladesh Bank heist), TradeTraitor has honed a toolkit of social engineering, cloud-service abuse, and supply-chain compromise. They favor highly targeted compromises, often via LinkedIn spearphishing or third-party compromises to harvest access and then leverage those into large-scale cryptocurrency withdrawals or unauthorized smart-contract upgrades.

In early 2022, TradeTraitor conducted a highly targeted LinkedIn spear-phishing campaign against an employee, posing as a recruiter offering a lucrative engineering role. An engineer downloaded a malicious job offer PDF onto their workstation, unknowingly installing malware that gave the threat actor access to the Ronin bridge network (a network used in creating games on a blockchain). Over the next few hours, they altered four key network nodes and a governance node to approve fraudulent withdrawals of roughly $625 million in ETH and USDC.

In March 2024, the threat actor posed as a recruiter on LinkedIn to trick a developer into hosting a malicious Python test script. At a later stage this foothold allowed the actor to steal session cookies and ultimately transfer 4,502.9 BTC into attacker-controlled wallets.

Most recently, in February 2025, TradeTraitor first compromised a developer’s macOS workstation, likely via social engineering, and immediately harvested the developer’s AWS session token. They conducted reconnaissance within the AWS environment (including an attempted MFA registration). Ultimately, they injected malicious JavaScript into the S3-hosted Next.js frontend, programmed to trigger only on a specific cryptocurrency cold-wallet, which rerouted approximately 400,000 ETH to actor-controlled addresses.

TTPs

All of the details below are also available in our GitHub repository, which provides background on each observed technique along with corresponding MITRE ATT&CK mappings, making it easy to map these insights directly to your cloud logs.

Overview of TTPs for TradeTraitor
Cloud Intrusion Table

| Tactic | ID | Technique | Procedure (Context) |
| --- | --- | --- | --- |
| Resource Development | T1586.003 | Establish Accounts: Cloud Accounts | The threat actor registered the domain getstockprice[.]com via Namecheap, establishing infrastructure for the initial access payload and AWS C2 traffic. |
| Initial Access | T1195.002 | Supply Chain Compromise: Compromise Software Supply Chain | The threat actor compromised Safe{Wallet}, a third-party wallet provider in Bybit's supply chain, by injecting malicious JavaScript into its AWS S3 bucket hosting app.safe.global. This manipulated Bybit's multisig transaction, resulting in the theft of $1.5 billion in ETH. |
| Initial Access | T1078.004 | Valid Accounts: Cloud Accounts | The threat actor compromised a Safe{Wallet} developer's macOS workstation, stealing AWS credentials (likely S3 or CloudFront API keys). These credentials granted access to Safe{Wallet}'s AWS infrastructure, enabling reconnaissance and subsequent S3 bucket manipulation. |
| Persistence | T1136.003 | Create Account: Cloud Account | There is a realistic probability that the threat actor created or modified IAM users/roles in Safe{Wallet}'s AWS environment to maintain access. While not publicly confirmed, the 12-day dwell time and modus operandi suggest IAM manipulation to ensure persistent S3 access. For example, the actor unsuccessfully attempted to register a virtual MFA device, indicating an attempt at establishing persistence. |
| Defense Evasion | T1562.008 | Impair Defenses: Disable or Modify Cloud Logs | The threat actor removed the malicious JavaScript from the S3 bucket, minimizing CloudTrail evidence (e.g., DeleteObject events). |
| Defense Evasion | T1578.002 | Modify Cloud Compute Infrastructure: Modify Security Groups | The threat actor injected malicious JavaScript into Safe{Wallet}'s AWS S3 bucket, targeting Bybit's Ethereum wallet. The code, hosted in _app-52c9031bfa03da47.js, altered transaction payloads. |
| Discovery | T1526 | Cloud Service Discovery | The threat actor almost certainly conducted reconnaissance in Safe{Wallet}'s AWS environment after gaining access with stolen credentials. Over a 12-day period, activities likely included understanding the AWS infrastructure and enumerating S3 buckets, IAM roles, or CloudFront distributions to identify the app.safe.global bucket for JavaScript injection. |
| Impact | T1496 | Resource Hijacking | Safe{Wallet}'s AWS S3 bucket was hijacked to host malicious JavaScript, enabling the theft. |
| Impact | T1657 | Financial Theft | The incident resulted in a $1.5 billion ETH theft from Bybit. |

Incident Response Steps

Here are several practical, universal, and high-impact steps to prepare for and respond to cloud-based attacks, including the TTPs mentioned above (this list isn’t exhaustive, but it highlights key areas where defenders can focus their efforts):

  1. Credential Abuse from Developer Environments: Identify and respond to stolen keys and session abuse.
  • Investigate:
    • Analyze CloudTrail Logs for first-time access key usage from new IPs or geolocations.
    • Correlate IAM Access Analyzer Logs with GuardDuty Findings for anomalous developer device logins or behavior.
    • Check AWS Config Logs for unauthorized role assumptions.
  • Harden:
    • Enforce short-lived tokens via IAM Temporary Credentials.
    • Mandate role-based access with IAM Roles.
    • Enable MFA for IAM Users.
    • Rotate compromised keys immediately.
  2. IAM Persistence Attempts: Catch stealthy identity manipulation for persistence.
  • Investigate:
    • Monitor CloudTrail Logs for new IAM users, keys, or MFA enrollments.
    • Review AWS Config Logs for policy attachments outside CI/CD workflows and GuardDuty Logs for failed virtual MFA registration attempts.
  • Harden:
    • Alert on unauthorized IAM changes via CloudWatch Alarms.
    • Enforce least-privilege policies.
    • Require approval for new IAM configurations outside automated pipelines.
  3. Log Evasion and Deletion: Ensure deleted or modified logs don't hinder investigations.
  • Investigate:
    • Validate CloudTrail Logs and AWS Config Logs integrity across all regions using CloudTrail Digest Files.
    • Check S3 Access Logs for DeleteObject actions in sensitive buckets and GuardDuty Findings for log tampering attempts.
  • Harden:
    • Enable S3 Object Lock on critical buckets.
    • Enforce CloudTrail Multi-Region Logging.
    • Configure CloudWatch Alarms for unauthorized log deletions.

Simple IR Runbook for TradeTraitor
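To make the three Investigate steps of the runbook concrete, here is an added example (not Invictus's code or a product query) that runs the checks over a few constructed CloudTrail records: a known access key appearing from a never-seen IP, an IAM persistence call (including a failed virtual MFA registration) from outside an assumed CI/CD egress IP, and a DeleteObject in a bucket that serves front-end code. The sample records, key IDs, IPs, bucket names and the CI/CD IP set are constructed placeholders.

```python
import json

# Constructed sample CloudTrail records (not real logs). Field names follow the
# CloudTrail event schema; key IDs, IPs and bucket names are placeholders.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventName": "ListBuckets", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"accessKeyId": "ASIAEXAMPLEKEY1"}},
    {"eventName": "ListBuckets", "sourceIPAddress": "198.51.100.77",
     "userIdentity": {"accessKeyId": "ASIAEXAMPLEKEY1"}},
    {"eventName": "CreateVirtualMFADevice", "errorCode": "AccessDenied",
     "sourceIPAddress": "198.51.100.77",
     "userIdentity": {"accessKeyId": "ASIAEXAMPLEKEY1"}},
    {"eventName": "DeleteObject", "sourceIPAddress": "198.51.100.77",
     "requestParameters": {"bucketName": "example-frontend", "key": "_app-example.js"},
     "userIdentity": {"accessKeyId": "ASIAEXAMPLEKEY1"}},
]})

# IAM calls that create identities, keys or MFA devices (runbook step 2).
PERSISTENCE_CALLS = {"CreateUser", "CreateAccessKey", "CreateLoginProfile",
                     "CreateVirtualMFADevice", "EnableMFADevice",
                     "AttachUserPolicy", "AttachRolePolicy", "PutUserPolicy"}
CICD_IPS = {"192.0.2.5"}  # assumed egress IPs of the CI/CD pipeline (placeholder)


def load_records(text):
    """Parse a CloudTrail log file ({"Records": [...]}) into a list of events."""
    return json.loads(text)["Records"]


def triage(events, sensitive_buckets, cicd_ips=CICD_IPS):
    """Return (rule, accessKeyId, eventName, sourceIP) findings in log order."""
    key_ips = {}  # accessKeyId -> set of source IPs seen so far (baseline)
    findings = []
    for ev in events:
        key = (ev.get("userIdentity") or {}).get("accessKeyId", "")
        ip = ev.get("sourceIPAddress", "")
        name = ev["eventName"]
        # Step 1: a key already in the baseline suddenly used from a new IP.
        if key in key_ips and ip not in key_ips[key]:
            findings.append(("new-ip-for-key", key, name, ip))
        key_ips.setdefault(key, set()).add(ip)
        # Step 2: IAM persistence outside CI/CD; a failed call (errorCode set,
        # like the attempted virtual MFA registration) is still an indicator.
        if name in PERSISTENCE_CALLS and ip not in cicd_ips:
            findings.append(("iam-persistence", key, name, ip))
        # Step 3: deletions in buckets that serve production front-end code.
        bucket = (ev.get("requestParameters") or {}).get("bucketName")
        if name == "DeleteObject" and bucket in sensitive_buckets:
            findings.append(("sensitive-delete", key, name, ip))
    return findings
```

In practice the baseline of key-to-IP pairs should be seeded from a clean historical window rather than learned from the same batch being triaged, so that the first record of an already-compromised key is not silently accepted as normal.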

For additional security considerations and detection queries, see Elastic's "Bit ByBit - emulation of the DPRK's largest cryptocurrency heist" and Sygnia's "Bybit – What We Know So Far".

Next Steps & Getting Help

If you spot any of these TTPs or indicators in your environment, or just want to become incident-ready in the cloud, contact our team. We’ll help you tighten your AWS defenses, refine your IR runbook, and stay ahead of TradeTraitor or other cloud-focused adversaries.

About Invictus Incident Response

We are an incident response company and we ❤️ the cloud and specialize in supporting organizations in preparing and responding to a cyber attack. We help our clients stay undefeated!

🆘 Incident Response support reach out to cert@invictus-ir.com or go to https://www.invictus-ir.com/24-7