Profiling TradeTraitor: Tactics, History & Defenses
This post is part of our ongoing series on cloud-focused threat actors, designed to increase visibility and awareness of their methods, bolster your defenses, and help close the gap between traditional cyber threat intelligence (CTI) and cloud security. Each installment will spotlight some well-known and lesser-known adversaries in the cloud, providing a concise profile, mapped TTPs, and an incident response checklist.
Summary
- Threat Actor: TradeTraitor (DPRK-nexus), a.k.a. Jade Sleet, UNC4899, Slow Pisces.
- Motivation: State-affiliated seeking financial gain.
- Targeting: AWS environments, cryptocurrency industry, and adjacent financial sectors.
- Attack Types: Supply chain compromise, credential theft, cloud service abuse, etc.
- Defenses: Enable AWS logging, enforce MFA and least-privilege IAM, secure endpoints & monitor network traffic, harden AWS services, rotate credentials, etc.
Overview
TradeTraitor is a DPRK-nexus threat actor assessed to be affiliated with North Korea’s Reconnaissance General Bureau. Primarily driven by state-sponsored revenue generation to evade sanctions and fund the regime’s nuclear weapons programs, they’ve executed some of the largest crypto heists on record: $625 million from the Ronin network hack (March 2022), $308 million from Bitcoin.DMM.com (May 2024), and $1.5 billion from Bybit (February 2025). However, there are also reports of secondary motivations against the defense industrial base for espionage purposes.
Emerging from the remnants of APT38 (the group behind the 2016 Bangladesh Bank heist), TradeTraitor has honed a toolkit of social engineering, cloud-service abuse, and supply-chain compromise. They favor highly targeted compromises, often via LinkedIn spearphishing or third-party compromises to harvest access and then leverage those into large-scale cryptocurrency withdrawals or unauthorized smart-contract upgrades.
In early 2022, TradeTraitor conducted a highly targeted LinkedIn spear-phishing campaign against an employee, posing as a recruiter offering a lucrative engineering role. An engineer downloaded a malicious job offer PDF onto their workstation, unknowingly installing malware that gave the threat actor access to the Ronin bridge network (a network used in creating games on a blockchain). Over the next few hours, they altered four key network nodes and a governance node to approve fraudulent withdrawals of roughly $625 million in ETH and USDC.
In March 2024, the threat actor posed as a recruiter on LinkedIn to trick a developer into hosting a malicious Python test script. That foothold was later used to steal session cookies and ultimately to transfer 4,502.9 BTC into attacker-controlled wallets.
Most recently, in February 2025, TradeTraitor first compromised a developer’s macOS workstation, likely via social engineering, and immediately harvested the developer’s AWS session token. They conducted reconnaissance within the AWS environment (including an attempted MFA registration). Ultimately, they injected malicious JavaScript into the S3-hosted Next.js frontend, programmed to trigger only on a specific cryptocurrency cold-wallet, which rerouted approximately 400,000 ETH to actor-controlled addresses.
TTPs
All of the details below are also available in our GitHub repository, which provides background on each observed technique along with corresponding MITRE ATT&CK mappings, making it easy to map these insights directly to your cloud logs.

Incident Response Steps
Here are several practical, universal, and high-impact steps to prepare for and respond to cloud-based attacks, including the TTPs mentioned above (this list isn’t exhaustive, but it highlights key areas where defenders can focus their efforts):
- Credential Abuse from Developer Environments: Identify and respond to stolen keys and session abuse.
  - Investigate:
    - Analyze CloudTrail Logs for first-time access key usage from new IPs or geolocations.
    - Correlate IAM Access Analyzer Logs with GuardDuty Findings for anomalous developer device logins or behavior.
    - Check AWS Config Logs for unauthorized role assumptions.
  - Harden:
    - Enforce short-lived tokens via IAM Temporary Credentials.
    - Mandate role-based access with IAM Roles.
    - Enable MFA for IAM Users.
    - Rotate compromised keys immediately.
- IAM Persistence Attempts: Catch stealthy identity manipulation for persistence.
  - Investigate:
    - Monitor CloudTrail Logs for new IAM users, keys, or MFA enrollments.
    - Review AWS Config Logs for policy attachments outside CI/CD workflows and GuardDuty Logs for failed virtual MFA registration attempts.
  - Harden:
    - Alert on unauthorized IAM changes via CloudWatch Alarms.
    - Enforce least-privilege policies.
    - Require approval for new IAM configurations outside automated pipelines.
- Log Evasion and Deletion: Ensure deleted or modified logs don’t hinder investigations.
  - Investigate:
    - Validate CloudTrail Logs and AWS Config Logs integrity across all regions using CloudTrail Digest Files.
    - Check S3 Access Logs for DeleteObject actions in sensitive buckets and GuardDuty Findings for log tampering attempts.
  - Harden:
    - Enable S3 Object Lock on critical buckets.
    - Enforce CloudTrail Multi-Region Logging.
    - Configure CloudWatch Alarms for unauthorized log deletions.
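As an added example (not code from the post or from the Invictus repository), the Python below runs the three "Investigate" checks above over CloudTrail-shaped records: first use of an access key from an IP outside its baseline, IAM identity changes made by anything other than the CI/CD role, and trail tampering or object deletion in the log bucket. The account id, ARNs, access key ids, bucket name and the ci-deploy role name are constructed assumptions.

```python
from collections import defaultdict

DEV = "arn:aws:iam::111122223333:user/dev-laptop"                 # constructed identities
CI_PREFIX = "arn:aws:sts::111122223333:assumed-role/ci-deploy/"    # assumed pipeline role
CI = CI_PREFIX + "run-42"

def rec(name, ip, arn, key, bucket=None):   # CloudTrail-shaped record, trimmed to the fields used
    r = {"eventName": name, "sourceIPAddress": ip, "userIdentity": {"arn": arn, "accessKeyId": key}}
    return {**r, "requestParameters": {"bucketName": bucket}} if bucket else r

# Constructed timeline: a developer key reused from a new IP, an MFA enrolment, then log deletion.
EVENTS = [
    rec("GetCallerIdentity", "198.51.100.7", DEV, "ASIADEVKEY0001"),
    rec("ListBuckets", "203.0.113.44", DEV, "ASIADEVKEY0001"),
    rec("CreateVirtualMFADevice", "203.0.113.44", DEV, "ASIADEVKEY0001"),
    rec("AttachUserPolicy", "10.0.5.12", CI, "ASIACIKEY00001"),
    rec("DeleteObject", "203.0.113.44", DEV, "ASIADEVKEY0001", "corp-cloudtrail-logs"),
    rec("StopLogging", "203.0.113.44", DEV, "ASIADEVKEY0001"),
]

IAM_PERSISTENCE = {"CreateUser", "CreateAccessKey", "CreateLoginProfile", "CreateVirtualMFADevice",
                   "EnableMFADevice", "AttachUserPolicy", "PutUserPolicy", "AttachRolePolicy"}
TRAIL_TAMPERING = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}
LOG_BUCKETS = {"corp-cloudtrail-logs"}    # assumed name of the CloudTrail delivery bucket

def new_ip_usage(events, baseline):
    """Report the first use of each access key from an IP outside its baseline {key: set(ips)}."""
    seen = defaultdict(set, {k: set(v) for k, v in baseline.items()})
    hits = []
    for e in events:
        key, ip = e["userIdentity"].get("accessKeyId"), e["sourceIPAddress"]
        if key and ip not in seen[key]:
            seen[key].add(ip)                       # each new (key, ip) pair is reported once
            hits.append((key, ip, e["eventName"]))
    return hits

def iam_persistence(events):
    """IAM identity changes made by any principal other than the CI/CD deploy role."""
    return [(e["userIdentity"]["arn"], e["eventName"]) for e in events
            if e["eventName"] in IAM_PERSISTENCE
            and not e["userIdentity"]["arn"].startswith(CI_PREFIX)]

def log_tampering(events):
    """Trail configuration changes, or object deletion inside a log bucket."""
    hits = []
    for e in events:
        bucket = e.get("requestParameters", {}).get("bucketName")
        if e["eventName"] in TRAIL_TAMPERING or (e["eventName"] == "DeleteObject" and bucket in LOG_BUCKETS):
            hits.append((e["eventName"], bucket))
    return hits
```

In production the baseline would be built from historical CloudTrail data and the records read from the delivery bucket or Athena rather than embedded inline.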

For additional security considerations and detection queries, see Elastic’s “Bit ByBit - emulation of the DPRK's largest cryptocurrency heist” and Sygnia’s “Bybit – What We Know So Far”.
Next Steps & Getting Help
If you spot any of these TTPs or indicators in your environment, or just want to become incident-ready in the cloud, contact our team. We’ll help you tighten your AWS defenses, refine your IR runbook, and stay ahead of TradeTraitor or other cloud-focused adversaries.
About Invictus Incident Response
We are an incident response company, we ❤️ the cloud, and we specialize in supporting organizations in preparing for and responding to a cyber attack. We help our clients stay undefeated!
🆘 For Incident Response support, reach out to cert@invictus-ir.com or go to https://www.invictus-ir.com/24-7