TraderTraitor: The Kings of the Crypto Heist


Barnhart says North Korea realized that relying on other people, such as money mules, could make its operations less efficient. Instead, it could steal cryptocurrency directly. Two groups emerged from that tactical shift, Barnhart says: CryptoCore and TraderTraitor. “TraderTraitor is the most sophisticated of all,” he says. “And why? Because APT38 was the A team.”

Since then, TraderTraitor has been linked to a number of large-scale cryptocurrency thefts in recent years. For example, the March 2024 theft of $308 million from Japan-based cryptocurrency firm DMM has been attributed to TraderTraitor by the FBI, the Department of Defense, and police in Japan.

TraderTraitor typically targets people working at Web3 companies with spear-phishing messages, most often people working on software development. “They know the people who work at these companies, they monitor them, they have profiles on them, they know which trading platforms are doing the most volume. They're focused on that whole industry, understanding it backwards and forwards,” says Microsoft's DeGrippo.

GitHub, which is owned by Microsoft, highlighted in July 2023 how TraderTraitor created fake accounts on the coding platform, as well as on LinkedIn, Slack, and Telegram. The TraderTraitor operators either create fake personas that they use to message their targets or use real accounts that have been compromised, GitHub's analysis says. In that instance, TraderTraitor invited developers to collaborate on GitHub before ultimately infecting them with malware delivered through malicious code. More recently, security researchers at Palo Alto Networks' Unit 42 threat intelligence team found 50 North Korean recruiter profiles on LinkedIn and linked them back to TraderTraitor.

The group has been seen using “custom backdoors,” such as PLOTTWIST and TIEDYE, that target macOS, says Adrian Hernandez, a senior threat analyst at Google's Threat Intelligence Group. “These are often heavily obfuscated to prevent detection and thwart analysis,” Hernandez says. “Once UNC4899 [TraderTraitor] has gained access to valid credentials, we've observed this threat actor moving laterally and accessing other accounts to access hosts and systems, keeping a low profile and aiming to evade detection.”

Once the North Korean hackers have their hands on cryptocurrency or digital wallets, the money laundering usually follows a similar pattern, as cryptocurrency tracing firm Elliptic outlined in a blog post breaking down the Bybit hack. To avoid having cryptocurrency wallets frozen, they quickly swap stolen tokens, which are often issued by centralized entities and can have restrictions placed upon them, for more mainstream cryptocurrency assets like ether and bitcoin that are harder to restrict.

“The second step of the laundering process is to ‘layer’ the stolen funds in order to attempt to conceal the transaction trail,” Elliptic writes. This means splitting the funds into smaller amounts and sending them to multiple wallets. With Bybit, Elliptic writes, money was sent to 50 different wallets that were then emptied over the following days. This cryptocurrency is then moved through various cryptocurrency exchanges, converted into bitcoin, and passed through crypto mixers that aim to obscure crypto transactions.

“North Korea is the most sophisticated and well-resourced launderer of crypto assets in existence, continually adapting its techniques to evade identification and seizure of stolen assets,” Elliptic says in its blog post.
