TraderTraitor / UNC4899
Summary
TraderTraitor (also tracked as UNC4899, Jade Sleet, Slow Pisces, and PUKCHONG) is a North Korean state-sponsored cyber threat cluster operating under the Reconnaissance General Bureau (RGB), formally designated by the FBI, CISA, and U.S. Treasury as responsible for stealing billions of dollars in cryptocurrency from blockchain companies, exchanges, and developers since at least 2020. The cluster is most prominently attributed to the February 2025 Bybit heist — the largest cryptocurrency theft in history at approximately $1.5 billion — as well as the May 2024 DMM Bitcoin theft ($308 million), the July 2023 JumpCloud supply chain attack, and the April 2022 Ronin Network compromise ($620 million). Chainalysis estimates North Korean actors, dominated by TraderTraitor operations, stole $2.02 billion in 2025 alone, pushing their all-time attributed total to approximately $6.75 billion since 2017.
Timeline (14 events)

2022-03-23
Ronin Network (Axie Infinity) bridge exploited for approximately $620 million in ETH and USDC. FBI later formally attributed the attack to Lazarus Group / APT38 (overlapping with TraderTraitor). Initial access traced to a fake job offer PDF delivered to a Sky Mavis engineer.
Source: CoinDesk

2022-04-18
FBI, CISA, and U.S. Treasury issue joint advisory AA22-108A formally naming 'TraderTraitor' as a North Korean state-sponsored APT targeting blockchain companies with trojanized cryptocurrency applications.
Source: CISA / FBI / U.S. Treasury

2023-06-27
UNC4899 (TraderTraitor) executes supply chain attack against JumpCloud, injecting a malicious Ruby script into JumpCloud's command framework via spear phishing of JumpCloud employees. Fewer than five downstream cryptocurrency customers compromised. An OPSEC slip — a direct connection from a Pyongyang IP block — confirmed attribution.
Source: Mandiant / Google Cloud Blog

2024-03-28
TraderTraitor actor posing as a LinkedIn recruiter contacts a Ginco employee with a malicious Python script disguised as a pre-employment coding test, initiating the attack chain that ultimately leads to the $308 million DMM Bitcoin theft.
Source: FBI / The Record

2024-05-31
DMM Bitcoin (Japan) loses 4,502.9 BTC (~$308 million) after TraderTraitor actors use compromised session cookies to access Ginco's communications system and manipulate a legitimate DMM transaction.
Source: CoinDesk

2024-07-18
WazirX (India) loses approximately $234.9 million in digital assets from a multi-signature wallet. A joint statement by the U.S., South Korea, and Japan in January 2025 attributed the attack to North Korean Lazarus Group actors.
Source: Wikipedia / Business Standard

2024-12-24
FBI, DC3, and Japan's NPA issue a joint attribution statement formally linking TraderTraitor to the $308 million DMM Bitcoin theft. This is the first formal government attribution of a specific TraderTraitor incident to a named cryptocurrency theft.
Source: FBI Press Release

2025-02-21
Bybit cold wallet transfer intercepted after TraderTraitor actors compromise a Safe{Wallet} developer machine and inject malicious JavaScript into the Safe{Wallet} AWS S3-hosted frontend. Approximately 400,000 ETH (~$1.5 billion) stolen — the largest cryptocurrency theft in history.
Source: CNBC / IC3

2025-02-26
FBI issues IC3 PSA I-022625-PSA formally attributing the Bybit theft to North Korea's TraderTraitor, listing 51 Ethereum wallet addresses and urging industry to block related transactions.
Source: FBI / IC3

2025-04-01
Lazarus Group adopts the ClickFix social engineering technique to deliver GolangGhost malware to cryptocurrency job seekers, as documented by security researchers. The campaign targets both Windows and macOS users via fake video interview platforms.
Source: The Hacker News

2025-12-18
Chainalysis publishes its 2025 crypto crime report, attributing $2.02 billion in cryptocurrency theft to North Korean actors — a record high — accounting for approximately 60% of all global crypto theft in 2025. Cumulative DPRK-attributed theft reaches approximately $6.75 billion since 2017.
Source: CoinDesk / Chainalysis

2026-03-09
Google Threat Intelligence Group (formerly Mandiant) publishes a report on UNC4899's breach of an unnamed cryptocurrency firm after a developer AirDropped a trojanized archive to a corporate device. Attackers used living-off-the-cloud techniques to steal several million dollars via Kubernetes and Cloud SQL tampering.
Source: The Hacker News

2026-04-18
KelpDAO exploited for approximately $292 million. TRM Labs attributes the attack to TraderTraitor based on pre-funding analysis traceable to known TraderTraitor laundering networks. Approximately $175 million converted to Bitcoin via THORChain.
Source: TRM Labs

2026-04-30
TRM Labs reports that North Korean hackers — including TraderTraitor — account for 76% of all crypto hack losses in the first four months of 2026, with $577 million stolen across two major attacks (KelpDAO and Drift Protocol).
Source: TRM Labs / The Block

Decision Log
- hash: 5yU58t7VvPS6QHGAZ8Say3REydWqv1STx9GwmS1fFcjs
This investigation is cryptographically anchored to the Solana blockchain and source URLs are archived via the Internet Archive.
model: claude-sonnet-4-6
generated: 6/3/2026, 12:08:07 AM
last updated: 6/3/2026, 12:08:12 AM