TraderTraitor is a DPRK-nexus threat actor known for pursuing state-sponsored financial gain to fund North Korea’s nuclear weapons programs and for engaging in espionage. TraderTraitor primarily targets AWS environments, the cryptocurrency industry, and adjacent financial sectors through supply chain compromise, credential theft, and cloud service abuse.
The group is responsible for major crypto heists, including $625 million from the Ronin network in March 2022, $308 million from Bitcoin.DMM.com in May 2024, and $1.5 billion from Bybit in February 2025. It employs highly targeted social engineering, such as LinkedIn spear-phishing, for initial access. Its tactics include establishing and maintaining cloud accounts, impairing defenses by modifying cloud logs, hijacking resources, and executing financial theft.
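For defenders, the log-modification tactic above can be watched for in AWS CloudTrail itself. The following is an added example, not taken from the original page or from any vendor report. The list of event names, the function `find_log_tampering` and the sample records are assumptions constructed for illustration.

```python
import json

# CloudTrail management calls that stop, delete or narrow logging. Assumption:
# generic AWS event names chosen for this example, not indicators from the page.
TAMPER_EVENTS = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}

def _rec(time, source, name, arn, ip, error=None):
    """Build one constructed record using CloudTrail's field names."""
    rec = {"eventTime": time, "eventSource": source, "eventName": name,
           "userIdentity": {"arn": arn}, "sourceIPAddress": ip}
    if error:
        rec["errorCode"] = error
    return rec

# Constructed sample log: placeholder account id, user name and documentation IP.
DEV = "arn:aws:iam::111122223333:user/example-dev"
CT = "cloudtrail.amazonaws.com"
SAMPLE_LOG = json.dumps({"Records": [
    _rec("2025-01-01T10:00:00Z", "signin.amazonaws.com", "ConsoleLogin", DEV, "198.51.100.7"),
    _rec("2025-01-01T10:02:00Z", CT, "DescribeTrails", DEV, "198.51.100.7"),
    _rec("2025-01-01T10:03:00Z", CT, "PutEventSelectors", DEV, "198.51.100.7", "AccessDenied"),
    _rec("2025-01-01T10:05:00Z", CT, "StopLogging", DEV, "198.51.100.7"),
]})

def find_log_tampering(raw_log):
    """Return one finding per CloudTrail call that changes or disables a trail."""
    findings = []
    for rec in json.loads(raw_log).get("Records", []):
        if rec.get("eventSource") != CT:
            continue  # only calls made against the CloudTrail service itself
        if rec.get("eventName") not in TAMPER_EVENTS:
            continue  # read-only calls such as DescribeTrails are ignored
        findings.append({
            "time": rec.get("eventTime"),
            "event": rec["eventName"],
            "actor": rec.get("userIdentity", {}).get("arn", "unknown"),
            "source_ip": rec.get("sourceIPAddress"),
            # A denied call is still reported: it shows intent before success.
            "outcome": "denied" if rec.get("errorCode") else "succeeded",
        })
    return findings

if __name__ == "__main__":
    for finding in find_log_tampering(SAMPLE_LOG):
        print(finding)
```

Findings from a check like this are only trustworthy if the trail is also delivered to a location the flagged principal cannot modify.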