CISA Cybersecurity Alerts 4.18.22
Ep 11 | 4.18.22

CISA Alert AA22-108A – TraderTraitor: North Korean state-sponsored APT targets blockchain companies.


This is a CISA Cybersecurity Alert. ID number Alpha Alpha Two Two tack One Zero Eight Alpha.


​​Original release date: April Eighteenth, twenty twenty two.


This joint Cybersecurity Advisory highlights the threat associated with cryptocurrency theft and tactics used by a North Korean state-sponsored APT since at least 2020. This group is tracked by the cybersecurity industry as Lazarus Group, APT38, and Stardust Chollima.


The US government has observed the North Korean cyber actors targeting organizations in the blockchain technology and crypto industry, including exchanges, decentralized finance protocols, play-to-earn crypto video games, trading companies, venture capital funds investing in crypto, and individual holders of large amounts of crypto or NFTs. The activity described in this advisory involves social engineering to encourage individuals to download trojanized cryptocurrency applications on Windows or macOS operating systems. The cyber actors then use the applications to gain access to the victim’s computer, propagate malware across the victim’s network, and steal private keys or exploit other security gaps. These activities enable additional follow-on activities that initiate fraudulent blockchain transactions.


Intrusions begin with a large number of spearphishing messages sent to employees of cryptocurrency companies working in system admin or DevOps roles. The messages often mimic a recruitment effort and offer high-paying jobs to entice the recipients to download malware-laced cryptocurrency applications, which the US government refers to as "TraderTraitor."


“TraderTraitor” is a series of malicious applications written using cross-platform JavaScript code with the Node.js runtime environment using the Electron framework. The malicious applications claim to be cryptocurrency trading or price prediction tools. TraderTraitor campaigns feature websites with modern design advertising the alleged features of the applications. The alert documentation linked in the show notes includes figures and screenshots of this website and malicious code functions.

The alert documentation also provides further information on the threat actor TTPs and indicators of compromise for stakeholders in the blockchain technology and crypto industry. The North Korean cyber actors use a full array of tactics and techniques to exploit computer networks of interest, acquire sensitive intellectual property, and gain financial assets. The US government recommends all organizations and entities in this industry review and implement the strategies found in the mitigation section of this alert.


All organizations should report incidents and anomalous activity to CISA’s 24/7 Operations Center at or (888) 282-0870 and to the FBI via your local FBI field office or the FBI’s 24/7 CyWatch at (855) 292-3937 or


This report was written by CISA, the United States Cybersecurity and Infrastructure Security Agency, and edited and adapted for audio by the CyberWire as a public service. Please visit www dot cisa dot gov to read the full report which may include additional details, links, and illustrations. A link to this report can be found in the show notes.


This has been a CISA Cybersecurity Alert.