We value your privacy

We use cookies to enhance your browsing experience and analyze traffic anonymously for internal statistical purposes. By clicking “Accept all,” you consent to the use of cookies.

Customize Consent Preferences

We use cookies to help you navigate efficiently and perform certain functions. You will find detailed information about all cookies under each consent category below.

The cookies that are categorized as "Necessary" are stored on your browser as they are essential for enabling the basic functionalities of the site.... 

Always Active

Necessary cookies are required to enable the basic features of this site, such as providing secure log-in or adjusting your consent preferences. These cookies do not store any personally identifiable data.

  • Cookie
    cookieyes-consent
  • Duration
    1 year
  • Description

    CookieYes sets this cookie to remember users' consent preferences so that their preferences are respected on subsequent visits to this site. It does not collect or store any personal information about site visitors.

Functional cookies help perform certain functionalities like sharing the content of the website on social media platforms, collecting feedback, and other third-party features.

  • Cookie
    language
  • Duration
    1 anno
  • Description

    This cookie is used to store the user's language preference.

  • Cookie
    post_viewed_
  • Duration
    1 ora
  • Description

    This cookie prevents a single visit to an article from being counted multiple times when the page is refreshed.

Analytical cookies are used to understand how visitors interact with the website. These cookies help provide information on metrics such as the number of visitors, bounce rate, traffic source, etc.

  • Cookie
    _ga_*
  • Duration
    1 anno 1 mese 4 giorni
  • Description

    Google Analytics sets this cookie to count visitors to the page

  • Cookie
    _ga
  • Duration
    1 anno 1 mese 4 giorni
  • Description

    Google Analytics sets this cookie to calculate visitor, session, and campaign data and track site usage for site analytic reporting. The cookie stores information anonymously and assigns a randomly generated number to recognize unique visitors.

Performance cookies are used to understand and analyze the key performance indexes of the website which helps in delivering a better user experience for the visitors.

No cookies to display.

Advertisement cookies are used to provide visitors with customized advertisements based on the pages you visited previously and to analyze the effectiveness of the ad campaigns.

No cookies to display.

Threats

TraderTraitor: the crypto hacking attack that shocked the industry 

TraderTraitor is a cyber attack targeting cryptocurrencies. Learn the hackers' modus operandi and how to protect yourself from the threats

Tradertraitor's effects on the crypto sector

1 April 2025

Table of contents

  • Who is behind TraderTraitor? 
  • How does the Tradertraitor attack work? 
  • The impact of TraderTraitor on the crypto industry 
  • How to protect yourself from attacks like TraderTraitor 
  • Final thoughts: cyber security is an ongoing effort 

In recent years, the world of cryptocurrencies has been shaken by increasingly sophisticated cyber attacks. One of the most notorious is TraderTraitor, a cyber espionage campaign orchestrated by the Lazarus Group, a collective of hackers linked to North Korea.

This attack targeted numerous blockchain companies, exploiting advanced social engineering techniques to infiltrate victims’ systems and steal sensitive data and digital assets. 

In this article, we will analyze in detail how TraderTraitor works, who is behind it, and the best security measures to avoid falling victim to similar threats. 

Who is behind TraderTraitor? 

TraderTraitor has been attributed to the Lazarus Group, a cybercriminal organization that has been active for over a decade.

According to official sources, including the FBI and the Cyber Security and Infrastructure Security Agency (CISA) in the United States, this group operates under the control of the North Korean government and uses cyber attacks to finance clandestine operations, including the country’s nuclear program. 

Lazarus is no stranger to such operations. In the past, it has been responsible for major attacks such as the 2014 Sony Pictures hack, the $81 million theft from the Bank of Bangladesh in 2016, and numerous cryptocurrency exchange breaches, including the Ronin Network heist, which resulted in the theft of over $600 million in digital assets.  

Recently in March 2025, the attack on the Bybit exchange was reported for a loot of 1.5 billion dollars. 

How does the Tradertraitor attack work? 

The TraderTraitor attack relies on a combination of social engineering, advanced malware, and targeted phishing. The hackers focus on blockchain developers, crypto traders, and employees of fintech companies, tricking them into downloading malicious software or unintentionally providing sensitive information. 

The first step is usually an approach through social media, particularly LinkedIn and Twitter. The cybercriminals pose as recruiters from major tech companies, offering attractive job opportunities.

Once they establish trust, they send documents or executable files containing malware designed to take control of the victim’s device. 

Once the system is infected, hackers can: 

  • Steal login credentials for cryptocurrency exchange;
  • Access private keys from digital wallets;
  • Alter smart contracts and transactions to siphon funds;
  • Install backdoors for future access.

One of the most dangerous aspects of TraderTraitor is that victims often do not immediately realize their system has been compromised.

The malware can remain dormant for weeks, allowing hackers to monitor transactions and strike at the most opportune moment. 

The impact of TraderTraitor on the crypto industry 

TraderTraitor has had a devastating impact on the cryptocurrency sector. Several companies suffered multi-million dollar losses, and investors saw their funds vanish without a trace. 

One of the most significant effects has been the increase in regulations. Financial authorities, including the SEC in the United States and European counterparts, have introduced stricter rules for cryptocurrency trading platforms, enforcing tighter controls on KYC (Know Your Customer) and AML (Anti-Money Laundering) compliance. 

Additionally, the blockchain community has had to accelerate the development of cyber security tools. More secure hardware wallets, multi-factor authentication systems, and new transaction monitoring solutions have been introduced to prevent future attacks. 

Protect against attacks such as TraderTraitor

How to protect yourself from attacks like TraderTraitor 

Protecting yourself from cyber threats like TraderTraitor requires a multi-layered security approach. These attacks leverage social engineering, malware, and phishing to infiltrate systems and steal cryptocurrency assets.

Below, we’ll go beyond basic security measures by providing detailed explanations, real-world examples, and code snippets to help strengthen your defenses. 

1. Beware of unsolicited job offers 

One of the primary attack vectors used by TraderTraitor is fake job offers, especially through LinkedIn, Twitter, and email.

Attackers impersonate recruiters from legitimate tech and crypto companies to lure victims into downloading malicious software or sharing sensitive information

Example of a phishing email 

Here is an example of a phishing email used to distribute malw

plaintext 

From: careers@fake-company.com   

Subject: Exciting Job Opportunity at CryptoTech Ltd!   

Dear [Your Name],   

We are impressed by your experience in blockchain development and would love to invite you to apply for a senior developer position at CryptoTech Ltd.   

Please find the job description attached. Kindly review it and let us know a convenient time for an interview.   

Best Regards,   

Sarah Johnson   

HR Manager, CryptoTech Ltd   

Attachment: Job_Offer.pdf.exe

How to spot phishing attempts 

  • Check the sender’s email domain
    Many phishing emails use domains that look similar to real ones (e.g., @crypt0tech.com instead of @cryptotech.com). 
  • Avoid opening suspicious attachments
    Malware is often embedded in .zip, .pdf.exe, or .docm files. 
  • Verify job offers via official channels
    If you receive an offer, cross-check it on the company’s official website or call their HR department. 

2. Use updated security software 

Antivirus software, firewalls, and malware detection tools can prevent Trojan horses, keyloggers, and Remote Access Trojans (RATs) from infiltrating your system. 

Example: using ClamAV to scan for Malware (Linux & macOS) 

ClamAV is an open-source antivirus scanner that detects malware on your system. You can install and use it as follows: 

bash 

# Install ClamAV on Ubuntu 

sudo apt update && sudo apt install clamav -y 

# Update virus definitions 

sudo freshclam 

# Scan your home directory for malware 

clamscan -r /home/user/

For Windows users, software like Windows Defender, Malwarebytes, or Bitdefender offers robust protection. 

3. Enable Two-Factor Authentication (2FA) 

Even if your credentials are stolen, 2FA adds an extra layer of protection, requiring a secondary code from an authentication app or hardware key. 

Example: enabling 2FA for a crypto wallet (Python Code) 

You can use TOTP (Time-based One-Time Password) to authenticate your logins with Google Authenticator or Authy. 

python 

import pyotp 

# Generate a new secret key 

secret = pyotp.random_base32() 

print(f"Secret key: {secret}") 

# Generate a TOTP instance 

totp = pyotp.TOTP(secret) 

# Generate a one-time password (OTP) 

otp = totp.now() 

print(f"Your one-time password: {otp}") 

# Verify the OTP (User enters it) 

user_otp = input("Enter the OTP: ") 

if totp.verify(user_otp): 

    print("OTP is valid! Access granted.") 

else: 

    print("Invalid OTP. Access denied.")

4. Store cryptocurrencies in cold wallets 

Cold wallets (offline storage devices) are the safest way to store crypto assets because they are immune to online hacking attempts

Example: using Python to generate a cold wallet address 

Below is a simple Python script using the bitcoinlib library to create a Bitcoin cold wallet address

python 

from bitcoinlib.wallets import Wallet 

# Create a new cold wallet 

wallet = Wallet.create('ColdStorageWallet', keys='random', network='bitcoin', witness_type='segwit') 

# Display the first address 

address = wallet.get_key().address 

print(f"Your cold wallet address: {address}") 

# Backup wallet keys (Save these securely!) 

print(f"Wallet keys: {wallet.keys_info()}")

Cold storage options: 

  • Hardware wallets (e.g., Ledger, Trezor);
  • Paper wallets (Generated and stored offline);
  • Air-gapped computers (Never connected to the internet).

Never store large amounts of crypto on exchanges, as they are frequent targets for attacks. 

5. Monitor transactions for suspicious activity 

Regularly monitoring your wallet transactions can help detect unauthorized movements before it’s too late. 

Example: using Web3.py to monitor an Ethereum wallet 

This Python script checks the latest transactions from an Ethereum address using Web3: 

python 

from web3 import Web3 

# Connect to an Ethereum node (Infura or Alchemy) 

infura_url = "https://mainnet.infura.io/v3/YOUR_INFURA_PROJECT_ID" 

w3 = Web3(Web3.HTTPProvider(infura_url)) 

# Wallet address to monitor 

wallet_address = "0xYourEthereumAddress" 

# Fetch the latest block and check transactions 

latest_block = w3.eth.get_block('latest', full_transactions=True) 

for tx in latest_block.transactions: 

    if tx['to'] and tx['to'].lower() == wallet_address.lower(): 

        print(f"Incoming transaction detected: {tx}")

You can also set up email or SMS alerts using services like Etherscan API to notify you of suspicious transactions. 

Final thoughts: cyber security is an ongoing effort 

Protecting yourself from TraderTraitor attacks requires a combination of vigilance, security best practices, and technological safeguards. The key takeaways include: 

  • Avoid phishing scams by verifying recruiters and links;
  • Use strong security tools like ClamAV, Windows Defender, and anti-malware software;
  • Enable 2FA using Google Authenticator or TOTP-based authentication;
  • Store your crypto in cold wallets instead of leaving funds on exchanges;
  • Regularly monitor transactions for unusual activity. 

By implementing these strategies, you can significantly reduce the risk of falling victim to sophisticated cyber threats like TraderTraitor. Stay informed, proactive, and secure in the evolving world of cryptocurrency security.  

To conclude

TraderTraitor is one of the most sophisticated attacks ever recorded in the cryptocurrency industry. The methods used by the Lazarus Group demonstrate how targeted phishing and advanced malware can cripple even the most well-prepared companies. 

Although authorities are increasing oversight and companies are developing new cyber security solutions, the most effective protection remains user awareness.

Being cautious of suspicious communications, adopting advanced security measures, and securely storing digital assets are essential steps to defend against similar attacks. 

Questions and answers

  1. What is a Tradertraitor? 
    TraderTraitor is a cyber attack that targeted blockchain and cryptocurrency companies using phishing and advanced malware. 
  2. Who is behind TraderTraitor? 
    The attack has been attributed to the Lazarus Group, a collective of hackers linked to the North Korean government. 
  3. How does a TraderTraitor attack happen? 
    Hackers pose as recruiters, sending infected files to install malware and steal credentials. 
  4. What are the most severe TraderTraitor-related attacks? 
    One of the most notable was the theft of over $600 million from Ronin Network. 
  5. How can I protect myself from a similar attack? 
    By using 2FA, avoiding suspicious job offers, and storing cryptocurrencies in cold wallets. 
  6. Which exchanges have been targeted by TraderTraitor? 
    Exchanges like KuCoin, Coincheck, and Ronin Network have been affected by similar attacks. 
  7. Why does North Korea use cybercrime?
    Cyber attacks help fund secret operations, including the country’s nuclear program. 
  8. What are authorities doing to counter TraderTraitor? 
    The FBI and other agencies are collaborating with crypto companies to strengthen industry security. 
  9. Are hardware wallets safe against TraderTraitor? 
    Yes, hardware wallets significantly reduce the risk of theft compared to online exchanges. 
  10. Are there warning signs of a TraderTraitor attack? 
    Unsolicited job offers, suspicious files, and requests for sensitive data are indicators of potential phishing. 
4
To top