Title: SEAL Releases Advisory on DPRK Threat to Crypto Exchanges
Description: Everything you need to know about TraderTraitor, the DPRK hackers responsible for countless crypto exchange thefts

SEAL Releases Advisory on DPRK Threat to Crypto Exchanges

samczsun, Sat, Feb 22, 2025, 12:49 AM UTC

Less than 12 hours ago, DPRK operatives stole over US$1.5 billion in Ethereum from Bybit. This is an order of magnitude larger than their previous theft of over US$70 million from Phemex earlier this year, and equivalent to the cumulative amount stolen by DPRK throughout all of 2024. Although the forensics investigation is not yet complete, SEAL and our partners have been actively assisting the Bybit team, and we have strong reason to believe that TraderTraitor was responsible for this theft.

TraderTraitor has compromised countless crypto exchanges in recent years and employs specific and recognizable tactics, techniques, and procedures (TTPs). Recently, SEAL has been assisting the FBI in notifying potential victims of TraderTraitor before they are victimized, and today we are making public the advice that we have given to crypto exchanges when we suspect that they are at elevated risk of compromise by TraderTraitor. We hope that other crypto exchanges can use this advice to better protect themselves against the DPRK threat.

Methodology

TraderTraitor employs sophisticated social engineering techniques in order to establish an initial foothold. One common tactic is to create a fake recruiter persona and reach out to employees via LinkedIn. More recently, TraderTraitor may also reach out over other platforms such as Telegram or Twitter.
Once connected, TraderTraitor will work to establish trust before deploying malware on the target's machine. This can come in the form of a technical interview, where the target is instructed to clone a git repository and to install the dependencies and/or run the project, or in the form of a malicious attachment sent by a seemingly trustworthy source, disguised as a PDF or other benign file.

From here, TraderTraitor will spend anywhere from days to months performing reconnaissance within internal systems in order to identify where private keys or other high-value secrets are held, as well as who the high-value targets are. TraderTraitor may also deploy additional malware, such as malicious Chrome extensions used to modify the contents of trusted websites.

Recommendations

SEAL recommends that all crypto exchanges perform the following steps as soon as possible:

- Conduct an internal review of all employees with production/IT access and determine if any have had contact with potential personas
- Review EDR systems to ensure that no anomalous activities have taken place
- Review devices/browsers to ensure that no unrecognized software/extensions have been installed

SEAL also recommends that all crypto exchanges which use on-chain multisigs adopt the following security measures:

- Use an isolated device (such as a Chromebook) for signing transactions
- Ensure the device is kept up-to-date and do not use the device for anything else
- Factory reset the device periodically (every 3-6 months)
- Ensure that signers are reviewing the transaction details on the hardware wallet, not just the browser. Tools such as this may help
- Conduct regular red team exercises to test signer preparedness towards malicious transactions, such as by inserting test transactions with unexpected parameters into the signing queue

For further questions, please contact [email protected].
If you believe you may be compromised by the DPRK, please message https://t.me/seal_911_bot.
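As an added example of the "review devices/browsers for unrecognized extensions" step above (not SEAL's own tooling), the script below inventories a Chrome profile's Extensions directory and flags every extension ID that is not on an allowlist. It assumes Chrome's usual on-disk layout of Extensions/<id>/<version>/manifest.json; the demo profile, extension IDs, names and allowlist are constructed for illustration.

```python
import json
import sys
import tempfile
from pathlib import Path


def inventory_extensions(profile_dir):
    """Return {extension_id: [(version, name), ...]} for every extension under
    <profile>/Extensions/<id>/<version>/manifest.json (Chrome's on-disk layout)."""
    result = {}
    ext_root = Path(profile_dir) / "Extensions"
    if not ext_root.is_dir():
        return result
    for ext_dir in sorted(p for p in ext_root.iterdir() if p.is_dir()):
        for ver_dir in sorted(p for p in ext_dir.iterdir() if p.is_dir()):
            try:
                data = json.loads((ver_dir / "manifest.json").read_text(encoding="utf-8"))
            except (OSError, ValueError):
                data = {}  # still list it: an unreadable manifest is itself worth a look
            name = data.get("name", "<no manifest>")  # may be a __MSG_*__ locale key
            result.setdefault(ext_dir.name, []).append((data.get("version", ver_dir.name), name))
    return result


def audit_extensions(profile_dir, allowlist):
    """Return sorted (id, version, name) tuples for extensions whose ID is not allowlisted."""
    findings = []
    for ext_id, versions in inventory_extensions(profile_dir).items():
        if ext_id not in allowlist:
            findings.extend((ext_id, version, name) for version, name in versions)
    return sorted(findings)


def build_demo_profile():
    """Constructed fixture: a throwaway profile with one allowlisted and one unknown extension."""
    root = Path(tempfile.mkdtemp(prefix="chrome-demo-"))
    fixtures = {"a" * 32: ("1.2.3", "Corporate Password Manager"),  # constructed, allowlisted
                "b" * 32: ("0.0.1", "Wallet Helper")}                # constructed, unknown
    for ext_id, (version, name) in fixtures.items():
        ver_dir = root / "Extensions" / ext_id / version
        ver_dir.mkdir(parents=True)
        (ver_dir / "manifest.json").write_text(json.dumps({"name": name, "version": version}))
    return root


DEMO_ALLOWLIST = {"a" * 32}  # constructed: IDs approved by the exchange's IT team

if __name__ == "__main__":
    profile = Path(sys.argv[1]) if len(sys.argv) > 1 else build_demo_profile()
    for ext_id, version, name in audit_extensions(profile, DEMO_ALLOWLIST):
        print(f"UNRECOGNIZED extension {ext_id} v{version}: {name}")
```

Run it with a real profile path (for example ~/.config/google-chrome/Default on Linux, or ~/Library/Application Support/Google/Chrome/Default on macOS) and your own allowlist to audit a workstation; with no argument it audits the constructed demo profile.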