Skip to main content
Mallory
Back to threat actors
North Korea🇰🇵 KP27 malware families

TraderTraitor

Also known asjade sleetslow_piscesTraderTraitorUNC4899

TraderTraitor is a North Korea-linked, state-backed threat actor tracked as UNC4899 and also referred to in the provided content as Jade Sleet, Slow Pisces, and a subgroup or subset of the Lazarus Group. The actor is repeatedly associated with cryptocurrency and DeFi theft, laundering, and intrusion activity targeting exchanges, bridges, wallet infrastructure, blockchain service providers, and related cloud and Kubernetes environments. In the provided reporting, TraderTraitor is attributed with high confidence by LayerZero, Mandiant, and CrowdStrike to the April 2026 KelpDAO / LayerZero rsETH bridge exploit, in which approximately $292 million was stolen after compromise of infrastructure involved in cross-chain message verification. Reported tradecraft included social engineering of a developer, use of malware on macOS, theft of session keys, access to RPC infrastructure, poisoning of internal op-geth / RPC nodes, DDoS against external RPC providers to force failover, and causing a verifier to sign a forged message. The actor then used stolen rsETH as collateral on Aave to borrow real assets, and laundered proceeds through THORChain, Wasabi, Tornado Cash, and Umbra. The content also states that TraderTraitor was tied to the February 2025 Bybit Safe{Wallet} theft of roughly $1.5 billion in Ethereum, and references links to other cryptocurrency theft activity including BTCTurk and a parallel Drift-related context, though one source notes Drift may have involved a distinct North Korean group. The content describes TraderTraitor using patient social engineering and phishing, including approaches to employees via LinkedIn and Telegram, as well as malware-laced repositories or archives disguised as open-source collaboration. Reported post-compromise behavior includes harvesting cloud or session tokens, pivoting into cloud environments, reconnaissance of Kubernetes clusters, theft of high-privilege CI/CD service account tokens, lateral movement, persistence, compromise of systems containing customer information and credentials, and theft of digital assets. The FBI reporting in the content specifically identifies TraderTraitor as a North Korean actor and urges exchanges, bridges, RPC node operators, blockchain analytics firms, DeFi services, and other virtual asset service providers to block transactions involving Ethereum addresses used by the group to launder stolen assets. Known aliases in the provided content: UNC4899, Jade Sleet, Slow Pisces, and TraderTraitor. The content also places the actor within or under the broader Lazarus Group.

Share:
Are they targeting you?

Know when an actor pivots toward your sector

Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.

Start free trial
OPERATIONAL PROFILE

Targeting

Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.

Who they target

Sectors the actor has been observed targeting.

  • Financial Services

Where they're from

Attributed origin per open-source reporting.

  • KP
MITRE ATT&CK

Tradecraft

57 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.

15 of 15 tactics70 techniques×N= number of intelligence reports citing this technique
MITRE ATT&CK
TA0043
Reconnaissance
1 technique
T1589
Gather Victim Identity Information
TA0042
Resource Development
4 techniques
T1583
Acquire Infrastructure
T1583.003
Virtual Private Server
T1584×5
Compromise Infrastructure
T1586
Compromise Accounts
T1588
Obtain Capabilities
T1588.001
Malware
TA0001
Initial Access
5 techniques
T1078×6
Valid Accounts
T1133
External Remote Services
T1195×2
Supply Chain Compromise
T1195.001
Compromise Software Dependencies and Development Tools
T1199×5
Trusted Relationship
T1566
Phishing
T1566.001
Spearphishing Attachment
T1566.003×2
Spearphishing via Service
TA0002
Execution
4 techniques
T1059
Command and Scripting Interpreter
T1059.007
JavaScript
T1204×2
User Execution
T1204.002
Malicious File
T1574
Hijack Execution Flow
T1651
Cloud Administration Command
TA0003
Persistence
4 techniques
T1078×6
Valid Accounts
T1133
External Remote Services
T1505
Server Software Component
T1556
Modify Authentication Process
TA0004
Privilege Escalation
2 techniques
T1068×2
Exploitation for Privilege Escalation
T1078×6
Valid Accounts
TA0005
Stealth
8 techniques
T1027×2
Obfuscated Files or Information
T1036
Masquerading
T1070×5
Indicator Removal
T1070.004
File Deletion
T1070.009
Clear Persistence
T1078×6
Valid Accounts
T1497
Virtualization/Sandbox Evasion
T1497.003
Time Based Checks
T1574
Hijack Execution Flow
T1612
Build Image on Host
T1622
Debugger Evasion
TA0112
Defense Impairment
1 technique
T1556
Modify Authentication Process
TA0006
Credential Access
6 techniques
T1528
Steal Application Access Token
T1552
Unsecured Credentials
T1556
Modify Authentication Process
T1557
Adversary-in-the-Middle
T1606×2
Forge Web Credentials
T1649×3
Steal or Forge Authentication Certificates
TA0007
Discovery
4 techniques
T1082
System Information Discovery
T1497
Virtualization/Sandbox Evasion
T1497.003
Time Based Checks
T1526
Cloud Service Discovery
T1622
Debugger Evasion
TA0008
Lateral Movement
1 technique
T1210
Exploitation of Remote Services
TA0009
Collection
1 technique
T1557
Adversary-in-the-Middle
TA0011
Command and Control
8 techniques
T1008
Fallback Channels
T1071
Application Layer Protocol
T1090×4
Proxy
T1090.003×2
Multi-hop Proxy
T1102
Web Service
T1102.001
Dead Drop Resolver
T1105
Ingress Tool Transfer
T1219
Remote Access Tools
T1571
Non-Standard Port
T1573
Encrypted Channel
T1573.001
Symmetric Cryptography
TA0010
Exfiltration
2 techniques
T1041
Exfiltration Over C2 Channel
T1537
Transfer Data to Cloud Account
TA0040
Impact
5 techniques
T1496×2
Resource Hijacking
T1498×4
Network Denial of Service
T1499×6
Endpoint Denial of Service
T1565×6
Data Manipulation
T1657
Financial Theft
ARSENAL

Associated malware families

27 malware families attributed to this actor across reporting.

FamilyContextEvidenceLast seen
BeaverTailThe campaign targeted Web3 and decentralised finance (DeFi) developers globally via AI-generated fake job offers delivered through LinkedIn, using three interoperating malware families BeaverTail, OtterCookie, and InvisibleFerret in a phased infection chain that begins with a malicious coding assessment and culminates in full credential exfiltration and wallet drainage.2May 1, 2026
FudModuleThe 2022 introduction of Fudmodule advanced capabilities through direct kernel manipulation and zero-day exploitation in vulnerable drivers, Chrome, and Windows.2Mar 8, 2026
OtterCookieThe campaign targeted Web3 and decentralised finance (DeFi) developers globally via AI-generated fake job offers delivered through LinkedIn, using three interoperating malware families BeaverTail, OtterCookie, and InvisibleFerret in a phased infection chain that begins with a malicious coding assessment and culminates in full credential exfiltration and wallet drainage.2May 1, 2026
RN LoaderThese challenges require developers to run a compromised project, infecting their systems using malware named RN Loader and RN Stealer.2Mar 18, 2026
RN StealerThese challenges require developers to run a compromised project, infecting their systems using malware named RN Loader and RN Stealer.2Mar 18, 2026

22 additional families tracked in Mallory.

IOCS

Observables

79 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting. View more in app.

79 IOCsView more in app

IOC values are gated. View more in Mallory for domains, IPs, hashes, and other artifacts, or pipe them straight into your SIEM.

ACTIVITY FEED

Recent activity

20 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

20 SOURCESView more in app
thedefiantNews
Jun 1, 2026
Kelp DAO Hacker Has Laundered Nearly All $220M in Unfrozen Funds, Closing the Recovery Window - "The Defiant"

Attributed as the DPRK-linked actor behind the April Kelp DAO/LayerZero bridge exploit and tied to a parallel major crypto heist; the group laundered stolen funds through THORChain, Wasabi, Tornado Cash, and Umbra.

Read more
thedefiantNews
May 20, 2026
LayerZero's Incident Report Says Kelp Downgraded From 2-of-2 to 1-of-1 DVN Before $292M Exploit - "The Defiant"

Attributed with high confidence to the six-week compromise and exploit of the KelpDAO rsETH bridge, involving social engineering of a developer, malware deployment on macOS, theft of session keys, access to LayerZero RPC infrastructure, malicious modification of op-geth on Kubernetes clusters, and forged bridge attestations that enabled release of approximately $292M in rsETH.

Read more
lazarusholic blueskyNews
May 20, 2026
Post by @lazarusholic.bsky.social - Bluesky

Referenced in connection with the LayerZero Labs KelpDAO incident report.

Read more
dark readingNews
May 1, 2026
76% of All Crypto Stolen in 2026 Is Now in North Korea

North Korean threat group conducting major cryptocurrency theft operations against crypto exchanges and DeFi infrastructure, including the ByBit and Kelp incidents.

Read more
+195 more in the timeline
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: sector and geo overlap with your footprint, the IOCs they’re burning right now, detection coverage, and what to do next.
Start free trial
Target overlap

Match sector + geo + tech-stack targeting against your real footprint.

Tradecraft mapping57

Every observed MITRE ATT&CK technique, grouped by tactic.

Malware arsenal27

Families this actor is known to deploy, with IOCs and behavior.

Exploited CVEs

CVEs this actor has used in known campaigns.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Observables79

Domains, IPs, and hashes tied to this actor, refreshed continuously.