SEAL Releases Advisory on DPRK Threat to Crypto Exchanges

Less than 12 hours ago, DPRK operatives stole over US$1.5 billion in Ethereum from Bybit. This is an order of magnitude larger than their previous theft of over US$70 million from Phemex earlier this year, and equivalent to the cumulative amount stolen by DPRK throughout all of 2024.

Although the forensics investigation is not yet complete, SEAL and our partners have been actively assisting the Bybit team and we have strong reason to believe that TraderTraitor was responsible for this theft. TraderTraitor has compromised countless crypto exchanges in recent years and employs specific and recognizable tactics, techniques, and procedures (TTPs). Recently, SEAL has been assisting the FBI in notifying potential victims of TraderTraitor before they’re victimized, and today we are making public the advice that we’ve given to crypto exchanges when we suspect that they are at elevated risk of compromise by TraderTraitor. We hope that other crypto exchanges can use this advice to better protect themselves against the DPRK threat.

Methodology
TraderTraitor employs sophisticated social engineering techniques in order to establish an initial foothold. One common tactic is to create a fake recruiter persona and to reach out to employees via LinkedIn. More recently, TraderTraitor may also reach out over other platforms such as Telegram or Twitter.

Once connected, TraderTraitor will work to establish trust before deploying malware on the target’s machine. This can come in the form of a technical interview, where the target is instructed to clone a git repository and to install the dependencies and/or run the project, or in the form of a malicious attachment sent by a seemingly trustworthy source disguised as a PDF or other benign file.

From here, TraderTraitor will spend anywhere from days to months performing reconnaissance within internal systems in order to identify where private keys or other high value secrets are held, as well as who the high value targets are. TraderTraitor may also deploy additional malware, such as malicious Chrome extensions used to modify the contents of trusted websites.

Recommendations
SEAL recommends that all crypto exchanges perform the following steps as soon as possible:

• Conduct an internal review of all employees with production/IT access and determine if any have had contact with potential personas
• Review EDR systems to ensure that no anomalous activities have taken place
• Review devices/browsers to ensure that no unrecognized software/extensions have been installed

SEAL also recommends that all crypto exchanges which use on-chain multisigs adopt the following security measures:

• Use an isolated device (such as a Chromebook) for signing transactions
• Ensure the device is kept up-to-date and do not use the device for anything else
• Factory reset the device periodically (every 3-6 months)
• Ensure that signers are reviewing the transaction details on the hardware wallet, not just the browser. Tools such as this may help
• Conduct regular red team exercises to test signer preparedness towards malicious transactions, such as by inserting test transactions with unexpected parameters into the signing queue

For further questions, please contact [email protected]. If you believe you may be compromised by the DPRK, please message https://t.me/seal_911_bot.