
Jade Sleet / TraderTraitor / UNC4899 / Pressure Chollima

jade_sleet_tradertraitor · north_korea · active since 2020

Jade Sleet / TraderTraitor / UNC4899 / Pressure Chollima (canonical US Government / FBI / CISA / Treasury naming "TraderTraitor" per the April 2022 joint advisory; Microsoft "Jade Sleet"; Mandiant / Google Threat Intelligence Group "UNC4899"; CrowdStrike "Pressure Chollima"; Proofpoint "TA444"; Palo Alto Networks Unit 42 "Slow Pisces"; industry research "Pukchong") is the Democratic People's Republic of Korea (DPRK) Reconnaissance General Bureau (RGB), likely 3rd Bureau of Foreign Intelligence, financially-motivated, cryptocurrency-focused subgroup of the broader Lazarus Group RGB ecosystem, with formal US Government attribution per the April 2022 FBI + CISA + Treasury joint advisory.

The cluster has operated publicly since 2020 (TraderTraitor era); its primary operational mission objectives are cryptocurrency theft to fund the DPRK regime's nuclear weapons program and to circumvent international sanctions.

It is operationally responsible for the largest cryptocurrency thefts in history, including the ByBit Safe{Wallet} $1.5B+ ETH heist (late 2024 / 2025, the largest crypto heist ever at time of writing) via macOS developer workstation compromise, AWS session token theft bypassing MFA, and Safe{Wallet} Next.js frontend JavaScript injection for transaction redirect, and the DMM Bitcoin $308M heist of May 2024, in which a Ginco developer was compromised through a bogus GitHub coding challenge delivering the RN Loader + RN Stealer Python malware for SSH key and session cookie theft, followed by exfiltration of 4,502.9 BTC.

Signature operational tradecraft: supply-chain compromise targeting cloud service providers (the June 22, 2023 JumpCloud sophisticated spear-phishing campaign against the zero-trust directory platform, with downstream cryptocurrency customers compromised via an init.rb malicious Ruby script delivered through the JumpCloud agent, the FULLHOUSE.DOORED and STRATOFEAR backdoors, the TIEDYE macOS Mach-O backdoor (xpc.protect), and macOS keychain targeting); GitHub + npm package compromise (July 2023 GitHub Security Lab disclosure of low-volume social engineering targeting blockchain, cryptocurrency, online gambling and cybersecurity sector employees via fake recruiter personas on GitHub, LinkedIn, Slack and Telegram with high-paying job offer lures and GitHub repository collaboration invites); trojanized cryptocurrency applications (DAFOM, TokenAIS, CryptAS, AppleJeus) with fraudulently-obtained code-signing certificates masquerading as legitimate trading / price-prediction tools; and ORB + L2TP IPsec + commercial VPN (ExpressVPN, NordVPN, TorGuard as final hop) multi-hop tunneling infrastructure.

Definitive DPRK attribution comes from a Mandiant-observed operational OPSEC fumble: UNC4899 connected directly to an attacker-controlled ORB from the Ryugyong-dong, Pyongyang 175.45.178.0/24 netblock.

The cluster is operationally distinct from sibling DPRK clusters in the corpus (lazarus_group parent umbrella; apt38_bluenoroff SWIFT bank theft; andariel; sapphire_sleet crypto theft via social engineering only; moonstone_sleet DeTankWar fake game; citrine_sleet; contagious_interview; kimsuky espionage; apt37_reaper espionage; darkseoul_operators, historical; all curated separately) through its signature supply-chain compromise tradecraft and cryptocurrency theft mission focus. It fills the DPRK supply-chain specialist cell in the curated corpus as the 11th DPRK cluster.

Attribution: north_korea (confidence: high) · 17 aliases
Sigma rules: 200 · YARA rules: 0 · Live IOCs: 0 · CVEs exploited: 0

Profile

Jade Sleet / TraderTraitor / UNC4899 / Pressure Chollima (canonical US Government / CISA / FBI / Treasury naming "TraderTraitor" per the April 2022 joint advisory; Microsoft canonical naming "Jade Sleet" per July 2023; Mandiant / Google Threat Intelligence Group canonical naming "UNC4899"; CrowdStrike canonical naming "Pressure Chollima"; Proofpoint canonical naming "TA444"; Palo Alto Networks Unit 42 canonical naming "Slow Pisces"; industry research naming "Pukchong") is the Democratic People's Republic of Korea (DPRK) Reconnaissance General Bureau (RGB), likely 3rd Bureau of Foreign Intelligence, financially-motivated, cryptocurrency-focused subgroup of the broader Lazarus Group RGB ecosystem. DPRK attribution operates at the highest confidence assessment level, with formal US Government attribution via the April 2022 FBI + CISA + Treasury joint advisory. Per a Mandiant-observed operational OPSEC fumble, UNC4899 connected directly to an attacker-controlled ORB from the Ryugyong-dong, Pyongyang 175.45.178.0/24 netblock, providing definitive North Korea attribution evidence. Active publicly since 2020 (TraderTraitor era), with primary operational mission objectives of cryptocurrency theft for DPRK regime nuclear weapons program funding and international sanctions circumvention. Operationally responsible for the largest cryptocurrency thefts in history: the ByBit Safe{Wallet} $1.5B+ ETH heist of 2024-25 (largest crypto heist ever at the time) and the DMM Bitcoin $308M heist of 2024.

Operational phases:
  • (1) Operational emergence (2020): trojanized cryptocurrency applications (DAFOM, TokenAIS, CryptAS) with fraudulently-obtained code-signing certificates, built on JavaScript + Node.js + Electron.
  • (2) AppleJeus earlier era: trojanized cryptocurrency wallet platform operations.
  • (3) FBI + CISA + Treasury joint advisory (April 2022): formal US Government attribution.
  • (4) JumpCloud supply chain compromise (June 22, 2023): sophisticated spear-phishing against the JumpCloud zero-trust directory platform; init.rb malicious Ruby script delivered via the JumpCloud agent; FULLHOUSE.DOORED + STRATOFEAR backdoors; TIEDYE evolving macOS backdoor (Mach-O, xpc.protect); macOS keychain targeting; fewer than 5 customers / fewer than 10 devices impacted.
  • (5) GitHub + npm social engineering (July 2023): fake recruiter personas on GitHub, LinkedIn, Slack and Telegram; high-paying job offer lures; GitHub repository collaboration invites. Targets: blockchain, cryptocurrency, online gambling and cybersecurity employees.
  • (6) Mandiant canonical UNC4899 disclosure (July 24, 2023): definitive Pyongyang attribution via OPSEC slip.
  • (7) DMM Bitcoin $308M heist (May 2024): Ginco developer compromised via a GitHub coding challenge; RN Loader + RN Stealer Python malware; SSH key + session cookie theft; 4,502.9 BTC exfiltrated.
  • (8) ByBit Safe{Wallet} $1.5B+ ETH heist (late 2024 / 2025): largest cryptocurrency heist in history; macOS developer workstation compromise via malicious Python app + Docker image; AWS session token theft bypassing MFA; Safe{Wallet} Next.js frontend JavaScript injection redirecting transactions.
  • (9) Continued operations (2024-2026): sustained operational tempo blending phishing with supply-chain tactics.

Signature operational tradecraft
  • Supply-chain compromise targeting cloud service providers (signature; cluster-defining): JumpCloud cloud identity provider compromise abusing privileged access to push malicious updates to downstream cryptocurrency customers. Pattern operationally extended into broader DPRK ecosystem 2023+ (3CX + X_TRADER + JumpCloud cluster of supply-chain compromises).
  • Trojanized cryptocurrency applications: signature malware family (DAFOM, TokenAIS, CryptAS, AppleJeus) with polished websites and fraudulently-obtained code-signing certificates.
  • GitHub + npm package compromise: signature 2023 tradecraft, malicious npm packages + GitHub repository collaboration lures.
  • Fake recruiter LinkedIn / Slack / Telegram personas: signature social engineering tradecraft offering high-paying jobs to entice cryptocurrency-industry employees.
  • macOS-targeting malware capability: signature TIEDYE Mach-O backdoor + macOS keychain targeting + malicious Python app + Docker image compromise.
  • AWS session token theft bypassing MFA: signature cloud-credential theft tradecraft enabling cloud-environment compromise without MFA challenge.
  • Safe{Wallet} Next.js frontend JavaScript injection: signature transaction-redirect tradecraft for cryptocurrency theft via web application compromise.
  • ORB + L2TP IPsec + commercial VPN infrastructure: signature multi-hop tunneling tradecraft for source address obfuscation.
  • Ryugyong-dong Pyongyang 175.45.178.0/24 attribution indicator: signature DPRK netblock revealed via OPSEC slip. The cluster fills the DPRK supply-chain specialist / cryptocurrency theft cell in this curated corpus, operationally the 11th DPRK cluster, distinct from sibling DPRK clusters (lazarus_group, apt38_bluenoroff, andariel, sapphire_sleet, moonstone_sleet, citrine_sleet, contagious_interview, kimsuky, apt37_reaper, darkseoul_operators, all curated separately) through signature supply-chain compromise tradecraft + cryptocurrency mission focus. Responsible for the largest cryptocurrency thefts in history at time of writing.

Aliases

17 aliases: tradertraitor, trader traitor, trader_traitor, jade_sleet, jade sleet, unc4899, unc 4899, pressure_chollima, pressure chollima, ta444, ta 444, slow_pisces, slow pisces, pukchong, jade_sleet_tradertraitor, tradertraitor apt, dprk crypto theft cluster

Notable Campaigns

9 campaigns:
  • 2024-2026: Continued Operations Through 2024-2026
  • 2024-2025: ByBit Safe{Wallet} $1.5B+ ETH Heist (Late 2024 / 2025)
  • 2024: DMM Bitcoin $308M Heist (May 2024)
  • 2023: JumpCloud Supply Chain Compromise (June 22, 2023)
  • 2023: GitHub + npm Social Engineering Campaign (July 2023)
  • 2023: Mandiant Canonical UNC4899 Disclosure (July 24, 2023)
  • 2023: Broader DPRK Supply Chain Pattern Context (3CX + X_TRADER)
  • 2022: FBI + CISA + US Treasury Joint Advisory, TraderTraitor Canonical US Government Attribution (April 2022)
  • 2020: TraderTraitor Operational Emergence (2020)

Attribution & Reporting

Attributed by:
  • FBI (US Federal Bureau of Investigation, April 2022 joint advisory)
  • CISA (US Cybersecurity and Infrastructure Security Agency, April 2022 joint advisory)
  • US Department of Treasury (April 2022 joint advisory)
  • Mandiant / Google Threat Intelligence Group (canonical UNC4899 naming)
  • Microsoft Threat Intelligence Center (Jade Sleet canonical naming, July 2023)
  • CrowdStrike (Pressure Chollima naming)
  • Proofpoint (TA444 naming)
  • Palo Alto Networks Unit 42 (Slow Pisces naming)
  • GitHub Security Lab (Alexis Wales, VP Security Operations, July 2023 disclosure)
  • JumpCloud (incident response, July 2023)
  • CrowdStrike (JumpCloud incident response provider, July 2023)
  • SentinelOne / SentinelLabs
  • Wiz Threat Research
  • Brandefense
  • Japan NPA (National Police Agency, public attribution of DMM Bitcoin theft)
  • Symantec / Broadcom Threat Hunter Team
  • SOPHOS X-Ops
  • Trend Micro
  • Citizen Lab (University of Toronto)
  • Codenotary
Key reporting:
  • FBI + CISA + US Treasury Joint Advisory AA22-108A, TraderTraitor canonical advisory (April 2022), formal US Government DPRK attribution
  • Mandiant (Google Cloud Threat Intelligence Group): North Korea Leverages SaaS Provider in a Targeted Supply Chain Attack (July 24, 2023), canonical UNC4899 / JumpCloud disclosure
  • GitHub Security Lab (Alexis Wales): Security alert: social engineering campaign targets technology industry employees (July 18, 2023), canonical GitHub / npm social engineering disclosure
  • Microsoft Threat Intelligence Center: Jade Sleet cluster operational tracking (July 2023+)
  • CrowdStrike: Pressure Chollima continued tracking
  • Proofpoint: TA444 continued tracking
  • Palo Alto Networks Unit 42: Slow Pisces continued tracking
  • JumpCloud: July 2023 incident update + IOC disclosure
  • SentinelOne / SentinelLabs: JumpCloud DPRK attribution (July 2023)
  • Wiz Threat Research: TraderTraitor Deep Dive (July 2025)
  • Brandefense: TraderTraitor APT 2025 Profile
  • Japan NPA (National Police Agency): DMM Bitcoin theft attribution to North Korea / Lazarus / TraderTraitor
  • Codenotary: Decoding the UNC4899 Supply Chain Attack
  • Symantec / Broadcom Threat Hunter Team: TraderTraitor adjacent tracking
  • SOPHOS X-Ops: TraderTraitor operational profile
  • MITRE ATT&CK Group G0032, Lazarus Group (encompasses TraderTraitor)
  • Malpedia Actor Profile: TraderTraitor

Operational

State sponsor

Democratic People's Republic of Korea (DPRK) Reconnaissance General Bureau (RGB), specifically the RGB's 3rd Bureau of Foreign Intelligence per Brandefense + industry consensus analysis. The DPRK attribution operates at the highest confidence assessment level across multiple major cybersecurity industry analysts AND has received formal US Government attribution via the April 2022 joint advisory from the FBI, Cybersecurity and Infrastructure Security Agency (CISA), and U.S. Department of Treasury.

Per Wiz Threat Research: "'TraderTraitor' was originally a codename used by the U.S. government to describe a cluster of North Korean state-sponsored cyber activity. In an April 2022 joint advisory, the FBI, CISA, and U.S. Treasury confirmed that the DPRK-backed entities behind TraderTraitor are tracked as Lazarus Group, APT38, BlueNoroff, and Stardust Chollima." The cluster operates as a financially-motivated subgroup of the broader Lazarus Group RGB ecosystem (parent cluster curated separately as lazarus_group.yaml in this corpus).

Per Mandiant / Google Threat Intelligence Group: "Mandiant assesses with high confidence that UNC4899 is a cryptocurrency-focused element within the DPRK's Reconnaissance General Bureau (RGB)." Vietnamese / Asian-aligned attribution is NOT applicable; DPRK attribution is formal and well-established. Attribution-evidence streams worth noting: (a) Mandiant operational OPSEC fumble evidence, per the Mandiant July 2023 disclosure: "We observed UNC4899 connecting directly to an attacker-controlled ORB from their 175.45.178[.]0/24 subnet", operationally identified as the Ryugyong-dong district of Pyongyang, North Korea netblock. Additionally: "we observed the DPRK threat actor log directly into a Pyongyang IP, from one of their jump boxes." Per Mandiant: "Our evidence supports that this was an OPSEC slip up since the connection to the North Korean netblock was short-lived." The direct connection from the Ryugyong-dong, Pyongyang IP block operationally provides definitive attribution evidence to North Korea.

(b) Operational infrastructure pattern, per Mandiant analysis: "RGB units utilize a series of Operational Relay Boxes (ORBs) using L2TP IPsec tunnels along with commercial VPN providers to obscure their source address. Mandiant observed UNC4899 utilize various VPN providers as a final hop, the most common being ExpressVPN, but connections to NordVPN, TorGuard and many other providers have also been observed." The ORB-plus-L2TP-IPsec-plus-commercial-VPN infrastructure tradecraft pattern is operationally consistent across RGB-aligned clusters in the curated corpus (lazarus_group, apt38_bluenoroff, andariel, sapphire_sleet, moonstone_sleet, citrine_sleet, contagious_interview).

(c) Operational overlap with sibling DPRK clusters, per Mandiant: "Mandiant has observed overlap amongst multiple North Korean groups that fall under the RGB. These groups commonly share infrastructure to complete their actions on objectives. Mandiant has observed UNC2970, APT43, and UNC4899 all utilize similar infrastructure." The infrastructure-sharing pattern is operationally consistent with RGB-controlled operational support providing common infrastructure across multiple sub-clusters. The operational mission objective is financially motivated: DPRK regime crypto theft to fund nuclear weapons programs and circumvent international sanctions.

Per Brandefense: "Unlike the espionage-focused branches of Lazarus, TraderTraitor mainly aims for financial gain. Its actions directly serve to generate funds for the DPRK regime, supporting nuclear weapons programs, evading international sanctions, and maintaining state operations." Operational significance: TraderTraitor is operationally responsible for some of the largest cryptocurrency thefts in history, the DMM Bitcoin $308M heist of 2024 and the ByBit $1.5B+ ETH heist of 2024-25, operationally elevating the cluster among the most consequential financially-motivated cyber-threat actors in publicly-tracked industry analysis.

Motivations
dprk_state_sanctions_evasion_financial_gain, cryptocurrency_theft_for_dprk_regime, blockchain_industry_targeting, cloud_service_provider_supply_chain_compromise, software_development_platform_targeting_via_github_npm, cryptocurrency_developer_targeting, cryptocurrency_exchange_compromise, fintech_targeting, dprk_nuclear_weapons_program_funding, international_sanctions_circumvention

Detection Blind Spots

60 techniques
Across this actor’s 60 mapped techniques, the share covered by each detection layer. Low bars are where you’d be blind if this actor targeted you.
  • Behavioral / log (Sigma): 58/60 · 96%
  • Analytics (MITRE CAR): 24/60 · 40%
  • Runtime / container (Falco): 10/60 · 16%
  • File / malware (YARA): 0/60 · 0%
  • Network (Suricata/Snort): 15/60 · 25%
  • Vuln scan (Nuclei): 0/60 · 0%

Atomic Test Plan

30 techniques
Runnable Atomic Red Team tests covering this actor’s mapped techniques, to validate your detections against this specific adversary. Cross-reference the blind spots above. For authorized lab / purple-team use.

Tools Used

0 mapped
Other tooling / TTPs (curation, not ATT&CK-mapped): malicious Docker image, malicious npm packages, malicious Python app lures, Safe{Wallet} Next.js frontend JavaScript injection, STRATOFEAR
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin