Key Highlights
- North Korea-linked hackers targeted crypto platforms and staking services, stealing source code, private keys, and sensitive cloud data across the entire supply chain.
- Attackers exploited AWS credentials, Docker, and Kubernetes, showing advanced cloud hacking skills.
- Security firm Ctrl-Alt-Intel attributes the campaign to TraderTraitor (UNC4899), the same group behind the $1.5 billion Bybit hack and the 2023 JumpCloud supply chain breach.
A hacking campaign tied to North Korea has hit multiple cryptocurrency platforms, staking services, and exchange software vendors. According to security firm Ctrl-Alt-Intel, the attackers exploited vulnerabilities in web applications and misused stolen AWS login credentials to infiltrate cloud environments and steal sensitive data.
As per the findings report, the attack affected the entire crypto supply chain, raising worries about possible future theft of digital assets. The hackers focused on stealing backend source code, Docker container images, and configuration files that contained sensitive information like passwords and keys.
Ctrl-Alt-Intel reported that the attackers used valid AWS credentials to explore cloud storage, Terraform files, Lambda functions, and Kubernetes clusters. They also ran large-scale scans to find React2Shell vulnerabilities in web applications, showing both their skill and the wide reach of the campaign.
Exploitation tactics and infrastructure
The attackers demonstrated highly advanced cloud hacking skills. They first checked that their access worked using AWS commands and quickly mapped out storage and database resources. Then, they copied Terraform configuration files, which can contain passwords, admin accounts, and internal network details, to find valuable information.
They also stole Docker images from Amazon’s container registry and explored Kubernetes pods to grab secrets stored in configuration files and AWS Secrets Manager. Ctrl-Alt-Intel confirmed that five Docker images were taken, all containing proprietary code for cryptocurrency exchanges.
The hackers operated through infrastructure based in South Korea, specifically the server 64.176.226[.]36 and the domain itemnania[.]com. They also used FlyVPN services to hide their true location. The report notes that security teams often focus on IPv4 addresses, so using IPv6 helped the attackers evade detection.
Attribution and threat context
Ctrl-Alt-Intel thinks it’s likely that North Korea-linked hackers carried out the attacks, probably the group called TraderTraitor (UNC4899). This group has a documented pattern of targeting crypto supply chain providers. It has previously targeted companies that provide software to crypto platforms, including JumpCloud in 2023 and Safe{Wallet}/ByBit in 2025. In those earlier attacks, they also misused AWS credentials and set up systems for possible future theft.
However, researchers caution that some details remain unclear. They do not know exactly how the hackers got the AWS credentials, and they didn’t find any malware uniquely tied to North Korea.
The attackers used tools called VShell and FRP to control systems remotely—tools often associated with Chinese hackers but publicly available. As a result, investigators rely on patterns of activity, the infrastructure used, and attack methods to connect the attacks to TraderTraitor rather than a single technical clue.
The attack represents a severe supply chain compromise. By stealing proprietary code and infrastructure blueprints today, these attackers are laying the groundwork for catastrophic financial exploits in the future.
Also Read: Vitalik Warns of ‘Authoritarian Wave,’ Calls for Rethinking Crypto Governance
