Web-app exploitation | Image: Ctrl-Alt-Intel
Cybersecurity researchers at Ctrl-Alt-Intel have released a detailed investigation into a systematic campaign targeting the heart of the cryptocurrency industry. The report exposes a threat actor that has been “systematically compromising cryptocurrency organisations: exploiting web application vulnerabilities, pillaging AWS tenants with valid credentials, and exfiltrating proprietary exchange software containing hardcoded secrets”.
The campaign’s reach is extensive, spanning the entire crypto supply chain from staking platforms and exchange software providers to the exchanges themselves.
The threat actors used mass scanning to identify targets vulnerable to React2Shell (CVE-2025-55182). In one instance, researchers recovered evidence that the group successfully exfiltrated the backend source code of a “USDT staking” product.
A review of the exfiltrated .env files revealed highly sensitive environment variables, including NEXT_PUBLIC_TRON_PRIVATE_KEY. Researchers also discovered a Python script using the web3 library to retrieve wallet balances, with transactions indicating that approximately 52.6 TRX was likely stolen during the exploitation window.
Perhaps the most sophisticated element of the attack was the “Amazon Kill Chain,” where the actor leveraged valid AWS access tokens to move laterally and exfiltrate proprietary data.
- Credential Validation: The actor used the AWS CLI to validate tokens and immediately began enumerating S3 buckets and RDS databases.
- Lateral Movement: By successfully updating the kubeconfig file via AWS Elastic Kubernetes Service (EKS), the actor pivoted to the victim’s Kubernetes cluster.
- Container Exfiltration: Once inside, the group authenticated to the Elastic Container Registry (ECR) and exfiltrated five Docker images containing “proprietary cryptocurrency exchange code, secrets, and internal configuration data”.
- Secret Pillaging: The group also “pillaged the AWS Secrets Manager service” to retrieve plaintext values for high-value API keys and database credentials.
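The four stages above leave a recognisable sequence of API calls in CloudTrail, which is where a defender would hunt for this chain. The following Python detector is an added example, not code from the Ctrl-Alt-Intel report: it groups CloudTrail records by access key and flags any key that walks the chain in order within a time window. It assumes standard CloudTrail field names, that `aws eks update-kubeconfig` is logged as an `eks:DescribeCluster` call, and uses constructed sample events with placeholder key IDs.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Chain stages as (eventSource, eventName) pairs, in the order the report describes.
STAGES = [
    ("validate",  {("sts.amazonaws.com", "GetCallerIdentity")}),
    ("enumerate", {("s3.amazonaws.com", "ListBuckets"), ("rds.amazonaws.com", "DescribeDBInstances")}),
    ("eks_pivot", {("eks.amazonaws.com", "DescribeCluster")}),  # what `aws eks update-kubeconfig` calls
    ("ecr_pull",  {("ecr.amazonaws.com", "GetAuthorizationToken"), ("ecr.amazonaws.com", "BatchGetImage")}),
    ("secrets",   {("secretsmanager.amazonaws.com", "GetSecretValue")}),
]

def _stage_of(event):
    key = (event["eventSource"], event["eventName"])
    return next((name for name, apis in STAGES if key in apis), None)

def find_kill_chains(records, window=timedelta(hours=2), min_stages=4):
    """Return {accessKeyId: [stages hit, in chain order]} for every access key whose
    calls cover at least `min_stages` stages, first seen in chain order, within `window`."""
    first_seen = defaultdict(dict)  # accessKeyId -> {stage: first timestamp}
    for rec in records:
        stage = _stage_of(rec)
        if stage is None:
            continue
        key = rec["userIdentity"].get("accessKeyId", "unknown")
        ts = datetime.fromisoformat(rec["eventTime"].replace("Z", "+00:00"))
        first_seen[key].setdefault(stage, ts)
    hits = {}
    for key, seen in first_seen.items():
        ordered = [name for name, _ in STAGES if name in seen]
        times = [seen[s] for s in ordered]
        if len(ordered) >= min_stages and times == sorted(times) and times[-1] - times[0] <= window:
            hits[key] = ordered
    return hits

def _ev(t, src, name, key):  # helper to build a minimal CloudTrail-shaped record
    return {"eventTime": t, "eventSource": src, "eventName": name, "userIdentity": {"accessKeyId": key}}

# Constructed sample: one stolen session token walks the full chain; an admin key only checks identity and lists buckets.
SAMPLE_EVENTS = [
    _ev("2025-12-10T03:00:00Z", "sts.amazonaws.com", "GetCallerIdentity", "ASIAEXAMPLESTOLEN1"),
    _ev("2025-12-10T03:00:05Z", "s3.amazonaws.com", "ListBuckets", "ASIAEXAMPLESTOLEN1"),
    _ev("2025-12-10T03:00:09Z", "rds.amazonaws.com", "DescribeDBInstances", "ASIAEXAMPLESTOLEN1"),
    _ev("2025-12-10T03:02:00Z", "eks.amazonaws.com", "DescribeCluster", "ASIAEXAMPLESTOLEN1"),
    _ev("2025-12-10T03:05:00Z", "ecr.amazonaws.com", "GetAuthorizationToken", "ASIAEXAMPLESTOLEN1"),
    _ev("2025-12-10T03:05:30Z", "ecr.amazonaws.com", "BatchGetImage", "ASIAEXAMPLESTOLEN1"),
    _ev("2025-12-10T03:10:00Z", "secretsmanager.amazonaws.com", "GetSecretValue", "ASIAEXAMPLESTOLEN1"),
    _ev("2025-12-10T09:00:00Z", "sts.amazonaws.com", "GetCallerIdentity", "AKIAEXAMPLEADMIN01"),
    _ev("2025-12-10T09:00:10Z", "s3.amazonaws.com", "ListBuckets", "AKIAEXAMPLEADMIN01"),
]

if __name__ == "__main__":
    print(find_kill_chains(SAMPLE_EVENTS))
```

Run against real CloudTrail exports by loading each record's `eventTime`, `eventSource`, `eventName` and `userIdentity`; the stage table can be extended with `ecr:GetDownloadUrlForLayer` or `secretsmanager:ListSecrets` if those fire first in your environment.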
The threat actor leveraged the VShell server for command and control (C2), alongside FRP (Fast Reverse Proxy) for persistent remote access. Interestingly, the FRP service was configured to run on port 53 (DNS), likely a tactical choice to blend in with legitimate network traffic.
Ctrl-Alt-Intel assesses with moderate confidence that this activity is linked to North Korean-affiliated (DPRK) operations. This assessment is based on:
- Targeting Patterns: Similarities to known DPRK groups like Trader Traitor (UNC4899), which has a history of targeting crypto supply chain providers.
- Cloud Tradecraft: The use of stolen session tokens to inject malicious code into S3-hosted frontends mirrors past DPRK heists.
- South Korean Infrastructure: The use of South Korean VPN nodes and VPS infrastructure could “complicate analysis by making activity appear to originate from a domestic South Korean actor”.
While the group did not execute a mass theft during the observation period, the “pattern of stealing backend source code, database credentials, private keys, and proprietary exchange software is consistent with pre-positioning for future theft”.