North Korea crypto supply chain hack: how to check if your wallet was affected
TraderTraitor strikes again: this time the entire crypto supply chain

The TraderTraitor hacker group, linked to the North Korean government and attributed by security firms to the Lazarus Group / UNC4899 unit, has executed one of the most sophisticated attacks on the crypto ecosystem: compromising the complete supply chain of staking platforms, stealing source code, private keys, and sensitive cloud data.

This is the same group responsible for the $1.5 billion theft from Bybit in February 2026 — the largest crypto hack in history. According to Ctrl-Alt-Intel's report, the attack compromised multiple supply chain platforms that provide infrastructure to hundreds of exchanges and wallets.

How the attack worked (supply chain)

Rather than directly hacking an exchange, TraderTraitor attacked infrastructure providers: the companies that write the code, libraries, and cloud services that exchanges depend on. This lets them compromise many targets at once.

| Attack Vector | What They Stole | Impact |
|---|---|---|
| Private GitHub repositories | Smart contract source code | Vulnerabilities for future exploits |
| Cloud buckets (AWS/GCP) | Private keys, API secrets | Direct access to funds |
| CI/CD servers | Environment variables, deploy tokens | Control over deployments |
| Malicious npm/pip dependencies | Backdoors in popular libraries | Silent node infection |
| Employee accounts | Internal access credentials | Long-term persistence |

Affected platforms

For active security reasons, research firms haven't published the full list. Ctrl-Alt-Intel confirms at least 12 staking platforms and 3 blockchain infrastructure providers were compromised. Full disclosure is expected in the coming days.

How to check if your wallet or exchange was affected

Here are the warning signs you should verify today:

  1. Unauthorized transactions: Check your full wallet history for the past 30 days on Etherscan (ETH), Solscan (SOL), or your blockchain's explorer
  2. Contract permissions: Use revoke.cash to view and revoke DeFi app permissions on your wallet
  3. Platform emails: Watch for official communications from affected platforms in the coming days
  4. API key activity: If you use exchange APIs, review your access history immediately

# Check active permissions on your Ethereum wallet:
# 1. Go to https://revoke.cash
# 2. Connect your wallet (MetaMask, WalletConnect)
# 3. Select your network (Ethereum, Polygon, BSC, etc.)
# 4. Revoke any permissions from contracts you don't recognize

# To verify recent Ethereum transactions:
curl "https://api.etherscan.io/api?module=account&action=txlist&address=YOUR_ADDRESS&startblock=0&endblock=99999999&sort=desc&apikey=YourApiKeyToken"
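
Added example, not part of the original article: a triage pass over the JSON that the txlist call above returns, flagging outgoing transfers and token approvals to addresses you do not recognize within the 30-day window from step 1. The sample response, all addresses, and the `triage` helper are constructed for illustration; the two selectors are the standard ERC-20 `approve` and ERC-721/1155 `setApprovalForAll` function selectors.

```python
APPROVE = "0x095ea7b3"               # approve(address,uint256)
SET_APPROVAL_FOR_ALL = "0xa22cb465"  # setApprovalForAll(address,bool)
MAX_UINT256 = 2**256 - 1

def triage(txs, my_address, known, now, window_days=30):
    """Return (hash, reason) for outgoing txs in the window that need manual review."""
    me, known = my_address.lower(), {a.lower() for a in known}
    cutoff = now - window_days * 86400
    findings = []
    for tx in txs:
        if int(tx["timeStamp"]) < cutoff or tx["from"].lower() != me:
            continue                      # too old, or not sent by this wallet
        if tx.get("isError") == "1":
            continue                      # reverted: no state change
        data = tx.get("input", "0x").lower()
        if data[:10] in (APPROVE, SET_APPROVAL_FOR_ALL) and len(data) >= 138:
            spender = "0x" + data[34:74]  # low 20 bytes of the first 32-byte argument
            arg2 = int(data[74:138], 16)  # allowance amount, or the approved flag
            if arg2 == 0 or spender in known:
                continue                  # a revocation, or a spender you recognize
            unlimited = arg2 == MAX_UINT256 or data[:10] == SET_APPROVAL_FOR_ALL
            kind = "unlimited approval" if unlimited else "approval"
            findings.append((tx["hash"], f"{kind} for unrecognized spender {spender}"))
        elif tx["to"].lower() not in known:
            eth = int(tx["value"]) / 1e18
            findings.append((tx["hash"], f"{eth:.4f} ETH to unrecognized {tx['to'].lower()}"))
    return findings

# Constructed sample in the shape of a txlist response (all addresses are made up).
ME, EXCHANGE, UNKNOWN, TOKEN = ("0x" + b * 20 for b in ("11", "22", "99", "33"))
NOW = 1_700_000_000

def _tx(h, days_ago, to, value="0", data="0x"):
    return {"hash": h, "timeStamp": str(NOW - days_ago * 86400), "from": ME,
            "to": to, "value": value, "input": data, "isError": "0"}

SAMPLE = {"status": "1", "message": "OK", "result": [
    _tx("0xa1", 2, EXCHANGE, "500000000000000000"),
    _tx("0xa2", 3, UNKNOWN, "1250000000000000000"),
    _tx("0xa3", 5, TOKEN, data=APPROVE + UNKNOWN[2:].rjust(64, "0") + "f" * 64),
    _tx("0xa4", 45, UNKNOWN, "1000000000000000000"),   # outside the 30-day window
]}

if __name__ == "__main__":
    for tx_hash, reason in triage(SAMPLE["result"], ME, {EXCHANGE}, NOW):
        print(tx_hash, reason)
```

The txlist action returns only normal transactions, so ERC-20 token transfers need a separate query (the `tokentx` action) before you treat a clean result as complete.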

Immediate actions if you use staking or DeFi

  • Move funds to a cold wallet (hardware wallet: Ledger, Trezor) if you have significant assets on staking platforms
  • Change all passwords on exchanges and enable 2FA with an authenticator app (not SMS)
  • Revoke DeFi permissions you don't actively use via revoke.cash or Debank
  • Set up monitoring alerts on Etherscan for your address
  • Never reuse compromised private keys: If a key was ever on a compromised server, consider that wallet dead

Common issues when responding to the hack

Issue 1: "I don't know how to check if my wallet was affected without technical tools." Solution: use DeBank — connect your wallet and go to the "Approval" section. It visually shows all contracts with permissions over your tokens.

Issue 2: "My funds are staked and I can't withdraw them immediately." ETH unbonding periods are 3-7 days. Solution: start the unstaking process now while you assess the risk. Meanwhile, change all platform credentials.

Issue 3: "How do I know if the exchange I use was compromised?" Solution: follow the exchange's official channels on X and Telegram. Compromised exchanges are legally required to notify. If you haven't received communication within 72 hours, contact support directly.

North Korea's pattern: stealing to fund the regime

According to Chainalysis analysis, North Korea-linked hackers stole over $3 billion in crypto between 2022 and 2025, funds used to finance the ballistic missile program. In my experience covering crypto security, TraderTraitor is the world's most sophisticated group in this space.

Written by
Jesús García

Passionate about technology and personal finance. I write about innovation, artificial intelligence, investing, and strategies to improve your finances. My goal is to make complex topics accessible to everyone.
