Contagious Trader campaign - Coordinated weaponisation of cryptocurrency trading bots by suspected DPRK malware operators
Essential information
- Published
- 18/03/2026 10:49
- Modified
- 18/03/2026 11:21
- Tags
- 2026-03-18 beavertail bigsquatrat contagious trader cryptocurrency dprk exfiltration github golangghost invisibleferrett lazarus malware npm ottercookie pylangghost trading bots
- Related entities
- 5 observables, 1 intrusion sets (apt), 20 techniques (mitre), 7 malware, 11 others
Description
The Contagious Trader campaign is a sophisticated malware operation targeting cryptocurrency users, attributed to North Korea with high confidence. It involves malicious cryptocurrency trading bot projects on GitHub that exfiltrate sensitive data and private keys using various techniques, including malicious npm dependencies. The campaign demonstrates overlaps with known North Korean tactics, particularly those of FAMOUS CHOLLIMA, including the use of GitHub, npm, and Vercel infrastructure, Base64-encoded payload URLs, and anonymizing VPNs for npm package publishing. The operation represents a shift in tactics, expanding beyond the previous Contagious Interview campaign to target a broader range of cryptocurrency users.