{"id":613082,"date":"2024-12-25T01:49:03","date_gmt":"2024-12-25T01:49:03","guid":{"rendered":"https:\/\/insidebitcoins.com\/?p=613082"},"modified":"2024-12-25T01:51:15","modified_gmt":"2024-12-25T01:51:15","slug":"north-korean-hackers-steal-308m-in-bitcoin-from-dmm-bitcoin","status":"publish","type":"post","link":"https:\/\/insidebitcoins.com\/news\/north-korean-hackers-steal-308m-in-bitcoin-from-dmm-bitcoin","title":{"rendered":"North Korean Hackers Steal $308M in Bitcoin from DMM Bitcoin"},"content":{"rendered":"
Authorities from Japan and the United States have identified North Korean cyber actors as the culprits behind the theft of $308 million worth of cryptocurrency from DMM Bitcoin in May 2024. This cyber heist was officially attributed to North Korean-linked TraderTraitor threat activity, which is also recognized under aliases such as Jade Sleet, UNC4899, and Slow Pisces.

The hacking group's activities often involve highly coordinated social engineering efforts targeting multiple employees within the same organization simultaneously, according to statements from the U.S. Federal Bureau of Investigation (FBI), the Department of Defense Cyber Crime Center, and Japan's National Police Agency. This disclosure follows DMM Bitcoin's decision to cease its operations earlier this month as a direct result of the breach.

TraderTraitor is a persistent threat group that has been active since at least 2020. It frequently targets companies operating in the Web3 sector, often by enticing victims to download malware-infected cryptocurrency applications. This approach enables the group to facilitate theft on a significant scale.

In recent years, the group has executed a variety of attacks leveraging job-related social engineering tactics. These campaigns include reaching out to potential targets under the guise of recruiting or collaborating on GitHub projects, which often result in the distribution of malicious npm packages. One of the group's most infamous exploits was its unauthorized access to JumpCloud's systems last year, targeting a select group of downstream customers.

The attack on DMM Bitcoin followed a similar pattern. In March 2024, a TraderTraitor operative posed as a recruiter to approach an employee of Ginco, a cryptocurrency wallet software company based in Japan. The operative shared a malicious Python script hosted on GitHub, disguised as part of a pre-employment test. Unfortunately, the employee, who had access to Ginco's wallet management system, inadvertently compromised the company's security by copying the script to their personal GitHub account.

In mid-May 2024, the attackers escalated their efforts by exploiting session cookie information to impersonate the compromised Ginco employee. This allowed them to access Ginco's unencrypted communications system.

By late May 2024, the threat actors manipulated a legitimate transaction request from a DMM Bitcoin employee, ultimately stealing 4,502.9 BTC, valued at $308 million at the time. The stolen funds were traced to wallets under TraderTraitor's control.

This disclosure aligns with findings from Chainalysis, a blockchain intelligence firm, which also linked the DMM Bitcoin hack to North Korean cybercriminals. According to Chainalysis, the attackers exploited infrastructure vulnerabilities to execute unauthorized withdrawals.

🚨🇰🇵NORTH KOREAN HACKERS HIT IT BIG IN 2024

They doubled their 2023 haul, stealing $1.3 billion in crypto this year, according to Chainalysis.

Using tactics like posing as remote IT workers, they infiltrated firms to fund Pyongyang's weapons programs and dodge sanctions.

Major… pic.twitter.com/RppswOHaRC

— Mario Nawfal (@MarioNawfal) December 23, 2024

Recent Attack Strategies and the DMM Bitcoin Heist
\n