North Korean Hackers Linked to $308 Million DMM Bitcoin Heist
Japanese and U.S. authorities have formally attributed the $308 million crypto theft from DMM in May 2024 to North Korean cyber actors.
Author: Sahil Thakur
Written On: Thu, 26 Dec 2024 05:23:56 GMT
Japanese and U.S. authorities have formally attributed the $308 million cryptocurrency theft from DMM Bitcoin in May 2024 to North Korean cyber actors. The U.S. Federal Bureau of Investigation (FBI), Department of Defense Cyber Crime Center, and Japan’s National Police Agency identified the attackers as members of the TraderTraitor group, also known as Jade Sleet, UNC4899, and Slow Pisces.
Sophisticated Social Engineering Tactics
The theft stemmed from a social engineering campaign targeting multiple employees at the same time, a hallmark of TraderTraitor operations. The group has been active since at least 2020 and is notorious for using job-themed schemes and malicious GitHub projects to infect targets with malware.
In this case, attackers contacted an employee at Ginco, a Japan-based cryptocurrency wallet software company, in March 2024. Posing as recruiters, they sent a URL pointing to malicious Python code hosted on GitHub, framed as a pre-employment test. The compromised employee, who had access to Ginco’s wallet management system, unknowingly exposed sensitive credentials.
The Attack on DMM Bitcoin
In mid-May 2024, the threat actors exploited session cookies to impersonate the compromised employee and accessed Ginco’s unencrypted communications system. By late May, they manipulated a legitimate transaction request from a DMM Bitcoin employee, facilitating the theft of 4,502.9 BTC, worth $308 million at the time.
The stolen cryptocurrency was moved to TraderTraitor-controlled wallets. Blockchain intelligence firm Chainalysis revealed that the attackers used a Bitcoin CoinJoin mixing service to launder the funds before transferring portions through bridging services. The funds eventually ended up at HuiOne Guarantee, a marketplace tied to Cambodia’s HuiOne Group, which has previously been implicated in cybercrime activity.
DMM Bitcoin Shuts Down Operations
DMM Bitcoin, grappling with the fallout of the attack, ceased its operations earlier this month. The breach underscores the persistent threat North Korean groups pose to the cryptocurrency industry.
Broader Cyber Threat Landscape
The AhnLab Security Intelligence Center (ASEC) reported that Andariel, a subgroup of North Korea’s Lazarus Group, is deploying the SmallTiger backdoor in attacks targeting South Korean financial firms. These coordinated efforts highlight North Korea’s aggressive pursuit of cryptocurrency to fund its activities.