Identifying North Korean Cyber Actors: TraderTraitor Investigation by FBI, DC3, and NPA

The FBI, together with the Department of Defense Cyber Crime Center (DC3) and the National Police Agency of Japan, has issued a public warning about the theft of $308 million in cryptocurrency from the Japan-based company DMM by North Korean cyber actors in May 2024. These cyber actors are linked to TraderTraitor threat activity and are also tracked as Jade Sleet, UNC4899, and Slow Pisces. TraderTraitor is known for targeted social engineering in which multiple employees of the same company are approached at the same time.
The theft began in late March 2024 when a North Korean cyber actor posed as a recruiter on LinkedIn and contacted an employee at Ginco, a cryptocurrency wallet software company in Japan. The actor sent a malicious Python script disguised as a pre-employment test, which the employee unknowingly copied to their personal GitHub page, leading to a compromise of their system. By mid-May 2024, TraderTraitor actors used session cookie information to impersonate the compromised employee and gain access to Ginco’s unencrypted communications system. This access was then used in late May 2024 to manipulate a legitimate transaction request by a DMM employee, resulting in the loss of 4,502.9 BTC, valued at $308 million at the time.
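The pivot in the chain above was a stolen session cookie: once the actors held it, the application treated their requests as the compromised Ginco employee's. One defensive check a practitioner would want is to flag a session identifier that reappears from a client context different from the one it was issued to. The following is an added example, not code from the FBI/NPA advisory or from Ginco or DMM; it assumes a JSON-per-line application log with the fields `ts`, `event`, `session`, `user`, `ip` and `ua` (all field names and the log lines themselves are constructed for the example).

```python
"""Detect reuse of a session id from a different client fingerprint.

Constructed example for illustration; field names are assumptions and the
sample log uses documentation IP ranges (203.0.113.0/24, 198.51.100.0/24).
"""
import json
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class Event:
    ts: datetime
    event: str
    session: str
    user: str
    ip: str
    ua: str


def parse_line(line: str) -> Event:
    """Parse one JSON log record into an Event (assumed log layout)."""
    rec = json.loads(line)
    return Event(
        ts=datetime.fromisoformat(rec["ts"]),
        event=rec["event"],
        session=rec["session"],
        user=rec["user"],
        ip=rec["ip"],
        ua=rec["ua"],
    )


def detect_session_reuse(lines):
    """Return alerts for session ids used outside their issuing context.

    A 'login' event records the (ip, user-agent) fingerprint the session was
    issued to. Any later event for that session from a different fingerprint
    is reported; a session with no recorded login at all is reported too,
    since a cookie replayed from another machine often has no login on this
    host in the same log window.
    """
    issued = {}   # session id -> Event of the login that created it
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev.event == "login":
            issued[ev.session] = ev
            continue
        origin = issued.get(ev.session)
        if origin is None:
            alerts.append({
                "ts": ev.ts.isoformat(), "session": ev.session,
                "user": ev.user, "ip": ev.ip,
                "reason": "session used without a recorded login",
            })
        elif (ev.ip, ev.ua) != (origin.ip, origin.ua):
            alerts.append({
                "ts": ev.ts.isoformat(), "session": ev.session,
                "user": ev.user, "ip": ev.ip,
                "reason": f"fingerprint changed from {origin.ip}/{origin.ua!r} "
                          f"to {ev.ip}/{ev.ua!r}",
            })
    return alerts


# Constructed sample log: a normal login and request, then the same session
# id arriving from another address with a non-browser user agent, and an
# unknown session id from that same address.
SAMPLE_LOG = [
    '{"ts":"2024-05-13T09:02:11","event":"login","session":"s1","user":"alice",'
    '"ip":"203.0.113.10","ua":"Mozilla/5.0 (Macintosh)"}',
    '{"ts":"2024-05-13T09:15:40","event":"request","session":"s1","user":"alice",'
    '"ip":"203.0.113.10","ua":"Mozilla/5.0 (Macintosh)"}',
    '{"ts":"2024-05-13T11:47:03","event":"request","session":"s1","user":"alice",'
    '"ip":"198.51.100.7","ua":"python-requests/2.31"}',
    '{"ts":"2024-05-13T11:48:20","event":"request","session":"s9","user":"bob",'
    '"ip":"198.51.100.7","ua":"python-requests/2.31"}',
]

if __name__ == "__main__":
    for alert in detect_session_reuse(SAMPLE_LOG):
        print(alert)
```

The fingerprint used here (source IP plus user agent) is deliberately coarse: mobile users change addresses and browsers update their user-agent strings, so in production this belongs in a scoring rule rather than an automatic lockout, and the durable fix is to bind the session on the server side and require re-authentication for sensitive actions such as approving a transfer.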
The stolen funds were ultimately traced to TraderTraitor-controlled wallets. The FBI, together with the National Police Agency of Japan and other international partners, is committed to exposing and combating North Korea's illicit activities, including cybercrime and cryptocurrency theft, to cut off revenue for the regime. Stay informed and vigilant to protect yourself from cyber threats in the ever-evolving digital landscape.