North Korean Hackers Steal $308M in Bitcoin from DMM Crypto Firm


Japanese and U.S. authorities have determined that North Korean cyber actors were behind the theft of $308 million in cryptocurrency from DMM Bitcoin in May 2024. This cybercrime was part of TraderTraitor threat activity, which is also known as Jade Sleet, UNC4899, and Slow Pisces. TraderTraitor is a persistent threat group with a history of targeting companies in the Web3 sector, using social engineering to trick employees into downloading malware-laced cryptocurrency apps in order to steal funds. This group has been active since at least 2020.

The U.S. Federal Bureau of Investigation, the Department of Defense Cyber Crime Center, and the National Police Agency of Japan issued an alert about this theft. It’s important to note that DMM Bitcoin ceased operations earlier this month.

The FBI documented an attack chain involving the North Korean threat actors contacting an employee at a cryptocurrency wallet software company called Ginco in March 2024. They posed as a recruiter, sending a link to a malicious Python script on GitHub as part of a fake pre-employment test. When the victim copied the code to their personal GitHub page, they unwittingly compromised the company’s wallet management system. By exploiting session cookie information, the cyber actors impersonated the employee and gained access to Ginco’s communications system, allowing them to manipulate a legitimate transaction request by a DMM employee in late May 2024.

After the theft, the attackers moved the funds to TraderTraitor-controlled wallets. Chainalysis confirmed that the funds stolen from DMM Bitcoin were transferred to various intermediary addresses before passing through a Bitcoin CoinJoin mixing service. The attackers then moved the funds through several further services before they reached HuiOne Guarantee, an online marketplace associated with facilitating cybercrime.

In addition, the AhnLab Security Intelligence Center reported that the North Korean threat actor Andariel, a sub-cluster within the Lazarus Group, is using the SmallTiger backdoor in attacks targeting South Korean asset management and document centralization solutions. Taken together, these cases underline how heavily North Korean operators rely on social engineering and stolen session credentials, and why Web3 firms need controls that hold up even when an individual employee is deceived.