In a bold cyber heist, North Korean hackers have stolen $308 million in Bitcoin from Japan-based cryptocurrency firm DMM Bitcoin, sparking international investigations and raising alarms about the growing threat of state-sponsored cybercrime.
Authorities in Japan and the U.S. officially attributed the May 2024 attack to North Korea-linked threat actors associated with the TraderTraitor group, also tracked under aliases such as Jade Sleet, UNC4899, and Slow Pisces. This notorious cluster has a long history of targeting the Web3 sector through social engineering and malware-laced apps.
The Perfect Heist
The attackers used a sophisticated chain of techniques to execute the breach. In March 2024, they posed as a recruiter to contact an employee at Ginco, a Japanese cryptocurrency wallet software company. Under the guise of a pre-employment test, the hackers sent a malicious Python script hosted on GitHub.
When the unsuspecting employee uploaded the script to their personal GitHub page, the attackers gained access to Ginco’s wallet management system. By mid-May, they had used stolen session cookie information to impersonate the compromised employee and access Ginco’s unencrypted communications system.
In late May, the hackers manipulated a legitimate transaction request by a DMM Bitcoin employee, siphoning off 4,502.9 BTC—worth $308 million at the time—into wallets controlled by TraderTraitor.
A Global Cybersecurity Crisis
The stolen funds were swiftly funneled through Bitcoin CoinJoin mixing services to obscure their trail. Chainalysis, a blockchain intelligence firm, reported that portions of the funds were later transferred through bridging services and eventually linked to HuiOne Guarantee, an online marketplace tied to the Cambodian conglomerate HuiOne Group, previously exposed for facilitating cybercrime.
This isn’t TraderTraitor’s first strike. Known for job-themed social engineering campaigns, the group has been active since at least 2020, exploiting vulnerabilities in infrastructure and distributing malicious npm packages. It is also infamous for its breach of JumpCloud’s systems in 2023.
The Fallout
DMM Bitcoin ceased operations earlier this month in the wake of the hack, leaving the cryptocurrency industry on edge. The heist has spotlighted the urgent need for stronger cybersecurity protocols in the Web3 space, where vulnerabilities can lead to massive financial losses.
“The theft underscores the advanced tactics used by North Korea-backed actors and the dangers of unencrypted communications and insufficient employee training,” noted the FBI and Japan’s National Police Agency in a joint statement.
A Growing Threat from North Korea
The cyberattack coincides with revelations from the AhnLab Security Intelligence Center, which identified another North Korean-linked subgroup, Andariel, as deploying the SmallTiger backdoor to target South Korean asset management systems. These operations further highlight Pyongyang’s strategic focus on cybercrime to fund its regime.
The Road Ahead
As authorities work to trace the stolen funds and dismantle TraderTraitor’s network, the DMM Bitcoin heist serves as a stark reminder of the vulnerabilities within the crypto industry. For businesses and investors, it’s a call to action to bolster security measures against the rising tide of state-sponsored cybercrime.
Stay tuned for updates on this evolving story and tips to secure your digital assets.
Source: The Hacker News