Japanese and U.S. authorities formally attributed the May 2024 cyberattack on DMM Bitcoin, a prominent cryptocurrency exchange, to North Korean cyber actors. The breach resulted in the theft of $308M in digital assets.
The agencies stated that the theft is linked to TraderTraitor threat activity, also tracked as Jade Sleet, UNC4899, and Slow Pisces. TraderTraitor is known for targeted social engineering attacks aimed at multiple employees of the same company at once.
The U.S. Federal Bureau of Investigation (FBI), the Department of Defense Cyber Crime Center, and Japan’s National Police Agency jointly issued the alert. In response to the hack, DMM Bitcoin discontinued its operations earlier this month.
TraderTraitor is a North Korea-associated threat group active since at least 2020. It is notorious for exploiting companies in the Web3 sector by deceiving victims into installing malware-infected cryptocurrency applications, leading to significant theft.
The incident traces back to March 2024, when one of the hackers, impersonating a recruiter on LinkedIn, approached an employee at Ginco, a Japan-based crypto wallet software company.
According to the FBI, the threat actor shared a URL disguised as a pre-employment test hosted on a GitHub page. The link led to a malicious Python script targeting the employee who had access to Ginco’s wallet management system.
The targeted employee unknowingly copied the malicious Python code to their personal GitHub page, which compromised their system and allowed TraderTraitor to execute their attack.
In mid-May, the TraderTraitor hackers infiltrated Ginco’s unencrypted communication system, using session cookie data to impersonate the compromised employee.
By late May, the FBI reported that the attackers likely used this access to alter a legitimate transaction request from a DMM Bitcoin employee, resulting in the theft of 4,502 BTC, valued at around $308 million. The stolen cryptocurrency was then moved to wallets controlled by TraderTraitor.
After successfully laundering the stolen funds through the Bitcoin Coin Mixing Service, the attackers routed a portion of the funds through several bridging services before transferring them to HuiOne Guarantee, an online marketplace associated with the Cambodian conglomerate HuiOne Group. This group had previously been identified as a major player in facilitating cybercrimes.
In related developments, the AhnLab Security Intelligence Center (ASEC) disclosed that the North Korean threat group Andariel, a sub-cluster within the Lazarus Group, is now using the SmallTiger backdoor in attacks aimed at South Korean asset management and document centralisation solutions.