December 25, 2024

North Korean Hackers Steal $308 Million from DMM Bitcoin Exchange



On December 23, 2024, the Federal Bureau of Investigation, the Department of Defense Cyber Crime Center (DC3), and Japan's National Police Agency (NPA) jointly attributed the May 2024 theft from the Japanese cryptocurrency exchange DMM Bitcoin to North Korean cyber actors. The attack cost the exchange $308 million worth of Bitcoin and illustrates the continuing threat that state-sponsored groups pose to the cryptocurrency industry.

The theft is attributed to the TraderTraitor threat group, also tracked as Jade Sleet, UNC4899, and Slow Pisces. The group is known for elaborate social engineering campaigns that typically target several employees of the same organization at once.

The intrusion began in late March 2024, when a North Korean cyber actor posing as a recruiter on LinkedIn contacted an employee of Ginco, a Japan-based company that develops enterprise cryptocurrency wallet software. The actor sent the target a URL pointing to a malicious Python script, presented as a pre-employment test hosted on a GitHub page. The victim copied the Python code to their personal GitHub page and was subsequently compromised.
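The joint statement does not describe what the malicious "pre-employment test" actually did, so the following is an added example rather than a reconstruction of that script: a static triage pass that a reviewer can run over any untrusted coding test before executing it. It parses the file with Python's ast module (the code is never run) and flags the constructs a genuine take-home exercise rarely needs but stagers and droppers lean on: dynamic code execution, decoding of embedded blobs, network fetches, process spawning, and long high-entropy string literals. The two sample "tests" below are constructed for this example; the hidden payload in the suspicious one is deliberately a harmless print so the sample is safe to keep on disk.

```python
"""Static triage of an untrusted "coding test" before anyone runs it (added example)."""
import ast
import base64  # used only to build the constructed sample below
import math
from collections import Counter

# Dotted callee names worth a second look in a "pre-employment test".
# Bare names (b64decode, urlopen) cover the `from x import y` import style.
SUSPICIOUS_CALLS = {
    "exec", "eval", "compile", "__import__",
    "base64.b64decode", "b64decode", "base64.b85decode", "codecs.decode",
    "marshal.loads", "pickle.loads", "zlib.decompress",
    "urllib.request.urlopen", "urlopen", "requests.get", "requests.post",
    "subprocess.Popen", "subprocess.run", "subprocess.call",
    "os.system", "os.popen", "ctypes.CDLL",
}


def _callee_name(call: ast.Call) -> str:
    """Render the callee as a dotted name (e.g. base64.b64decode), or "" if it is not one."""
    parts = []
    node = call.func
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if not isinstance(node, ast.Name):
        return ""
    parts.append(node.id)
    return ".".join(reversed(parts))


def _shannon_entropy(text: str) -> float:
    """Bits per character; base64/hex blobs score well above ordinary prose."""
    counts = Counter(text)
    return -sum((c / len(text)) * math.log2(c / len(text)) for c in counts.values())


def triage_source(source: str, min_blob_len: int = 40, min_entropy: float = 4.0) -> list[str]:
    """Return findings for one Python source string, ordered by line number."""
    try:
        tree = ast.parse(source)
    except SyntaxError as exc:
        return [f"line {exc.lineno}: unparseable source, possibly deliberate obfuscation"]
    findings = []
    for node in ast.walk(tree):
        if isinstance(node, ast.Call):
            name = _callee_name(node)
            if name in SUSPICIOUS_CALLS:
                findings.append((node.lineno, f"call to {name}"))
        elif isinstance(node, ast.Constant) and isinstance(node.value, str):
            if len(node.value) >= min_blob_len and _shannon_entropy(node.value) >= min_entropy:
                findings.append((node.lineno, f"high-entropy string literal ({len(node.value)} chars)"))
    return [f"line {lineno}: {msg}" for lineno, msg in sorted(findings)]


# Constructed sample: a plausible exercise with a decode-and-exec "helper" at the bottom.
# The hidden payload is a harmless print, not real second-stage code.
_HIDDEN = base64.b64encode(b'print("second-stage payload would run here")').decode()
SUSPICIOUS_TEST = f'''
import base64

def fizzbuzz(n):
    if n % 15 == 0:
        return "FizzBuzz"
    return "Fizz" if n % 3 == 0 else "Buzz" if n % 5 == 0 else str(n)

exec(base64.b64decode("{_HIDDEN}"))
'''

# Constructed sample: the same exercise without the trailing helper.
BENIGN_TEST = '''
def fizzbuzz(n):
    if n % 15 == 0:
        return "FizzBuzz"
    return "Fizz" if n % 3 == 0 else "Buzz" if n % 5 == 0 else str(n)
'''

if __name__ == "__main__":
    for label, src in (("suspicious", SUSPICIOUS_TEST), ("benign", BENIGN_TEST)):
        print(f"{label}: {triage_source(src) or ['no findings']}")
```

The callee list is a starting point, not a complete one; a determined author can reach the same primitives through getattr, importlib or a second file the test "needs" to download, which is why the entropy check and the unparseable-source branch matter as much as the name list. The safest policy remains the operational one: untrusted recruiter code is opened only in a disposable VM with no access to the developer's browser profile, SSH keys or session cookies.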

By mid-May 2024, the TraderTraitor actors had used stolen session cookie information to impersonate the compromised employee and gained access to Ginco's unencrypted communications system. In late May 2024, they likely used that access to manipulate a legitimate transaction request from a DMM employee, resulting in the loss of 4,502.9 BTC, worth $308 million at the time.

Blockchain intelligence firm Chainalysis confirmed that the stolen funds were moved to wallets controlled by TraderTraitor. The attackers then worked to obscure the trail, routing the Bitcoin through CoinJoin mixing services and ultimately linking the funds to HuiOne Guarantee, an online marketplace associated with facilitating cybercrime.

This incident is part of a broader pattern of cryptocurrency theft by North Korean state-affiliated actors. AhnLab Security Intelligence Center (ASEC) has also reported ongoing activity by Andariel, a sub-group of the Lazarus Group, which continues to target financial and technology organizations.

U.S. authorities have tracked TraderTraitor since 2022, when the FBI, CISA, and the U.S. Treasury warned that the group was targeting blockchain companies with trojanized cryptocurrency applications. In July 2023, GitHub warned of a social engineering campaign by the same actors against developers in the blockchain, cryptocurrency, online gambling, and cybersecurity sectors.

After the breach, DMM Bitcoin suspended new account registrations, cryptocurrency withdrawals, and trading, and the platform subsequently announced that it would cease operations. The attack underscores the persistent and evolving threat that North Korean cyber actors pose to the global cryptocurrency ecosystem.

The FBI, Japan's National Police Agency, and other international partners say they will continue to expose and disrupt these operations, which are designed to generate revenue for the North Korean regime.

Anthony Denis

Anthony Denis is a Security News Reporter with a Bachelor's in Business Computer Application. Drawing on a decade of digital media marketing experience and two years of freelance writing, he brings technical expertise to cybersecurity journalism. His background in IT, content creation, and social media management enables him to explain complex security topics with clarity and insight.
