Federal investigators have shared details of a cryptocurrency heist targeting Japan-based Bitcoin.DMM.com. It resulted in the theft of $308 million worth of Bitcoin by North Korean cyber actors.
The Federal Bureau of Investigation (FBI) is working alongside the Department of Defense Cyber Crime Center (DC3) and Japan’s National Police Agency (NPA). They have identified the attack as the work of a known threat group called TraderTraitor. It operates under various aliases including Jade Sleet, UNC4899, and Slow Pisces.
The hackers orchestrated a complex operation that began with social engineering tactics on LinkedIn and culminated in the unauthorized transfer of 4,502.9 Bitcoin from DMM’s corporate wallets.
Hackers carried out a sophisticated social engineering attack
The attack began with an orchestrated social engineering campaign in late March 2024. The North Korean operatives identified and targeted an employee at Ginco, a Japanese enterprise cryptocurrency wallet software company that provided critical services to DMM.
The attackers chose their target strategically, focusing on an employee with access to Ginco’s wallet management system. The initial contact came through LinkedIn, where the attackers posed as professional recruiters.
This approach shows a growing trend in cyber attacks where legitimate professional networking platforms are used to establish credible first contact. The attackers crafted their communication to appear as a routine recruitment process.
The critical moment of compromise occurred when the attackers sent their target a URL linking to a malicious Python script, disguised as a coding test, hosted on GitHub.
The victim, following what appeared to be standard technical interview procedures, copied the Python code to their personal GitHub page, unknowingly executing the malicious script.
Technical execution of the heist
By mid-May 2024, having gained a foothold through the compromised GitHub code, the TraderTraitor group began the technical phase of their attack.
The hackers exploited session cookie information to impersonate the compromised Ginco employee, giving them access to the company’s communications system. This step allowed them to monitor and potentially manipulate legitimate transaction requests.
The attack began in late May when the hackers identified and intercepted a legitimate transaction request from a DMM employee. Using their compromised access, they manipulated the transaction parameters, resulting in the unauthorized transfer of 4,502.9 BTC, valued at $308 million at the time.
The stolen funds were systematically moved through a series of transfers to wallets controlled by the TraderTraitor group. This made the recovery process extremely challenging for authorities.
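As an added example (not from the FBI statement or this article), the following Python shows one way a defender could flag the session-cookie reuse described above: it records the client context seen when a session logs in and alerts when the same session ID later appears from a different source IP or user agent. The log format, field names and sample lines are constructed for illustration.

```python
import csv
import io

# Constructed sample of web-session log lines (not from the incident).
# Assumed fields: timestamp, session_id, user, source_ip, user_agent, event
SAMPLE_LOG = """\
2024-05-14T09:02:11Z,s-7f3a,alice,203.0.113.10,Mozilla/5.0 (Macintosh) Firefox/125.0,login
2024-05-14T09:05:40Z,s-7f3a,alice,203.0.113.10,Mozilla/5.0 (Macintosh) Firefox/125.0,request
2024-05-14T09:06:02Z,s-91bc,bob,203.0.113.22,Mozilla/5.0 (Windows NT 10.0) Chrome/124.0,login
2024-05-14T11:47:29Z,s-7f3a,alice,198.51.100.77,python-requests/2.31.0,request
2024-05-14T11:48:03Z,s-91bc,bob,203.0.113.22,Mozilla/5.0 (Windows NT 10.0) Chrome/124.0,request
"""


def find_session_reuse(log_text):
    """Return alerts for sessions used from a client context other than the one at login."""
    issued = {}  # session_id -> (source_ip, user_agent) recorded at login
    alerts = []
    for row in csv.reader(io.StringIO(log_text)):
        if not row:
            continue  # tolerate blank lines in the export
        ts, sid, user, ip, ua, event = row
        context = (ip, ua)
        if event == "login":
            issued[sid] = context
            continue
        baseline = issued.get(sid)
        if baseline is None:
            # No login on record: a gap in logging or a cookie presented cold.
            alerts.append({"time": ts, "session": sid, "user": user,
                           "reason": "no_login_seen"})
        elif context != baseline:
            changed = [name for name, old, new
                       in zip(("source_ip", "user_agent"), baseline, context)
                       if old != new]
            alerts.append({"time": ts, "session": sid, "user": user,
                           "reason": "context_changed", "changed": changed})
    return alerts


if __name__ == "__main__":
    for alert in find_session_reuse(SAMPLE_LOG):
        print(alert)
```

A source IP can change for legitimate reasons such as VPN or mobile use, so a hit is better treated as a trigger for re-authentication than as proof of compromise.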
FBI collaborated with Japan police
The investigation of this massive cryptocurrency theft shows cooperation between international law enforcement agencies. The FBI’s close coordination with Japan’s National Police Agency and the Department of Defense Cyber Crime Center shows how cyber threats now require global responses.
This collaboration has proven important in tracking the movement of stolen funds, as well as in identifying the attack patterns characteristic of the TraderTraitor group.
The incident highlights North Korea’s continuing efforts to generate revenue through cryptocurrency theft, a pattern that has become increasingly concerning to international security agencies. Law enforcement officials note that these attacks are not isolated incidents. Instead, they are part of a broader campaign to circumvent international sanctions.