In May 2024, a sophisticated cyber attack led by North Korean hackers targeted Japan’s DMM Bitcoin exchange, resulting in the theft of cryptocurrency valued at $305 million. This high-profile heist has been officially attributed to the TraderTraitor threat group, also tracked as Jade Sleet, UNC4899, and Slow Pisces, by both the FBI and Japan’s National Police Agency. The attack was the result of a targeted social engineering campaign, where the hackers manipulated employees into downloading malware-laced applications. This attack is part of a larger, ongoing effort by North Korea to exploit vulnerabilities in the Web3 sector, a pattern that has been evident since 2020.
The attackers used deceptive tactics, posing as recruiters for a Japan-based cryptocurrency wallet software company, Ginco. One employee was sent a malicious Python script, disguised as a pre-employment test. When the victim copied the code to their personal GitHub page, it allowed the attackers to exploit vulnerabilities and gain access to Ginco’s wallet management system. This gave them the opportunity to execute their main attack in May, when they used the compromised session cookie information to impersonate an employee and initiate a fraudulent transfer of 4,502.9 BTC, valued at approximately $305 million.
The stolen funds were quickly moved across several addresses, employing a technique known as CoinJoin mixing to obfuscate the transactions. Using this method, the attackers were able to conceal their tracks before transferring the cryptocurrency to bridging services and, ultimately, to HuiOne Guarantee. This online marketplace, tied to the Cambodian conglomerate HuiOne Group, is known to be involved in facilitating cybercrimes, further complicating efforts to trace the stolen funds. The use of multiple laundering techniques has made it particularly challenging for authorities to track and recover the stolen assets.
The DMM Bitcoin hack serves as a stark reminder of the growing cyber threat posed by North Korean actors, especially within the cryptocurrency and blockchain sectors. The TraderTraitor group, which has been active for several years, continues to use highly effective social engineering tactics to infiltrate organizations. As cybersecurity measures evolve, it is crucial for firms in the Web3 space to adopt more stringent protocols and better educate employees about the risks posed by phishing and social engineering tactics. The international collaboration between U.S. and Japanese authorities emphasizes the need for a unified approach to combat cybercrime on a global scale.