North Korean State Hackers Swipe $308M in Massive Bitcoin Heist, Forcing DMM Exchange Shutdown

North Korean Hackers Behind $308M Cryptocurrency Heist from DMM Bitcoin

Japanese and U.S. authorities have confirmed that North Korean cyber actors, operating under the TraderTraitor group (also known as Jade Sleet, UNC4899, and Slow Pisces), were responsible for stealing $308 million in cryptocurrency from DMM Bitcoin in May 2024. The incident led to DMM Bitcoin’s closure earlier this month.

The attack, jointly investigated by the FBI, Department of Defense Cyber Crime Center, and Japan’s National Police Agency, revealed a sophisticated social engineering operation targeting Ginco, a Japanese cryptocurrency wallet software company.

Attack Methodology:
– In March 2024, attackers posed as recruiters and sent a malicious Python script to a Ginco employee
– The employee whose system was compromised had access to Ginco’s wallet management system
– By mid-May 2024, the attackers used stolen session cookie information to gain access to Ginco’s unencrypted communications system
– The breach culminated in the theft of 4,502.9 BTC ($308 million) through manipulation of legitimate transaction requests

TraderTraitor, active since 2020, is known for:
– Targeting Web3 sector companies
– Using job-themed social engineering campaigns
– Deploying malicious cryptocurrency apps
– Previously compromising JumpCloud’s systems

According to Chainalysis, the stolen funds were:
1. Moved through intermediary addresses
2. Processed through a Bitcoin CoinJoin mixing service
3. Transferred via bridging services
4. Finally reached HuiOne Guarantee, a Cambodian marketplace linked to cybercrime activities

This incident highlights the ongoing threat posed by North Korean cyber actors to cryptocurrency platforms and emphasizes the importance of robust security measures in the digital asset sector.
