Japanese and U.S. authorities have confirmed that North Korean cyber actors, operating under the TraderTraitor group (also known as Jade Sleet, UNC4899, and Slow Pisces), were responsible for stealing $308 million in cryptocurrency from DMM Bitcoin in May 2024. The incident led to DMM Bitcoin’s closure earlier this month.
The attack, jointly investigated by the FBI, Department of Defense Cyber Crime Center, and Japan’s National Police Agency, revealed a sophisticated social engineering operation targeting Ginco, a Japanese cryptocurrency wallet software company.
Attack Methodology:
– In late March 2024, an attacker posing as a recruiter on LinkedIn sent a Ginco employee a link to a malicious Python script presented as a pre-employment test
– The compromised employee had access to Ginco’s wallet management system
– By mid-May 2024, the attackers used stolen session cookie information to impersonate that employee and gained access to Ginco’s unencrypted communications system
– By late May 2024, the attackers used that access to manipulate a legitimate transaction request from a DMM employee, resulting in the theft of 4,502.9 BTC (about $308 million at the time)
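The last two steps are the security-relevant part: an intruder who can read an operator's unencrypted communications and impersonate a trusted employee can alter a transaction request before the wallet system acts on it. The following is an added illustration, not Ginco's or DMM Bitcoin's code and not a description of their actual architecture. It contrasts a request trusted on its face with one bound to its author by an HMAC over a canonical encoding, adds a destination allow-list and replay protection, and shows which manipulations each control stops. All requester names, keys, addresses and amounts are constructed for the example.

```python
"""Tamper-evident withdrawal requests (added example; hypothetical names and keys)."""
import hmac
import hashlib
import json
import secrets

# Hypothetical per-requester key, shared out-of-band with the signing service.
REQUESTER_KEYS = {"dmm-ops-1": secrets.token_bytes(32)}

# Hypothetical destination allow-list; anything else is refused even if signed.
ALLOWED_DESTINATIONS = {"bc1q-hypothetical-dmm-cold-wallet"}

# Nonces already honoured; a real service would persist this, here it is in-process.
_seen_nonces: set = set()


def canonical(request: dict) -> bytes:
    """Deterministic encoding so signer and verifier hash identical bytes."""
    return json.dumps(request, sort_keys=True, separators=(",", ":")).encode()


def sign_request(requester: str, amount_btc: str, destination: str) -> dict:
    """Requester side: build a request and bind it to its author with an HMAC."""
    body = {
        "requester": requester,
        "amount_btc": amount_btc,
        "destination": destination,
        "nonce": secrets.token_hex(16),
    }
    tag = hmac.new(REQUESTER_KEYS[requester], canonical(body), hashlib.sha256).hexdigest()
    return {**body, "mac": tag}


def process_unsigned(request: dict) -> str:
    """Weak setting: whatever destination arrives is where the coins go."""
    return f"sent {request['amount_btc']} BTC to {request['destination']}"


def process_signed(request: dict) -> str:
    """Hardened setting: verify MAC, nonce freshness and destination before acting."""
    body = {k: v for k, v in request.items() if k != "mac"}
    key = REQUESTER_KEYS.get(body.get("requester"))
    if key is None:
        return "rejected: unknown requester"
    expected = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, request.get("mac", "")):
        return "rejected: request altered or not from claimed requester"
    if body["nonce"] in _seen_nonces:
        return "rejected: replayed request"
    if body["destination"] not in ALLOWED_DESTINATIONS:
        return "rejected: destination not on allow-list"
    _seen_nonces.add(body["nonce"])
    return f"sent {body['amount_btc']} BTC to {body['destination']}"


def demo() -> dict:
    """Constructed scenario: a legitimate request, the same request with its
    destination swapped in transit, a replay of the legitimate request, and a
    request signed with a stolen (valid) key that points off the allow-list."""
    legit = sign_request("dmm-ops-1", "4502.9", "bc1q-hypothetical-dmm-cold-wallet")
    tampered = {**legit, "destination": "bc1q-hypothetical-attacker"}
    offlist = sign_request("dmm-ops-1", "4502.9", "bc1q-hypothetical-attacker")
    return {
        "unsigned_tampered": process_unsigned(tampered),  # weak path pays the attacker
        "signed_legit": process_signed(legit),            # accepted once
        "signed_tampered": process_signed(tampered),      # MAC no longer matches
        "signed_replayed": process_signed(legit),         # same nonce seen before
        "signed_offlist": process_signed(offlist),        # valid MAC, bad destination
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The MAC stops a passive reader of the channel from editing a request, the nonce stops re-submission of a captured one, and the allow-list limits the damage when the requester's own credentials (as with a hijacked session) are in the attacker's hands. None of these replaces encrypting the channel or requiring a second approver for large withdrawals; they are the minimum that makes a transaction request more than text an intruder can rewrite.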
TraderTraitor, active since 2020, is known for:
– Targeting Web3 sector companies
– Using job-themed social engineering campaigns
– Deploying malicious cryptocurrency apps
– Previously compromising JumpCloud’s systems
According to Chainalysis, the stolen funds were:
1. Moved through intermediary addresses
2. Processed through a Bitcoin CoinJoin mixing service
3. Transferred via bridging services
4. Finally reached HuiOne Guarantee, a Cambodian marketplace linked to cybercrime activities
This incident highlights the ongoing threat posed by North Korean cyber actors to cryptocurrency platforms and emphasizes the importance of robust security measures in the digital asset sector.