
North Korean Hackers Steal $308M in Bitcoin from Crypto Firm DMM Bitcoin


Japanese and U.S. authorities have officially attributed a massive $308 million cryptocurrency theft from DMM Bitcoin in May 2024 to North Korean cybercriminals.


The Heist

According to an official joint statement, the theft is linked to the TraderTraitor threat group, also known as Jade Sleet, UNC4899, and Slow Pisces. This group is infamous for its use of targeted social engineering campaigns, often aimed at multiple employees within the same organization.


The findings were released by the U.S. Federal Bureau of Investigation (FBI), the Department of Defense Cyber Crime Center, and Japan's National Police Agency. Following the attack, DMM Bitcoin ceased its operations earlier this month.


The TraderTraitor Threat

TraderTraitor, a North Korea-affiliated hacking group, has a long history of targeting Web3 companies. Their tactics involve tricking victims into downloading malware-laden cryptocurrency applications, which are then used to execute theft. Active since at least 2020, the group is known for leveraging social engineering techniques, such as job-themed lures or fake GitHub collaborations, to infiltrate targets.


In 2023, the group gained notoriety for compromising JumpCloud’s systems to attack downstream customers, showcasing its highly sophisticated approach to cyber intrusions.


Inside the DMM Bitcoin Attack

The latest attack follows a similar pattern. In March 2024, the threat actors posed as recruiters to contact an employee at Ginco, a Japan-based cryptocurrency wallet software company. The attackers sent the victim a malicious Python script hosted on GitHub, disguised as part of a pre-employment test.


The employee copied the Python code to their personal GitHub page and was compromised as a result. In mid-May 2024, the attackers exploited stolen session cookie information to impersonate the compromised employee and gain access to Ginco's unencrypted communications system.


By late May, the attackers likely used this access to manipulate a legitimate transaction request made by a DMM Bitcoin employee. This resulted in the theft of 4,502.9 BTC, valued at $308 million at the time. The stolen funds were swiftly transferred to wallets controlled by the TraderTraitor group.
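The step that turned a stolen session into a $308 million loss was an executor that trusted a transaction request simply because it arrived over an authenticated channel. The following is an added example, not code from Ginco, DMM Bitcoin or the joint statement, showing that weak pattern beside a hardened one: each request carries an HMAC-SHA256 tag over every field plus a nonce and timestamp, and the executor also enforces a destination allowlist. The signing key, wallet names, addresses and amounts are all constructed for the example; in a real deployment the key would live in a hardware signer or HSM that a hijacked browser session cannot read.

```python
import hashlib
import hmac
import json
import secrets
import time
from typing import Dict, Optional, Set, Tuple

# Hypothetical request-signing key, constructed for this example only.
REQUEST_SIGNING_KEY = bytes.fromhex("7f2c" * 16)

# Constructed allowlist of known counterparty / treasury addresses (not real addresses).
ALLOWED_DESTINATIONS = {"bc1q-treasury-example-0001", "bc1q-customer-example-0002"}


def canonical_bytes(fields: Dict) -> bytes:
    """Deterministic encoding so requester and executor MAC identical bytes."""
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def sign_request(request: Dict, key: bytes, now: Optional[int] = None) -> Dict:
    """Attach a fresh nonce, a timestamp and an HMAC tag that covers every field."""
    body = dict(request)
    body["nonce"] = secrets.token_hex(16)
    body["issued_at"] = int(time.time()) if now is None else now
    body["mac"] = hmac.new(key, canonical_bytes(body), hashlib.sha256).hexdigest()
    return body


def naive_accept(request: Dict) -> bool:
    """The weak pattern: anything well-formed that arrives over the session is executed."""
    return bool(request.get("destination")) and request.get("amount_btc", 0) > 0


class RequestVerifier:
    def __init__(self, key: bytes, allowed: Set[str], max_age_s: int = 300):
        self.key = key
        self.allowed = allowed
        self.max_age_s = max_age_s
        self.seen_nonces: Set[str] = set()

    def verify(self, signed: Dict, now: Optional[int] = None) -> Tuple[bool, str]:
        now = int(time.time()) if now is None else now
        body = {k: v for k, v in signed.items() if k != "mac"}
        expected = hmac.new(self.key, canonical_bytes(body), hashlib.sha256).hexdigest()
        # 1. Integrity: editing destination, amount, nonce or time in transit breaks the tag.
        if not hmac.compare_digest(str(signed.get("mac", "")), expected):
            return False, "mac mismatch"
        # 2. Freshness and replay: a captured valid request cannot be resubmitted later.
        if abs(now - int(body.get("issued_at", 0))) > self.max_age_s:
            return False, "stale request"
        if body.get("nonce") in self.seen_nonces:
            return False, "replayed nonce"
        # 3. Policy: even a correctly signed request must target a pre-approved address.
        if body.get("destination") not in self.allowed:
            return False, "destination not allowlisted"
        self.seen_nonces.add(body["nonce"])
        return True, "ok"


def demo() -> Dict:
    """Run the legitimate request and several attacker variants through both checks."""
    now = 1_716_000_000  # fixed clock so the outcome is reproducible
    legit = {"from_wallet": "hot-1", "destination": "bc1q-customer-example-0002", "amount_btc": 4502.9}
    signed = sign_request(legit, REQUEST_SIGNING_KEY, now=now)

    # Attacker holding the employee's session rewrites the destination in transit.
    tampered = dict(signed)
    tampered["destination"] = "bc1q-attacker-example-9999"

    # Attacker builds a whole new request but has no access to the signing key.
    forged = sign_request({**legit, "destination": "bc1q-attacker-example-9999"}, bytes(32), now=now)

    verifier = RequestVerifier(REQUEST_SIGNING_KEY, ALLOWED_DESTINATIONS)
    return {
        "naive_accepts_tampered": naive_accept(tampered),
        "signed": verifier.verify(signed, now=now),
        "tampered": verifier.verify(tampered, now=now),
        "forged_other_key": verifier.verify(forged, now=now),
        "replay": verifier.verify(signed, now=now),
        "stale": verifier.verify(sign_request(legit, REQUEST_SIGNING_KEY, now=now - 3600), now=now),
        "unlisted": verifier.verify(
            sign_request({**legit, "destination": "bc1q-new-example-0003"}, REQUEST_SIGNING_KEY, now=now), now=now),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The tag alone only helps if the key is unreachable from the compromised session; the allowlist is the second line of defence for the case where the attacker can get a request signed, which is why a new destination should require an out-of-band approval rather than a signature from the same workflow.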


Post-Hack Findings

The blockchain analysis firm Chainalysis later confirmed that North Korean threat actors were behind the attack. According to their report, the stolen funds were initially moved to several intermediary addresses before being funneled through a Bitcoin CoinJoin mixing service to obscure their origin.


Some of the laundered funds were eventually sent through various bridging services and ended up at HuiOne Guarantee, an online marketplace linked to the Cambodian conglomerate HuiOne Group, which has a history of enabling cybercrime.


Broader Threat Landscape

This development comes as the AhnLab Security Intelligence Center (ASEC) reports new attacks by the North Korean hacking subgroup Andariel, part of the larger Lazarus Group. These attacks, which deploy the SmallTiger backdoor, have targeted South Korean asset management firms and document centralization systems.


The DMM Bitcoin heist serves as a stark reminder of the growing sophistication and persistence of North Korean cybercriminals, whose operations continue to target financial institutions and Web3 businesses globally.