North Korean TraderTraitor Cyber Actors Steal $308 Million in Cryptocurrency: DMM Breach Unveiled
The Federal Bureau of Investigation (FBI), Department of Defense Cyber Crime Center (DC3), and Japan’s National Police Agency (NPA) have issued a joint press release detailing a major cryptocurrency theft. The heist, attributed to North Korean-linked threat actors, targeted Japan-based cryptocurrency company DMM, resulting in the loss of $308 million in Bitcoin during May 2024.
The operation has been linked to the infamous TraderTraitor threat group, also tracked under aliases such as Jade Sleet, UNC4899, and Slow Pisces. The group’s modus operandi involves highly sophisticated social engineering campaigns that often focus on infiltrating multiple employees of a single organization.
“TraderTraitor activity is often characterized by targeted social engineering directed at multiple employees of the same company simultaneously,” the FBI stated. Targeting several employees at once raises the group’s odds that at least one lure succeeds and yields access to critical systems and sensitive information.
The first domino fell in late March 2024, when a North Korean cyber actor masquerading as a recruiter reached out to an employee at Ginco, a Japan-based enterprise cryptocurrency wallet software company. Under the pretense of a job opportunity, the attacker shared a GitHub link containing a malicious Python script disguised as a pre-employment test.
The victim, who maintained access to Ginco’s wallet management system, unknowingly copied the malicious code to their personal GitHub page, which led to the compromise. By mid-May, TraderTraitor actors had used the stolen session cookies to impersonate the compromised employee, gaining unauthorized access to Ginco’s unencrypted communications systems.
Using their foothold in Ginco, the attackers shifted their focus to DMM. By late May 2024, they manipulated a legitimate transaction request made by a DMM employee. This manipulation resulted in the unauthorized transfer of 4,502.9 BTC, valued at $308 million at the time, to wallets controlled by the threat actors.
The stolen funds have since been traced to cryptocurrency wallets under the control of TraderTraitor operatives. In response, the FBI, NPA, and their international partners have pledged to expose and counter North Korea’s use of illicit cyber activities.
“The FBI, National Police Agency of Japan, and other U.S. government and international partners will continue to expose and combat North Korea’s use of illicit activities—including cybercrime and cryptocurrency theft—to generate revenue for the regime,” the statement emphasized.