
US and Japanese Authorities Link $308 Million DMM Bitcoin Crypto Heist to North Korean Hackers

Law enforcement and cyber authorities in the United States and Japan have attributed the DMM Bitcoin crypto heist, worth about $308 million, to North Korean hackers.

According to the Federal Bureau of Investigation (FBI), Department of Defense Cyber Crime Center (DC3), and National Police Agency of Japan, the activity was consistent with DPRK’s TraderTraitor hackers, also tracked as Jade Sleet, UNC4899, and Slow Pisces.

Between late March and late May 2024, the attacker employed social engineering tactics to compromise a wallet managed by Ginco and manipulate a transaction request.

North Korean hackers impersonate a LinkedIn recruiter to pull off a crypto heist

In late March 2024, a North Korean actor impersonated a LinkedIn recruiter and contacted an employee of Ginco, a Japanese enterprise crypto wallet software company.

“The threat actor sent the target, who maintained access to Ginco’s wallet management system, a URL linked to a malicious Python script under the guise of a pre-employment test located on a GitHub page,” the FBI said.

Believing the pre-employment test was legitimate, the targeted employee copied the Python code to their personal GitHub page and was subsequently compromised.
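The article does not describe what the malicious script did, and the following is an added illustration rather than code from the article, the FBI, or Ginco. It is the kind of static screen a candidate or a security team can run over a "take-home test" before executing it: parse the file with Python's own `ast` module, flag code-execution primitives (`exec`, `eval`, `subprocess`, `ctypes`), payload-staging primitives (base64 or zlib decoding, HTTP fetches, raw sockets) and long base64-looking string literals, and escalate to SUSPICIOUS when execution is paired with decoding or downloading, the classic dropper shape. The indicator sets and both sample files are constructed assumptions for this example, not a signature of the script used against Ginco, and nothing in the samples is executed.

```python
import ast
import base64
import re

# Generic dropper indicators. These sets are illustrative assumptions for
# this example, not a signature of the script used in the DMM incident.
EXEC_PRIMS = {
    "exec", "eval", "compile", "__import__", "marshal.loads", "ctypes.CDLL",
    "os.system", "os.popen", "subprocess.run", "subprocess.Popen",
    "subprocess.check_output",
}
STAGE_PRIMS = {
    "base64.b64decode", "zlib.decompress", "urllib.request.urlopen",
    "requests.get", "requests.post", "socket.socket",
}
WATCH_MODULES = {"subprocess", "socket", "urllib", "requests", "ctypes",
                 "marshal", "zlib", "base64", "pickle"}
# A 64+ character run of base64 alphabet with no whitespace: an embedded blob.
B64_LITERAL = re.compile(r"^[A-Za-z0-9+/=]{64,}$")


def _dotted(node):
    """Return 'pkg.sub.attr' for a Name/Attribute chain, else None."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


def screen_python_source(src):
    """Walk the AST of src without executing it and return a list of
    (lineno, category, detail) findings. Categories: unparseable, import,
    exec, stage, literal."""
    try:
        tree = ast.parse(src)
    except SyntaxError as e:
        # Heavily obfuscated or non-Python content still deserves a look.
        return [(e.lineno or 0, "unparseable", str(e))]
    findings = []
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for alias in node.names:
                if alias.name.split(".")[0] in WATCH_MODULES:
                    findings.append((node.lineno, "import", alias.name))
        elif isinstance(node, ast.ImportFrom):
            if (node.module or "").split(".")[0] in WATCH_MODULES:
                findings.append((node.lineno, "import", node.module))
        elif isinstance(node, ast.Call):
            name = _dotted(node.func)
            if name in EXEC_PRIMS:
                findings.append((node.lineno, "exec", name))
            elif name in STAGE_PRIMS:
                findings.append((node.lineno, "stage", name))
        elif isinstance(node, ast.Constant) and isinstance(node.value, str):
            if B64_LITERAL.match(node.value):
                findings.append((node.lineno, "literal",
                                 f"{len(node.value)}-char base64-like string"))
    return findings


def verdict(findings):
    """SUSPICIOUS when a code-execution primitive is paired with a decode,
    download or embedded blob (dropper shape); REVIEW when anything else was
    flagged; CLEAN when nothing was."""
    cats = {c for _, c, _ in findings}
    if "exec" in cats and cats & {"stage", "literal"}:
        return "SUSPICIOUS"
    return "REVIEW" if findings else "CLEAN"


# Constructed samples for this example, not the real test sent to the employee.
BENIGN_SAMPLE = '''
def fizzbuzz(n):
    """Classic screening question: nothing to flag."""
    out = []
    for i in range(1, n + 1):
        word = "Fizz" * (i % 3 == 0) + "Buzz" * (i % 5 == 0)
        out.append(word or str(i))
    return out
'''

# The "stage" below is an inert print(); it is only parsed, never run.
_STAGE = base64.b64encode(b"print('hi')").decode()
STAGED_SAMPLE = f'''
import base64
import urllib.request

def solve(nums):
    return sorted(nums)

_p = base64.b64decode("{_STAGE}")
exec(_p)
'''

if __name__ == "__main__":
    for label, sample in (("benign", BENIGN_SAMPLE), ("staged", STAGED_SAMPLE)):
        found = screen_python_source(sample)
        print(f"{label}: {verdict(found)}")
        for lineno, cat, detail in found:
            print(f"  line {lineno}: {cat}: {detail}")
```

The screen is deliberately a triage aid, not a verdict: a bare `import socket` only earns REVIEW, and a real dropper can hide behind `getattr` tricks or a second file the test tells you to download. The point is that the file is inspected before it is ever run, ideally in a throwaway VM with no access to production credentials or wallet tooling.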

In mid-May 2024, the attacker hijacked the employee's session cookies to impersonate them and gain access to the company's communications system.

In late May 2024, they used this access to manipulate a legitimate DMM transaction request, stealing 4,502.9 BTC and transferring it to TraderTraitor-controlled wallets.

The crypto heist has forced DMM Bitcoin to halt operations and transfer accounts to SBI VC Trade after restricting transactions for some time.

Crypto platforms targeted by North Korean hackers

The DMM crypto heist is hardly the first time North Korean hackers have targeted cryptocurrency platforms.

In 2022, the FBI, the Cybersecurity and Infrastructure Security Agency (CISA), and the Treasury Department issued a joint cybersecurity advisory warning that TraderTraitor was targeting crypto exchanges, decentralized finance (DeFi) protocols, cryptocurrency venture capital firms, crypto trading companies, play-to-earn crypto video games, and holders of a large amount of cryptocurrency and valuable non-fungible tokens (NFTs).

The North Korean hackers tricked victims into downloading trojanized Windows and macOS cryptocurrency apps. The attackers leveraged the apps to access the victims' computers, traverse the network, exploit other security holes, and steal private keys and tokens to compromise crypto wallets.

That cybersecurity advisory followed a similar one about North Korean hackers using AppleJeus malware to steal cryptocurrency in 30 countries.

The DMM crypto heist is one among many attributed to North Korean hackers. The FBI linked TraderTraitor to the Alphapo ($60 million), CoinsPaid ($37 million), and Atomic Wallet ($100 million) breaches.

Western cyber and law enforcement authorities also linked the North Korean Lazarus Group to the Harmony Horizon and Sky Mavis Ronin crypto heists. TraderTraitor is part of the North Korean state-sponsored Lazarus Group.

Crypto heists are a lucrative business for the cash-strapped, heavily sanctioned North Korean regime, as well as for unaffiliated threat actors. They remain one of the regime's primary methods of funding its ballistic missile and nuclear programs.

According to Chainalysis, over $2.2 billion in cryptocurrency was stolen in 2024, making it the fifth year in which annual crypto theft exceeded $1 billion.

In 2024 alone, North Korean hackers stole over $1.34 billion across 47 crypto heist incidents, accounting for 61% of all cryptocurrency stolen that year.