Authorities from Japan and the United States have definitively linked the pilfering of $308 million in cryptocurrency from the exchange platform DMM Bitcoin in May 2024 to North Korean cyber operatives.
“This heist has been attributed to the TraderTraitor threat ensemble, alternatively known by aliases such as Jade Sleet, UNC4899, and Slow Pisces,” the agencies stated. “TraderTraitor campaigns are notorious for meticulously orchestrated social engineering strategies, targeting multiple employees of a single entity concurrently.”
This revelation was issued by the U.S. Federal Bureau of Investigation (FBI), the Department of Defense Cyber Crime Center, and Japan’s National Police Agency. It is pertinent to note that DMM Bitcoin ceased operations earlier this month, succumbing to the repercussions of the breach.
TraderTraitor is a cyber adversary faction with established ties to North Korea, which has gained notoriety for infiltrating firms in the Web3 domain. This cluster is adept at ensnaring victims by promoting cryptocurrency applications laced with malicious software, enabling substantial theft. Their exploits have been chronicled since at least 2020.
In preceding years, the group orchestrated a myriad of incursions, leveraging employment-themed social engineering ploys. Their modus operandi often involves approaching targets under the guise of collaborative opportunities on GitHub projects, ultimately deploying malevolent npm packages.
This group is perhaps most infamous for its compromise of JumpCloud’s systems last year, where it surreptitiously gained access to a select subset of downstream clientele.
According to the FBI, the attack sequence targeting DMM Bitcoin bore similar hallmarks. In March 2024, an operative contacted an employee of Ginco, a Japan-based cryptocurrency wallet software enterprise. Posing as a recruiter, the actor provided a GitHub-hosted URL containing a booby-trapped Python script, purportedly part of a pre-employment assessment.
The targeted employee, possessing access to Ginco’s wallet management interface, inadvertently fell victim by uploading the script to their personal GitHub repository. By mid-May 2024, the attackers exploited session cookie data to impersonate the compromised individual, securing entry to Ginco’s unencrypted communication systems.
“In late May 2024, the perpetrators likely exploited their access to falsify a legitimate transaction initiated by a DMM employee, culminating in the misappropriation of 4,502.9 BTC—equivalent to $308 million at the time,” the agencies divulged. “The stolen cryptocurrency was subsequently funneled into wallets controlled by the TraderTraitor syndicate.”
The breach was corroborated by Chainalysis, which earlier associated the theft with North Korean actors. They disclosed that vulnerabilities within DMM Bitcoin’s infrastructure facilitated unauthorized withdrawals.
“The culprits relocated millions in crypto assets from DMM Bitcoin to intermediary addresses before utilizing a Bitcoin CoinJoin Mixing Service to obscure the trail,” the blockchain intelligence entity explained. “After obfuscation, a fraction of the funds traversed various bridging platforms, ultimately arriving at HuiOne Guarantee—a digital marketplace tied to Cambodia’s HuiOne Group, previously implicated in cybercriminal undertakings.”
This disclosure coincides with a report by the AhnLab Security Intelligence Center (ASEC), which highlighted that the North Korean subgroup Andariel—an offshoot of the Lazarus Group—is deploying the SmallTiger backdoor to target South Korean asset management firms and document centralization platforms.