North Korean hackers have been identified by US and Japanese authorities as the culprits behind a significant cryptocurrency heist totaling $308 million. The theft, which occurred in May 2024 at a Japan-based crypto firm DMM, was carried out by a North Korean threat group known as TraderTraitor, also referred to as Jade Sleet, UNC4899, and Slow Pisces.
According to a joint alert issued by the FBI, Department of Defense Cyber Crime Center, and National Police Agency of Japan, TraderTraitor executed a targeted social engineering attack to gain access to and steal the cryptocurrency funds. The attack began in late March 2024 when the hackers, posing as a recruiter on LinkedIn, contacted an employee at Ginco, a company that specializes in enterprise cryptocurrency wallet software. The targeted employee had access to Ginco’s wallet management system, making them a prime target for the hackers.
The threat actors sent the employee a URL that led to a malicious Python script disguised as a pre-employment test on a GitHub page. The employee unknowingly copied the code to their personal GitHub page, leading to their compromise. By mid-May 2024, the hackers exploited session cookie information to impersonate the compromised employee and gain entry into Ginco’s unencrypted communications system.
In late May 2024, the hackers likely used this access to manipulate a legitimate transaction request made by an employee at DMM, resulting in the loss of 4,502.9 Bitcoin, equivalent to $308 million at the time of the attack. The stolen funds were then transferred to wallets controlled by TraderTraitor.
This incident is part of a broader trend of North Korean-affiliated hackers engaging in cryptocurrency thefts to generate revenue for the regime in Pyongyang. A report by blockchain analytics firm Chainalysis revealed that North Korean hackers stole $1.34 billion worth of cryptocurrency across 47 incidents in 2024, accounting for 61% of the total amount stolen that year.
The FBI, National Police Agency of Japan, and other US government and international partners are committed to exposing and combating North Korea’s involvement in illicit activities, including cybercrime and cryptocurrency theft. These efforts aim to disrupt the flow of funds to the Pyongyang regime and hold the perpetrators accountable for their actions.
As the use of cryptocurrency continues to grow, authorities around the world are stepping up their efforts to prevent such incidents and ensure the security of digital assets. The case of the $308 million cryptocurrency heist attributed to North Korean hackers serves as a stark reminder of the evolving threats in the digital landscape and the importance of cybersecurity measures to protect against such attacks.