CyberSecurity SEE

North Korean Hackers Steal $308M in Bitcoin from Crypto Company DMM Bitcoin

Japanese and U.S. authorities have officially linked the theft of cryptocurrency worth $308 million from DMM Bitcoin in May 2024 to North Korean cyber actors. The agencies involved in the investigation, including the U.S. Federal Bureau of Investigation, the Department of Defense Cyber Crime Center, and the National Police Agency of Japan, identified the theft as part of TraderTraitor threat activity, also known as Jade Sleet, UNC4899, and Slow Pisces. This activity is characterized by targeted social engineering tactics aimed at multiple employees of the same company simultaneously.

The alert issued by the authorities sheds light on the modus operandi of TraderTraitor, a North Korea-linked group known for its persistent attacks on companies in the Web3 sector. The group has a history of using social engineering tactics to deceive victims into downloading malware-infected cryptocurrency apps, leading to significant thefts. The group has been active since at least 2020 and has been responsible for orchestrating a series of attacks targeting various organizations.

One notable TraderTraitor incident was the infiltration of JumpCloud’s systems to gain unauthorized access to its downstream customers, which highlighted the group’s sophistication and effectiveness in carrying out its objectives. The recent attack on DMM Bitcoin follows a similar pattern to earlier incidents: the threat actors used social engineering to compromise an employee at Ginco, a Japan-based cryptocurrency wallet software company.

The compromised employee, who had access to Ginco’s wallet management system, fell victim to a recruitment scam orchestrated by the attackers. They were tricked into downloading a malicious Python script disguised as a pre-employment test, leading to the compromise of their personal GitHub page. Subsequently, the attackers used the compromised employee’s credentials to gain unauthorized access to Ginco’s communications system, paving the way for the theft of 4,502.9 BTC, valued at $308 million at the time of the attack.

Chainalysis, a blockchain intelligence firm, corroborated the attribution of the hack to North Korean threat actors, noting that the unauthorized withdrawals were made possible by exploiting vulnerabilities in the infrastructure. The stolen funds were traced to intermediary addresses before being mixed using a Bitcoin CoinJoin mixing service. The attackers then used a series of bridging services to eventually move the funds to HuiOne Guarantee, an online marketplace associated with the Cambodian conglomerate HuiOne Group, which is known for facilitating cybercrime.

Separately, the AhnLab Security Intelligence Center (ASEC) has revealed that North Korean threat actors deployed the SmallTiger backdoor in attacks targeting South Korean asset management and document centralization solutions, underscoring the persistent and evolving nature of the cyber threats posed by these actors.

The incident involving the theft of cryptocurrency from DMM Bitcoin serves as a stark reminder of the ongoing cyber threats faced by organizations in the cryptocurrency sector. It underscores the need for increased vigilance and robust cybersecurity measures to mitigate the risk of falling victim to sophisticated attacks orchestrated by threat actors with malicious intent.
