US and Japan Accuse North Korea of $308m Crypto Heist

US and Japanese authorities have identified North Korean hackers as the culprits behind a significant cryptocurrency heist totaling $308 million. The FBI, Department of Defense Cyber Crime Center, and National Police Agency of Japan issued an alert linking the May 2024 theft from Japan-based crypto firm DMM to a North Korean threat group known as TraderTraitor, also identified as Jade Sleet, UNC4899, and Slow Pisces.

According to the agencies, TraderTraitor executed a targeted social engineering attack to gain unauthorized access and steal the cryptocurrency funds. The attack commenced in late March 2024 when the threat actor, posing as a recruiter on LinkedIn, contacted an employee at Ginco, a Japan-based enterprise cryptocurrency wallet software company. The employee was specifically targeted for their access to Ginco’s wallet management system.

The hacker sent the employee a URL to a malicious Python script, hosted on a GitHub page and disguised as a pre-employment test. The victim unknowingly copied the Python code to their personal GitHub page, leading to their compromise. By mid-May 2024, the hackers leveraged session cookie information to impersonate the compromised employee and infiltrate Ginco’s unencrypted communications system.

In late May 2024, the attackers likely used this access to manipulate a legitimate transaction request by a DMM employee, resulting in the loss of 4,502.9 Bitcoin worth $308 million at the time of the incident. The stolen funds were then transferred to TraderTraitor-controlled wallets, adding to the growing list of cryptocurrency thefts attributed to North Korean threat groups.

A recent report by blockchain analytics firm Chainalysis revealed that North Korea-affiliated hackers stole a staggering $1.34 billion in cryptocurrency across 47 incidents in 2024, representing 61% of the total amount stolen throughout the year. These illicit activities have become a significant source of revenue for the Pyongyang regime, funding various endeavors, including the country’s nuclear program.

In response to the escalating threat posed by North Korean cybercriminals, the FBI, National Police Agency of Japan, and other US government and international partners have committed to exposing and combating the regime’s use of illicit activities, particularly in the realms of cybercrime and cryptocurrency theft. The ongoing collaboration aims to enhance cybersecurity measures and prevent further financial losses due to malicious activities orchestrated by North Korean threat groups.

As the cryptocurrency industry continues to evolve, with digital assets becoming increasingly valuable, the need for robust cybersecurity practices and proactive threat detection mechanisms has never been more critical. Organizations and individuals operating in the crypto space must remain vigilant against sophisticated cyber threats like those orchestrated by North Korean hackers in order to safeguard their assets and preserve the integrity of the digital economy.
