In May 2024, a cryptocurrency theft involving $308 million was linked to North Korean Hackers by the Federal Bureau of Investigation (FBI), the Department of Defense Cyber Crime Center (DC3), and the National Police Agency (NPA) of Japan. The theft targeted DMM, a Japan-based cryptocurrency company, and was part of ongoing illicit activities by North Korean cyber actors, who have increasingly used cybercrime to generate revenue for the regime.
The cybercriminal group behind the attack has been tracked under various aliases, including TraderTraitor, Jade Sleet, UNC4899, and Slow Pisces. These actors are known for their use of targeted social engineering techniques to gain access to critical systems. In this particular case, the attackers compromised the DMM cryptocurrency wallet through a series of carefully planned actions that ultimately resulted in the theft of 4,502.9 Bitcoin (BTC), worth approximately $308 million at the time.
The Attack: Social Engineering and Malware Exploitation
The series of events leading up to the cryptocurrency theft began in late March 2024 when a North Korean cyber actor, posing as a recruiter, contacted an employee at Ginco, a Japan-based cryptocurrency wallet software company. This individual, who had access to Ginco’s wallet management system, was targeted with a malicious link disguised as a pre-employment test. The link led to a Python script hosted on GitHub.
Believing the communication to be legitimate, the employee copied the Python code to their personal GitHub page, unknowingly setting the stage for a security breach. The malware hidden within the Python script provided the attackers with a foothold into the employee’s system. Once the malware was activated, it compromised the employee’s account, allowing the attackers to harvest sensitive data.
North Korean Hackers Gained Access to DMM’s Systems
By mid-May 2024, the TraderTraitor cyber actors exploited the compromised employee’s session cookie information to impersonate the victim. This granted them access to Ginco’s unencrypted communications system, which contained critical information on transactions and company operations. The actors were able to use this access to manipulate an ongoing transaction request from DMM, ultimately redirecting the cryptocurrency funds into wallets controlled by the attackers.
The fraudulent transaction involved the theft of a large sum of Bitcoin—4,502.9 BTC—at the time valued at $308 million. The stolen funds were subsequently moved to wallets under the control of TraderTraitor, and their movement has been tracked by authorities, although the attackers continue to attempt to cover their tracks.
Ongoing Investigations and International Collaboration
The FBI, DC3, and NPA have emphasized that this incident is part of a larger pattern of illicit activities carried out by North Korean cyber actors. These actors have been known to engage in cybercrime, including cryptocurrency theft, to generate revenue that supports North Korea’s regime. The investigation into this theft is ongoing, with law enforcement and cybersecurity experts working across borders to trace the stolen funds and expose the full extent of the cyber actors’ activities.
The collaboration between U.S. and Japanese authorities, along with other international partners, plays a critical role in identifying and holding accountable those responsible for such large-scale thefts.
Impact on the Cryptocurrency Industry
While cryptocurrency transactions offer a degree of anonymity, the movement of large sums of money is still traceable, and authorities are able to track stolen funds across the blockchain. However, the challenge remains in recovering these funds and preventing further thefts.
As cybercriminals continue to refine their techniques, the need for enhanced cybersecurity measures and vigilant monitoring in the cryptocurrency industry becomes even more critical.
A Broader Campaign of Cybercrime
North Korean cyber actors, often linked to the Lazarus Group, have a history of engaging in cybercrime to fund state operations. The group has been attributed with several high-profile cyberattacks, including cyberattacks on financial institutions, cryptocurrency exchanges, and critical infrastructure. These activities are often part of a broader strategy to circumvent international sanctions and generate illicit revenue for the regime.
The attack on DMM is a prime example of how cybercriminals, backed by nation-states, can use advanced tactics like social engineering and malware to exploit vulnerabilities within organizations. In this case, the success of the attack was partly due to the ability of the cyber actors to manipulate an ongoing legitimate transaction, illustrating the risks posed to businesses operating in the financial and cryptocurrency sectors.
Continued Efforts to Combat Cybercrime
The FBI, DC3, NPA, and other international partners remain committed to investigating and exposing North Korea’s cyber activities. Their efforts focus on preventing future attacks, tracking stolen assets, and holding those responsible accountable. While this particular theft resulted in a significant financial loss, it also highlights the broader issue of cybercrime and the importance of continued international collaboration to combat these growing threats.
As investigations continue, law enforcement agencies are urging cryptocurrency companies and other financial institutions to strengthen their cybersecurity defenses and implement more robust measures to protect against social engineering and other malicious tactics. The DMM attack serves as a stark reminder of the evolving nature of cyber threats and the need for proactive security strategies in the ever-changing digital landscape.
The theft of $308 million from DMM by North Korean cyber actors is a significant reminder of the evolving threat landscape in the digital world. As investigations continue, authorities remain committed to exposing these illicit activities and preventing further attacks.
