North Korean Hackers Linked to $305 Million DMM Bitcoin Heist, Authorities Confirm

The FBI, Japan’s National Police Agency, and the Department of Defense Cyber Crime Center have identified North Korean-linked hackers as the orchestrators of a $305 million cyberattack on Japanese cryptocurrency exchange DMM Bitcoin in May 2024.

In a Rush? Here are the Quick Facts!

  • Attack attributed to TraderTraitor, active since at least 2020 and focused on Web3 companies.
  • Breach began with a LinkedIn-based social engineering attack on a Ginco employee.
  • Stolen bitcoin laundered through a CoinJoin mixer and the Cambodia-linked HuiOne Guarantee marketplace.

A joint statement issued on December 23 attributes the breach to the TraderTraitor threat group, also known as Jade Sleet, UNC4899, and Slow Pisces.

The Hacker News explains that TraderTraitor, active since at least 2020, is known for targeting Web3 companies with malware-laced cryptocurrency apps. The group often runs job-themed social engineering campaigns or poses as a collaborator on GitHub projects in order to deliver malicious npm packages and facilitate theft.

The authorities revealed that the DMM Bitcoin breach originated from a social engineering attack on Ginco, a Japanese crypto wallet software company. In March 2024, a North Korean operative posing as a recruiter on LinkedIn sent a Ginco employee a malicious Python script disguised as a pre-employment coding test.

The employee copied the script to their personal GitHub page and was compromised as a result. The attacker then used stolen session cookie data to impersonate the employee and gain access to Ginco's unencrypted communications system.
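The chain above hinges on a single step: a "coding test" gets run before anyone reads it. The following is an added example, not code from the page, the investigating agencies, or Ginco, showing the kind of static triage a security or recruiting team can run over a take-home exercise before it is executed. The two embedded samples are constructed for this example, the fixture hostname is made up, and the indicator lists are an assumption about what a staged loader typically looks like, not a description of the actual script used against Ginco.

```python
import ast
import base64
import re

# Call targets that run code assembled at runtime.
DYNAMIC_EXEC = {"exec", "eval", "compile", "__import__"}
# Decoders commonly used to unpack a staged payload before exec().
DECODERS = {"base64.b64decode", "base64.b85decode", "base64.a85decode",
            "binascii.unhexlify", "codecs.decode"}
# A coding test has no business reaching the network or spawning shells.
NETWORK = {"urllib.request.urlopen", "requests.get", "requests.post",
           "socket.socket", "socket.create_connection"}
PROCESS = {"os.system", "os.popen", "subprocess.run", "subprocess.call",
           "subprocess.Popen", "subprocess.check_output"}
# File names of the stores Chromium-based browsers keep sessions/credentials in.
BROWSER_STORES = ("Cookies", "Login Data", "Local State")
# A long run of base64 alphabet in a source literal is a payload until shown otherwise.
BLOB_RE = re.compile(r"^[A-Za-z0-9+/]{40,}={0,2}$")


def _aliases(tree):
    """Map local names to dotted originals so `import base64 as b` cannot dodge the lists."""
    names = {}
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for a in node.names:
                if a.asname:
                    names[a.asname] = a.name
        elif isinstance(node, ast.ImportFrom) and node.module:
            for a in node.names:
                names[a.asname or a.name] = f"{node.module}.{a.name}"
    return names


def _dotted(node, aliases):
    """Render a call target such as `b.b64decode` as `base64.b64decode`."""
    if isinstance(node, ast.Name):
        return aliases.get(node.id, node.id)
    if isinstance(node, ast.Attribute):
        base = _dotted(node.value, aliases)
        return f"{base}.{node.attr}" if base else None
    return None


def triage_python_source(src):
    """Static triage of an untrusted Python file. Nothing in `src` is executed.

    Returns {"risk": "low"|"medium"|"high", "findings": [(line, rule, detail), ...]}.
    """
    tree = ast.parse(src)
    aliases = _aliases(tree)
    findings = []
    for node in ast.walk(tree):
        if isinstance(node, ast.Call):
            target = _dotted(node.func, aliases)
            if target in DYNAMIC_EXEC:
                findings.append((node.lineno, "dynamic_exec", target))
            elif target in DECODERS:
                findings.append((node.lineno, "decoder", target))
            elif target in NETWORK:
                findings.append((node.lineno, "network", target))
            elif target in PROCESS:
                findings.append((node.lineno, "process_spawn", target))
        elif isinstance(node, ast.Constant) and isinstance(node.value, str):
            text = node.value
            if BLOB_RE.match(text):
                findings.append((node.lineno, "encoded_blob", f"{len(text)}-char literal"))
            elif any(store in text for store in BROWSER_STORES):
                findings.append((node.lineno, "browser_store", text))
    rules = {rule for _, rule, _ in findings}
    if "dynamic_exec" in rules and rules & {"decoder", "encoded_blob"}:
        risk = "high"      # decode-then-exec is the staged-loader pattern
    elif rules:
        risk = "medium"    # a single indicator still needs a human look
    else:
        risk = "low"
    return {"risk": risk, "findings": sorted(findings)}


# Constructed sample: an ordinary take-home exercise.
BENIGN_TEST = '''
def fib(n):
    a, b = 0, 1
    for _ in range(n):
        a, b = b, a + b
    return a

def test_fib():
    assert [fib(i) for i in range(6)] == [0, 1, 1, 2, 3, 5]
'''

# Constructed sample: the same exercise with a staged loader in a helper nobody reads.
# The blob is base64 of a harmless print and the hostname is made up. The aliased
# imports are there to show why a naive grep for "base64" or "urllib" is not enough.
_BLOB = base64.b64encode(b"print('staged payload would run from here')").decode()
SUSPICIOUS_TEST = f'''
import base64 as _b
from urllib.request import urlopen

def fib(n):
    a, b = 0, 1
    for _ in range(n):
        a, b = b, a + b
    return a

def _load_fixtures():
    cfg = "{_BLOB}"
    exec(_b.b64decode(cfg))
    return urlopen("https://fixtures.example/latest").read()
'''

if __name__ == "__main__":
    for label, src in (("benign", BENIGN_TEST), ("suspicious", SUSPICIOUS_TEST)):
        report = triage_python_source(src)
        print(f"{label}: risk={report['risk']}")
        for line, rule, detail in report["findings"]:
            print(f"  line {line}: {rule} ({detail})")
```

The script parses the file with `ast` and never imports or runs it, so it is safe to point at anything a "recruiter" sends. A "low" result is not a clean bill of health: obfuscation beyond base64, a payload fetched at runtime, or a malicious dependency in the test's requirements would all pass, which is why the real control is to run unsolicited code only in a disposable VM with no access to the browser profile, SSH keys, or chat sessions the Ginco attacker went after.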

By late May 2024, the threat actor used that access to manipulate a legitimate transaction request from a DMM Bitcoin employee, ultimately stealing 4,502.9 BTC, worth roughly $305 million at the time.

Blockchain intelligence firm Chainalysis corroborated the findings, explaining how the attackers exploited infrastructure vulnerabilities to siphon funds.

They laundered the stolen bitcoin through intermediary addresses, a Bitcoin CoinJoin mixing service, and cross-chain bridging services before moving it to HuiOne Guarantee, an online marketplace linked to Cambodia's HuiOne Group, a known facilitator of cybercrime.

Finance Feeds reports that DMM Bitcoin has announced plans to cease operations, reaching an agreement with SBI VC Trade, the cryptocurrency division of Japanese financial giant SBI Group, to transfer its assets and customer accounts by March 2025.

Finance Feeds further notes that DMM Bitcoin clarified that while custodial assets are being transferred to SBI, leveraged trading positions will not be included. Customers must settle all open positions before the handover. The exchange confirmed it will shut down once the transfer is complete.

This disclosure underscores ongoing cybersecurity risks in the Web3 sector, with TraderTraitor remaining a persistent threat targeting the global cryptocurrency landscape.
