
Dark Web Informer - Cyber Threat Intelligence

FBI, DC3, and NPA Identify North Korean Cyber Actors, Known as TraderTraitor, Behind $308 Million Cryptocurrency Theft from Bitcoin.DMM.com

The Federal Bureau of Investigation (FBI), the Department of Defense Cyber Crime Center (DC3), and Japan's National Police Agency (NPA) have jointly issued a warning regarding the theft of $308 million USD in cryptocurrency from Japan-based Bitcoin.DMM.com. The attack, carried out in May 2024, has been attributed to North Korean cyber actors operating under the threat group TraderTraitor, also tracked as Jade Sleet, UNC4899, and Slow Pisces. TraderTraitor’s tactics are marked by sophisticated social engineering techniques, often targeting multiple employees within the same organization.

Targeting Through Social Engineering

In late March 2024, a North Korean cyber actor posing as a recruiter on LinkedIn reached out to an employee of Ginco, a Japan-based cryptocurrency wallet software company. The threat actor sent a malicious Python script disguised as a pre-employment test via a GitHub link. Unaware of the threat, the victim copied the code to their personal GitHub repository, inadvertently allowing the actor to compromise their system.

Exploitation of Session Cookies

By mid-May 2024, the TraderTraitor actors leveraged session cookie data from the compromised employee to impersonate them and gain unauthorized access to Ginco’s unencrypted communication systems. This foothold allowed the attackers to intercept and manipulate legitimate transaction requests.

Execution of the Heist

In late May 2024, the attackers exploited their access to Ginco’s systems to manipulate a transaction request initiated by a DMM employee. The result was the transfer of 4,502.9 BTC—valued at $308 million at the time—to wallets controlled by TraderTraitor.

Attribution and Advisory

Authorities have confirmed that the stolen funds have been transferred to cryptocurrency wallets under TraderTraitor’s control. The group remains active, and organizations are urged to implement robust cybersecurity measures, especially against social engineering threats.

FBI Official Press Release: https://www.fbi.gov/news/press-releases/fbi-dc3-and-npa-identification-of-north-korean-cyber-actors-tracked-as-tradertraitor-responsible-for-theft-of-308-million-from-bitcoindmmcom
