Tokyo, December 24, 2024 – Japanese and U.S. authorities have officially attributed a major cryptocurrency theft, amounting to $308 million, to North Korean hackers. The breach targeted DMM Bitcoin, a cryptocurrency firm, in May 2024, and has been linked to the North Korea-affiliated hacking group known as TraderTraitor, also referred to as Jade Sleet, UNC4899, and Slow Pisces1.
According to a joint statement from the FBI, the Department of Defense Cyber Crime Center, and Japan’s National Police Agency, the attackers used advanced social engineering tactics, focusing on multiple employees within the company to execute the heist. The theft has had significant consequences, prompting DMM Bitcoin to cease operations earlier this month1.
The TraderTraitor Threat
TraderTraitor is a North Korea-linked hacking collective known for targeting companies in the Web3 space. Active since at least 2020, the group employs malware-laced cryptocurrency apps and sophisticated phishing campaigns to infiltrate organizations and facilitate financial theft1.
Recent attacks have leveraged job-themed social engineering strategies, including posing as recruiters and engaging targets under the guise of professional collaboration. These tactics have enabled the deployment of malicious scripts and tools, ultimately leading to unauthorized access and theft1.
In a notable precursor to the DMM Bitcoin heist, the attackers contacted an employee of Ginco, a Japanese cryptocurrency wallet software company, in March 2024. Disguised as a recruiter, the hackers provided the victim with a malicious Python script hosted on GitHub, claiming it was part of a pre-employment test1. After the victim unknowingly uploaded the code to their personal GitHub page, the attackers exploited this access to compromise Ginco’s wallet management system.
The Attack on DMM Bitcoin
The heist culminated in late May 2024 when the hackers manipulated a legitimate transaction request using access gained through the compromised Ginco employee. This allowed them to steal 4,502.9 Bitcoin, valued at $308 million at the time1. The stolen funds were transferred to wallets controlled by the TraderTraitor group.
Subsequent investigations revealed that the stolen cryptocurrency was moved through intermediary addresses, a Bitcoin CoinJoin mixing service, and eventually to HuiOne Guarantee, an online marketplace linked to the Cambodian conglomerate HuiOne Group, which has been implicated in cybercrime facilitation.
Broader Implications
The DMM Bitcoin breach is part of a broader trend of North Korean cybercrime targeting financial institutions and cryptocurrency platforms. Blockchain intelligence firm Chainalysis confirmed the involvement of North Korean actors, noting that vulnerabilities in the firm’s infrastructure were exploited to execute unauthorized withdrawals1.
Additionally, cybersecurity researchers have identified other North Korean sub-groups, such as Andariel—a cluster within the notorious Lazarus Group—deploying new tools like the SmallTiger backdoor to target South Korean organizations.
This incident underscores the increasing sophistication of North Korean cyber operations and the ongoing threat they pose to global financial systems.
