The Federal Bureau of Investigation, Department of Defense Cyber Crime Center, and National Police Agency of Japan have alerted the public to the theft of cryptocurrency worth $308 million from the Japan-based cryptocurrency company DMM by North Korean cyber actors in May 2024.
The theft is affiliated with TraderTraitor threat activity, which is also tracked as Jade Sleet, UNC4899, and Slow Pisces. TraderTraitor activity is often characterised by targeted social engineering directed at multiple employees of the same company simultaneously.
In late March 2024, a North Korean cyber actor masquerading as a LinkedIn recruiter contacted an employee at Ginco, a Japan-based enterprise cryptocurrency wallet software company.
The “threat actor” sent the target, who maintained access to Ginco’s wallet management system, a URL linked to a malicious Python script under the guise of a pre-employment test located on a GitHub page. The victim copied the Python code to their personal GitHub page, which was subsequently compromised.
After mid-May 2024, TraderTraitor actors exploited session cookie information to impersonate the compromised employee and successfully gained access to Ginco’s unencrypted communications system.
In late May 2024, the actors likely used this access to manipulate a legitimate transaction request by a DMM employee, resulting in the loss of 4,502.9 BTC, worth $308 million at the time of the attack. The stolen funds ultimately moved to TraderTraitor-controlled wallets.
The FBI, the National Police Agency of Japan, and other U.S. government and international partners said they would continue to expose and combat North Korea’s use of illicit activities—including cybercrime and cryptocurrency theft—to generate revenue for the regime.
