The FBI, Japan’s National Police Agency, and the Department of Defense Cyber Crime Center have confirmed that North Korean-linked hackers orchestrated the May 2024 $305 million breach of the Japanese crypto exchange DMM Bitcoin.
A joint statement issued on Dec. 23 attributed the attack to TraderTraitor threat actors, also known as Jade Sleet, UNC4899, and Slow Pisces. These hackers often target their victims through sophisticated social engineering attacks designed to exploit human vulnerabilities.
Independent investigations had linked the breach to the notorious Lazarus Group, another North Korean hacking syndicate infamous for large-scale crypto heists.
Crypto investigator ZachXBT highlighted similarities between the laundering methods used in this attack and those tied to Lazarus, which previously masterminded the $600 million theft from Axie Infinity’s Ronin bridge.
A Chainalysis report revealed that North Korean-backed hackers have stolen over $1.3 billion in 47 incidents this year alone.
Understanding the DMM Bitcoin hack
According to the authorities’ statement, the DMM Bitcoin breach stemmed from a well-coordinated social engineering scheme targeting employees of Ginco, a Japanese crypto wallet software firm.
In March, a North Korean operative posing as a recruiter on LinkedIn contacted a Ginco employee. The attacker shared a malicious Python script disguised as a pre-employment test hosted on a GitHub page.
Unaware of the risk, the employee copied the script to their personal GitHub account, inadvertently granting the hacker access to sensitive session cookie data. This enabled the attacker to impersonate the compromised employee and infiltrate Ginco’s unencrypted communication system.
By late May, the threat actor used this foothold to manipulate a legitimate transaction request from a DMM Bitcoin employee, ultimately stealing 4,502.9 BTC, valued at $305 million.
What next?
The incident compounded challenges for DMM Bitcoin, which recently announced plans to cease operations by March 2025.
Since then, the exchange has halted withdrawals and spot trading activities, complicating users’ efforts to transfer their assets.
However, the company intends to move all funds, including Japanese Yen and cryptocurrencies, to SBI VC Trade, a subsidiary of Japan’s financial giant SBI Holdings.