North Korean hackers steal $308 million worth of Bitcoin from cryptocurrency company DMM Bitcoin

December 24, 2024 | Ravi Lakshmanan | Cybercrime / Malware

Japanese and US authorities had previously attributed the theft of $308 million worth of cryptocurrency from cryptocurrency company DMM Bitcoin in May 2024 to North Korean cyber actors.

“The theft is linked to the TraderTraitor threat activity, which is also tracked as Jade Sleet, UNC4899, and Slow Pisces,” the agencies said. “TraderTraitor activity is often characterized by targeted social engineering directed at multiple employees of the same company simultaneously.”

The alert comes courtesy of the US Federal Bureau of Investigation, the Department of Defense Cyber Crime Center, and the National Police Agency of Japan. It is worth noting that DMM Bitcoin shut down its operations earlier this month.

TraderTraitor refers to a persistent cluster of threat activity linked to North Korea that has a history of targeting companies in the Web3 sector, luring victims into downloading malware-laced cryptocurrency applications and ultimately facilitating theft. It is known to have been active since at least 2020.

In recent years, the hacking crew has carried out a series of attacks that leverage job-related social engineering campaigns or reach out to potential targets under the pretext of collaborating on a GitHub project, which then leads to the deployment of malicious npm packages.

However, the group is perhaps best known for infiltrating and gaining unauthorized access to JumpCloud’s systems to target a small group of end customers last year.

The attack chain documented by the FBI is no different: the threat actors contacted an employee at a Japan-based cryptocurrency wallet software company called Ginco in March 2024, posing as a recruiter and sending them a URL to a malicious Python script hosted on GitHub as part of a supposed pre-employment test.

The victim, who had access to Ginco’s wallet management system, was subsequently compromised after copying the Python code to their personal GitHub page.

The adversary moved to the next phase of the attack in mid-May 2024 when it exploited session cookie information to impersonate the compromised employee and successfully gained access to Ginco’s unencrypted communications system.

“In late May 2024, actors likely used this access to manipulate a legitimate transaction request by a DMM employee, resulting in the loss of 4,502.9 bitcoins, worth $308 million at the time of the attack,” the agencies said. “The stolen funds were eventually transferred to wallets controlled by TraderTraitor.”

The disclosure comes shortly after Chainalysis attributed the DMM Bitcoin hack to North Korean threat actors, stating that the attackers targeted infrastructure vulnerabilities to conduct unauthorized withdrawals.

“The attacker transferred millions of dollars worth of cryptocurrencies from DMM Bitcoin to multiple intermediary addresses before finally reaching the Bitcoin CoinJoin Mixing Service,” the blockchain intelligence firm said.

“After successfully mixing the stolen funds using the Bitcoin CoinJoin Mixing Service, the attackers transferred part of the funds through a number of bridging services, and finally to HuiOne Guarantee, an online marketplace linked to the Cambodian conglomerate HuiOne Group, which was previously exposed as a significant player in facilitating cybercrime.”

The development also comes as the AhnLab Security Intelligence Center (ASEC) revealed that the North Korean threat actor codenamed Andariel, a subgroup within the Lazarus Group, is deploying the SmallTiger backdoor as part of attacks targeting South Korean asset management and document centralization solutions.
