The FBI said on Tuesday that a gang of North Korean-affiliated threat actors stole $308 million worth of cryptocurrency from a Japanese crypto company by masquerading as LinkedIn recruiters.
The FBI, along with the US Department of Defense Cyber Crime Center (DC3) and the National Police Agency of Japan, publicly announced the massive crypto heist late Tuesday.
Authorities say hackers linked to the Democratic People's Republic of Korea wrested $308 million worth of crypto from the Japan-based exchange DMM Bitcoin this past May.
The hack was so devastating that just three weeks ago DMM Bitcoin, which had reportedly been revamping its operations after the heist, announced it would cease operations and planned to liquidate all of its assets.
🇯🇵 LATEST: Japan crypto exchange DMM Bitcoin is set to liquidate
DMM Bitcoin, which suffered a private key hack in May that caused a loss of $320M in #Bitcoin, is ceasing efforts to revamp operations.
Cointelegraph (@Cointelegraph), December 2, 2024
The theft itself was said to be affiliated with “TraderTraitor” threat activity, which is also tracked as Jade Sleet, UNC4899, and Slow Pisces, the FBI said.
According to officials, TraderTraitor threat actors are known to target multiple employees at the same company in the same period of time using social engineering techniques, and this heist was no exception.
The crypto heist
It began in March 2024, when one of the hackers, posing as a recruiter on LinkedIn, contacted an employee at another Japan-based firm, Ginco, which is a crypto wallet software company.
“The threat actor sent the target, who maintained access to Ginco’s wallet management system, a URL linked to a malicious Python script under the guise of a pre-employment test located on a GitHub page,” the FBI said.
The targeted employee copied the Python code to their personal GitHub page and was subsequently compromised, setting the stage for TraderTraitor to make their move.
The FBI and international partners are reporting a North Korean crypto theft from a Japan-based company. After an initial compromise with social engineering techniques, the cyber actors used TraderTraitor malware to steal cryptocurrency worth $308 million: https://t.co/8kRsTrTqK5
FBI (@FBI), December 24, 2024
In mid-May, TraderTraitor hackers were able to gain access to Ginco’s unencrypted communications system, successfully impersonating the compromised employee by exploiting session cookie information.
By late May, the FBI said the same threat actors “likely used this access to manipulate a legitimate transaction request by a DMM employee” which resulted in the loss of 4,502.9 BTC, reportedly worth $308 million at the time of the attack. The stolen Bitcoin was eventually moved to TraderTraitor-controlled wallets.
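The chain the FBI describes here, a stolen session cookie replayed to impersonate an employee and then a manipulated transaction request, is the kind of misuse that server-side session-binding checks are meant to surface. The following is an added example and not code from the article, the FBI, Ginco or DMM Bitcoin: it parses constructed audit log lines (the field names, session ids, addresses and amounts are all assumptions), flags any session whose later requests arrive from a different source IP or User-Agent than the login that created it, and holds every transaction request issued over a flagged session for out-of-band review rather than letting it proceed.

```python
"""Added example: detect session-cookie reuse from a new client fingerprint
and hold transactions that arrive over a flagged session.

All log lines and field names below are constructed for this example; they are
not the formats of any real exchange or wallet provider.
"""
from __future__ import annotations

from dataclasses import dataclass

# Constructed audit records, one per authenticated request.
# Layout: <timestamp> <event> key=value ...  (User-Agent kept as one token
# for simplicity; a real parser would handle quoted values).
SAMPLE_LOG = """\
2024-05-13T09:02:11Z login   sid=a1f3 ip=203.0.113.10 ua=Chrome/124 user=ops1
2024-05-13T09:05:40Z request sid=a1f3 ip=203.0.113.10 ua=Chrome/124 path=/wallet/list
2024-05-13T10:00:00Z login   sid=b7c2 ip=203.0.113.22 ua=Firefox/125 user=ops2
2024-05-13T10:01:30Z tx      sid=b7c2 ip=203.0.113.22 ua=Firefox/125 dest=bc1qknown amount=0.5
2024-05-13T22:14:03Z request sid=a1f3 ip=198.51.100.77 ua=python-requests/2.31 path=/wallet/list
2024-05-13T22:15:19Z tx      sid=a1f3 ip=198.51.100.77 ua=python-requests/2.31 dest=bc1qexample amount=12.5
"""


@dataclass
class Event:
    ts: str
    kind: str          # "login", "request" or "tx"
    fields: dict[str, str]


@dataclass
class SessionState:
    owner: str
    ip: str
    ua: str
    flagged: bool = False


def parse_log(text: str) -> list[Event]:
    """Parse the constructed line format into Event objects, oldest first."""
    events: list[Event] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, kind, *pairs = line.split()
        fields = dict(pair.split("=", 1) for pair in pairs)
        events.append(Event(ts, kind, fields))
    # ISO-8601 UTC timestamps sort correctly as strings.
    return sorted(events, key=lambda e: e.ts)


def detect_session_anomalies(events: list[Event]) -> tuple[list[str], list[tuple[str, str, str, str]]]:
    """Return (alerts, held_transactions).

    A session is flagged the first time a request carries a different
    source IP or User-Agent than the login that minted the cookie. Any
    'tx' event on a flagged or unknown session is held as
    (session_id, owner, destination, amount) for manual confirmation.
    """
    sessions: dict[str, SessionState] = {}
    alerts: list[str] = []
    held: list[tuple[str, str, str, str]] = []

    for ev in events:
        sid = ev.fields["sid"]
        if ev.kind == "login":
            sessions[sid] = SessionState(ev.fields["user"], ev.fields["ip"], ev.fields["ua"])
            continue

        state = sessions.get(sid)
        if state is None:
            # Cookie presented without any recorded login: treat as hostile.
            alerts.append(f"{ev.ts} unknown session {sid} used from {ev.fields['ip']}")
            if ev.kind == "tx":
                held.append((sid, "<unknown>", ev.fields["dest"], ev.fields["amount"]))
            continue

        changed = ev.fields["ip"] != state.ip or ev.fields["ua"] != state.ua
        if changed and not state.flagged:
            state.flagged = True
            alerts.append(
                f"{ev.ts} session {sid} of {state.owner} reused from "
                f"{ev.fields['ip']} ({ev.fields['ua']}); minted at {state.ip} ({state.ua})"
            )

        if ev.kind == "tx" and state.flagged:
            held.append((sid, state.owner, ev.fields["dest"], ev.fields["amount"]))

    return alerts, held


if __name__ == "__main__":
    found_alerts, held_tx = detect_session_anomalies(parse_log(SAMPLE_LOG))
    for a in found_alerts:
        print("ALERT:", a)
    for h in held_tx:
        print("HELD FOR REVIEW:", h)
```

In the constructed log only session a1f3 changes fingerprint, so the single alert names it and the only held transaction is the one issued over that session; ops2's transaction, made from the same client that logged in, passes through. Binding a cookie to IP and User-Agent is a coarse control (mobile users roam, corporate proxies rotate), so in practice the hold triggers a second-channel confirmation of the transaction rather than an outright block.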
It’s not the first time the cybercriminal outfit has been caught stealing crypto on behalf of the DPRK.
In August 2023, the FBI identified TraderTraitor-affiliated threat actors as the same Pyongyang-backed gang of hackers known as the Lazarus Group.
The group is also known as Hidden Cobra or APT38; at the time, the FBI put out a warning bulletin to cryptocurrency companies that it was getting ready to try to cash out about $40 million worth of stolen crypto on the dark markets.
Proceeds from North Korean-backed illicit activities worldwide are funneled back to the regime to pay for its national weapons programs, including weapons of mass destruction (WMD).