North Korean hackers steal $308M in crypto posing as LinkedIn recruiters


The FBI said on Tuesday that a gang of North Korean-affiliated threat actors stole $308 million worth of cryptocurrency from a Japanese crypto company by masquerading as LinkedIn recruiters.

The FBI, along with the US Department of Defense Cyber Crime Center (DC3) and the National Police Agency of Japan publicly announced the massive crypto heist late Tuesday.

Authorities say hackers linked to the Democratic People's Republic of Korea wrested $308 million worth of crypto from the Japan-based exchange DMM Bitcoin this past May.


The hack was so devastating that just three weeks ago, DMM Bitcoin, which was said to be revamping its operations after the heist, announced it would cease operations and planned to liquidate all of its assets.

The theft itself was said to be affiliated with “TraderTraitor” threat activity, which is also tracked as Jade Sleet, UNC4899, and Slow Pisces, the FBI said.

According to officials, TraderTraitor threat actors are known to target multiple employees at the same company within the same period using social engineering techniques, and this heist was no exception.

The crypto heist

It began in March 2024, when one of the hackers, posing as a recruiter on LinkedIn, contacted an employee at another Japan-based firm, Ginco, which is a crypto wallet software company.

“The threat actor sent the target, who maintained access to Ginco’s wallet management system, a URL linked to a malicious Python script under the guise of a pre-employment test located on a GitHub page,” the FBI said.


The targeted employee copied the Python code to their personal GitHub page and was subsequently compromised, setting the stage for TraderTraitor to make its move.

In mid-May, TraderTraitor hackers were able to gain access to Ginco’s unencrypted communications system, successfully impersonating the compromised employee by exploiting session cookie information.

By late May, the FBI said the same threat actors “likely used this access to manipulate a legitimate transaction request by a DMM employee” which resulted in the loss of 4,502.9 BTC, reportedly worth $308 million at the time of the attack. The stolen Bitcoin was eventually moved to TraderTraitor-controlled wallets.

It’s not the first time the cybercriminal outfit has been caught stealing crypto on behalf of the DPRK.

In August 2023, the FBI identified TraderTraitor-affiliated threat actors as the same Pyongyang-backed gang of hackers known as the Lazarus Group.


At the time, the FBI had put out a warning bulletin to cryptocurrency companies that the group, also known as Hidden Cobra or APT38, was getting ready to try to cash out about $40 million worth of stolen crypto on dark markets.

Stolen monies generated by North Korean-backed illicit activities worldwide get funneled back to the regime to pay for its national weapons programs, including weapons of mass destruction (WMD).
