tl;dr
North Korean-linked hackers orchestrated a $305 million breach of the Japanese crypto exchange DMM Bitcoin using sophisticated social engineering tactics.
The breach involved a well-coordinated social engineering scheme targeting employees of a Japanese crypto wallet software firm, facilitated through a recruiter contact on LinkedIn.
The breach has left DMM Bitcoin, which has announced it will cease operations by March 2025, with withdrawals and spot trading halted while customer assets are moved to SBI VC Trade.
The FBI, Japan’s National Police Agency, and the Department of Defense Cyber Crime Center confirmed that North Korean hackers used a sophisticated social engineering scheme, including a fake job offer on LinkedIn, to orchestrate a $305 million breach of the Japanese crypto exchange DMM Bitcoin in May 2024. The hackers, identified as TraderTraitor threat actors, exploited human vulnerabilities to steal 4,502.9 BTC. This incident has led to DMM Bitcoin ceasing operations by March 2025, complicating users' asset transfers. The company plans to move all funds to SBI VC Trade, a subsidiary of Japan’s SBI Holdings.
The FBI, Japan’s National Police Agency, and the Department of Defense Cyber Crime Center have confirmed that North Korean-linked hackers orchestrated the May 2024 $305 million breach of the Japanese crypto exchange DMM Bitcoin. A joint statement issued on Dec. 23 attributed the attack to TraderTraitor threat actors, also known as Jade Sleet, UNC4899, and Slow Pisces. This group typically reaches its victims through sophisticated social engineering campaigns aimed at employees of crypto firms rather than at the firms’ software directly. Independent investigations had already linked the breach to the Lazarus Group, the broader North Korean operation of which TraderTraitor is generally considered a part and which is infamous for large-scale crypto heists. Crypto investigator ZachXBT highlighted similarities between the laundering methods used in this attack and those tied to Lazarus, which previously masterminded the $600 million theft from Axie Infinity’s Ronin bridge. A Chainalysis report found that North Korean-backed hackers stole over $1.3 billion across 47 incidents in 2024 alone.
According to the authorities’ statement, the DMM Bitcoin breach stemmed from a well-coordinated social engineering scheme targeting employees of Ginco, a Japanese crypto wallet software firm. In March, a North Korean operative posing as a recruiter on LinkedIn contacted a Ginco employee and sent them a malicious Python script, hosted on a GitHub page and disguised as a pre-employment coding test. Unaware of the risk, the employee copied the script to their personal GitHub account and was subsequently compromised, which exposed session cookie data for the employee’s accounts. With those cookies the attacker could impersonate the employee and gain access to Ginco’s unencrypted communications system without needing a password or a second factor. By late May, the threat actor used this foothold to manipulate a legitimate transaction request submitted by a DMM Bitcoin employee, redirecting 4,502.9 BTC, valued at $305 million, to attacker-controlled addresses.
The incident compounded the challenges facing DMM Bitcoin, which recently announced plans to cease operations by March 2025. The exchange has halted withdrawals and spot trading, complicating users’ efforts to move their assets. The company intends to transfer all customer holdings, including Japanese yen and cryptocurrencies, to SBI VC Trade, a subsidiary of Japan’s financial giant SBI Holdings.