North Korean hackers were behind the $308 million hack of Japanese crypto exchange DMM in May, according to U.S. and Japanese law enforcement agencies. The FBI, along with the Department of Defense Cyber Crime Center and National Police Agency of Japan, identified the group responsible for the theft as TraderTraitor.
This incident is part of a larger trend of North Korean involvement in crypto crime, as highlighted in Chainalysis’ annual report. In 2024, North Korea was linked to more than half of the total crypto value stolen, amounting to $1.34 billion across 47 incidents. This represents a significant increase from the $660 million stolen in the previous year.
TraderTraitor, also known by aliases such as Jade Sleet, UNC4899, and Slow Pisces, is known for using targeted social engineering tactics. In the case of the DMM hack, the hackers inserted malicious code into a Python script disguised as a pre-employment test. The script was then sent to a candidate at an outside enterprise, Ginco, by a fake recruiter on LinkedIn.
The unwitting victim copied the code to their personal GitHub page, unknowingly providing TraderTraitor with access to session cookie information that allowed them to infiltrate Ginco’s communications system. Several months later, the hackers used this access to intercept a legitimate transaction request by a DMM employee, resulting in the theft of 4,502.9 bitcoin and ultimately leading to the exchange’s closure.
This sophisticated operation underscores the growing threat of cybercrime in the cryptocurrency space, particularly from state-sponsored actors like North Korea. As law enforcement agencies continue to investigate and combat these threats, it is crucial for exchanges and individuals to remain vigilant and implement robust security measures to protect against such attacks.