Hackers affiliated with the North Korean regime were likely behind a $307 million attack on crypto exchange DMM Bitcoin, Japanese police announced Tuesday.
North Korean hackers are said to be behind a multimillion-dollar attack on a crypto exchange that cost the platform over $300 million in stolen crypto.
The Federal Bureau of Investigation and the Japan National Police Agency revealed in a Dec. 23 press release that the attack, which occurred in May, was linked to North Korean cyber actors and the threat group also known as TraderTraitor, Jade Sleet, UNC4899 and Slow Fish.
According to authorities, the cyberattack began when a North Korean hacker posing as a recruiter at LinkedIn contacted an employee of Ginco, a Japanese company that provides crypto wallet software. The hacker tricked the employee into downloading a malicious Python script disguised as part of pre-employment testing. The employee unknowingly uploaded the script to his personal GitHub page, allowing the attacker to access sensitive company systems.
By mid-May, attackers used stolen session cookies to impersonate the compromised employee and infiltrated Ginco’s unencrypted communications system, which led to the manipulation of a legitimate transaction request from DMM Bitcoin. Ultimately, this scheme allowed hackers to steal 4,502.9 Bitcoin (BTC), which was equivalent to $307 million at the time. The stolen cryptocurrency was then transferred to wallets controlled by the TraderTraitor group, the FBI said.
As crypto.news previously reported, the United States and South Korea have teamed up to create new mechanisms to prevent crypto thefts linked to North Korea. The two countries have reportedly signed an agreement to create joint technologies to stop crypto thefts. While details remain unclear, South Korea’s science ministry will also support the initiative until 2026.