Japanese and US authorities have previously attributed the theft of cryptocurrency worth $308 million from cryptocurrency company DMM Bitcoin in May 2024 to North Korean cyber actors.
“The theft is affiliated with the threat activity of TraderTraitor, also tracked under the names Jade Sleet, UNC4899 and Slow Pisces,” the agencies said. “TraderTraitor activity is often characterized by targeted social engineering directed simultaneously at multiple employees of the same company.”
The alert comes courtesy of the U.S. Federal Bureau of Investigation (FBI), the U.S. Department of Defense Cyber Crime Center, and the National Police Agency of Japan. It should be noted that DMM Bitcoin stopped its operations earlier this month following the hack.
TraderTraitor refers to a persistent threat activity group linked to North Korea that has a history of targeting businesses in the Web3 sector, tricking victims into downloading malware-laden cryptocurrency applications and ultimately facilitating theft. It is known to have been active since at least 2020.
In recent years, the hacking team has orchestrated a series of attacks involving employment-themed social engineering campaigns, or has approached potential targets under the guise of collaborating on a GitHub project, which then leads to the deployment of malicious npm packages.
The group, however, is perhaps best known for infiltrating and gaining unauthorized access to JumpCloud’s systems to target a small set of downstream customers last year.
The attack chain documented by the FBI is no different: in March 2024 the threat actors contacted an employee of a Japanese cryptocurrency wallet software company named Ginco, posing as a recruiter and sending him a URL to a malicious Python script hosted on GitHub as part of a so-called pre-employment test.
The victim, who had access to Ginco’s wallet management system, was compromised after copying the Python code to his personal GitHub page.
The adversary moved to the next phase of the attack in mid-May 2024, when it leveraged session cookie information to impersonate the compromised employee and managed to gain access to Ginco’s unencrypted communications system.
“In late May 2024, the actors likely used this access to manipulate a legitimate transaction request from a DMM employee, resulting in the loss of 4,502.9 BTC, worth $308 million at the time of the attack,” the agencies said. “The stolen funds were ultimately transferred to wallets controlled by TraderTraitor.”
The disclosure comes shortly after Chainalysis attributed the DMM Bitcoin hack to North Korean threat actors, saying the attackers were targeting infrastructure vulnerabilities to make unauthorized withdrawals.
“The attacker moved millions of dollars of crypto from DMM Bitcoin to multiple intermediary addresses before finally reaching a Bitcoin CoinJoin mixing service,” the blockchain intelligence firm said.
“After successfully mixing the stolen funds using the Bitcoin CoinJoin mixing service, the attackers transferred some of the funds through a number of bridging services, and finally to HuiOne Guarantee, an online marketplace linked to the Cambodian conglomerate HuiOne Group, which was previously exposed as a significant player in facilitating cybercrime.”
The development also comes as AhnLab Security Intelligence Center (ASEC) revealed that the North Korean threat actor named Andariel, a sub-cluster of the Lazarus Group, is deploying the SmallTiger backdoor in attacks targeting South Korean asset management and document centralization solutions.