The biggest crypto heist of 2024 was conducted by seasoned cybercriminals working on behalf of North Korea’s government, according to the FBI.
Analysis Summary
# Threat Actor: TraderTraitor (Lazarus Group)
## Attribution & Identity
Attributed to North Korea’s government, frequently referred to by researchers as Lazarus or TraderTraitor.
## Activity Summary
The actor was responsible for the largest crypto heist of 2024, stealing $308 million in cryptocurrency (4,502.9 BTC) from the Japanese platform DMM in May 2024. The breach involved compromising a Japan-based cryptocurrency wallet software firm in late March 2024, which provided pivot access to DMM. The final theft occurred by manipulating a legitimate transaction request from a DMM employee.
Other historical, attributed activities include:
* $100 million hack of Atomic Wallet (June 2, 2023).
* $60 million theft from Alphapo (June 22, 2023).
* $37 million theft from CoinsPaid (June 22, 2023).
* $100 million hack of Harmony’s Horizon bridge (prior attribution).
* $600 million hack of Sky Mavis’ Ronin Bridge (prior attribution).
* Chainalysis figures indicate North Korean-linked groups stole $1.34 billion across 47 incidents in 2024 (as of the article date).
## Tactics, Techniques & Procedures
- Compromise of a third-party software vendor (a Japan-based cryptocurrency wallet software firm) to gain initial network access.
- Lateral movement/pivoting from the vendor to the primary target (DMM).
- Manipulation of legitimate employee transactions to authorize the fund transfer.
- Impersonation of developers or recruiters on platforms like GitHub, LinkedIn, Slack, and Telegram to target employees of blockchain/crypto organizations and their vendors.
## Targeting
- **Sectors:** Cryptocurrency and blockchain organizations; technology firms that serve the crypto sector (vendors).
- **Geography:** Japan (DMM, wallet software firm).
- **Victims:** DMM, Atomic Wallet, Alphapo, CoinsPaid, Harmony (Horizon Bridge), Sky Mavis (Ronin Bridge).
## Tools & Infrastructure
- **Malware families used:** Not explicitly named, but associated with the broader Lazarus/TraderTraitor operations.
- **Infrastructure (C2, domains, IPs):** Stolen funds were moved to TraderTraitor-controlled wallets. (The source text gives no specific C2 domains or IP addresses.)
## Implications
The actor demonstrates high persistence and sophisticated supply chain compromise techniques against the cryptocurrency ecosystem, indicating robust state support for generating revenue through cybercrime. The scale of attacks continues to grow significantly year-over-year ($660.5 million stolen in 2023 vs. $1.34 billion in the first half of 2024). The DMM breach was severe enough to force the company to announce its closure and take out significant loans to cover the Bitcoin loss.
## Mitigations
- Increase security scrutiny and risk management evaluations of third-party vendors, especially those in the cryptocurrency software space.
- Implement strong security controls around critical financial transaction authorization processes so that a transaction request cannot be manipulated, including by an attacker operating with compromised employee credentials.
- Remain vigilant against social engineering and impersonation campaigns targeting developers and employees on professional and development collaboration platforms (GitHub, Slack, LinkedIn).
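As an added illustration of the transaction-authorization control above (example code, not from the report or from any named organization): each approver independently signs a digest of the exact destination and amount, and the release step demands a quorum of distinct valid signatures over the request as finally submitted, so a request whose destination or amount was altered after approval is rejected. Approver identities, keys and the destination strings are constructed placeholders.

```python
import hashlib
import hmac
import json

# Constructed example: a withdrawal request is approved out-of-band by signing a
# digest of its security-relevant fields. If the request that reaches the signing
# step differs from what approvers verified, none of their signatures match.

APPROVAL_QUORUM = 2

# Hypothetical per-approver secrets; in practice held in HSMs or hardware keys.
APPROVER_KEYS = {
    "approver-a": b"constructed-secret-a",
    "approver-b": b"constructed-secret-b",
    "approver-c": b"constructed-secret-c",
}


def tx_digest(tx: dict) -> str:
    """Canonical SHA-256 over the fields an attacker would want to alter."""
    canonical = json.dumps(
        {"request_id": tx["request_id"], "dest": tx["dest"], "amount_btc": tx["amount_btc"]},
        sort_keys=True, separators=(",", ":"),
    )
    return hashlib.sha256(canonical.encode()).hexdigest()


def approve(approver: str, tx: dict) -> tuple[str, str]:
    """An approver signs the digest of the request exactly as they verified it."""
    tag = hmac.new(APPROVER_KEYS[approver], tx_digest(tx).encode(), "sha256").hexdigest()
    return approver, tag


def authorize(tx: dict, approvals: list[tuple[str, str]]) -> bool:
    """Release only if a quorum of distinct approvers signed THIS exact request."""
    digest = tx_digest(tx)
    valid = set()  # distinct approvers; a replayed signature counts once
    for approver, tag in approvals:
        key = APPROVER_KEYS.get(approver)
        if key is None:
            continue  # unknown approver: ignore
        expected = hmac.new(key, digest.encode(), "sha256").hexdigest()
        if hmac.compare_digest(expected, tag):
            valid.add(approver)
    return len(valid) >= APPROVAL_QUORUM


if __name__ == "__main__":
    original = {"request_id": "req-1", "dest": "bc1q-constructed-legit", "amount_btc": 4502.9}
    sigs = [approve("approver-a", original), approve("approver-b", original)]
    print("original:", authorize(original, sigs))
    print("tampered:", authorize(dict(original, dest="bc1q-constructed-other"), sigs))
```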