Full Report
A joint US-Japan alert attributed the May 2024 theft of cryptocurrency worth $308m from the Japan-based company DMM to North Korean hackers.
Analysis Summary
# Threat Actor: TraderTraitor (North Korea)
## Attribution & Identity
Attributed to North Korea by the FBI, the US Department of Defense Cyber Crime Center (DC3) and the National Police Agency of Japan.
**Known Aliases/Associated Groups:** Jade Sleet, UNC4899, Slow Pisces.
## Activity Summary
Held responsible for a major cryptocurrency heist in May 2024 in which 4,502.9 Bitcoin (worth $308m at the time) were stolen from the Japan-based crypto firm DMM. The campaign began in late March 2024. The theft fits the broader pattern of North Korean actors stealing cryptocurrency to fund the regime: affiliated groups stole $1.34bn across 47 incidents in 2024 alone.
## Tactics, Techniques & Procedures
- **Social Engineering:** Targeted an employee of Ginco (a crypto wallet software company) by masquerading as a recruiter on LinkedIn.
- **Malware Delivery:** Sent the employee a URL to a malicious Python script hosted on a GitHub page, disguised as a pre-employment coding test.
- **Initial Compromise:** The victim copied the malicious Python code to their personal GitHub page and was subsequently compromised. "Supply chain" fits only loosely here: the actors compromised a wallet-software vendor's employee to reach the vendor's customer, not the vendor's software.
- **Session Hijacking:** Used session cookie information obtained from that compromise to impersonate the employee and gain unauthorized access to Ginco's unencrypted communications system.
- **Transaction Manipulation:** Used that access to manipulate a legitimate transaction request made by a DMM employee, diverting the funds to TraderTraitor-controlled wallets.
## Targeting
- Sectors: Cryptocurrency/Financial Services (specifically targeting crypto wallet software companies and crypto firms).
- Geography: Japan (Victims identified: Ginco and DMM).
- Victims: Ginco (initial access vector via employee compromise) and DMM (the victim of the final theft).
## Tools & Infrastructure
- **Malware/Code:** Malicious Python script.
- **Infrastructure:** GitHub (used for hosting the malicious script); TraderTraitor-controlled wallets (used for receiving stolen funds).
## Implications
This operation illustrates the sophistication North Korean actors bring to social engineering and supply-chain-adjacent intrusions (compromising a wallet-software vendor's employee to reach the vendor's customer) against the cryptocurrency sector. The sums involved ($308m in this theft, $1.34bn across 47 incidents in 2024) show that crypto theft remains a primary, high-value source of funding for the North Korean regime.
## Mitigations
- Treat links and attachments received through recruiting and social platforms such as LinkedIn with suspicion, especially when framed as employment-related tasks (e.g., coding tests); if such code must be run at all, run it in an isolated, disposable environment that holds no corporate credentials or session cookies.
- Strict access controls and segmentation around critical systems (internal communications systems and wallet-management systems), so that a hijacked communications session cannot by itself reach or alter transaction workflows; transaction requests should be authenticated and confirmed out of band rather than trusted because they arrived over an internal channel.
- After any execution of suspicious code, including on personal devices, review session-cookie handling and access control: treat any session material present on that device as stolen, invalidate and reissue the user's active sessions, and check for logins that reused those sessions from unfamiliar clients.
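The transaction-manipulation step in the TTP list (an actor with access to the internal communications channel altering a legitimate transfer request) and the mitigation on wallet-system controls come down to the same requirement: the approver must be able to verify that a transfer request is unaltered and genuinely from the stated requester, independently of the channel it arrived over. The following is an added example, not code from the joint alert, from DMM or from Ginco; the requester name, key, destination strings and policy limits are hypothetical placeholders. It shows a legitimate request being approved and three attacker variations (rewritten destination, replay, and a correctly authenticated request to an unregistered address) being refused.

```python
"""Added example: authenticated, allowlisted wallet transfer requests.

Not code from the joint alert, DMM or Ginco. Requester names, keys,
destination strings and policy limits are hypothetical placeholders.
"""
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional, Tuple

# Hypothetical per-requester MAC keys. In practice these live in the
# requester's hardware token and in the approval service, never in the
# chat/communications system an attacker might gain session access to.
REQUESTER_KEYS = {
    "ops-alice": bytes.fromhex("7f" * 32),  # placeholder key for the demo
}

# Pre-registered destinations (constructed placeholders, not real addresses).
DESTINATION_ALLOWLIST = {
    "bc1q-cold-storage-placeholder",
    "bc1q-exchange-hot-placeholder",
}
MAX_AMOUNT_BTC = 100.0   # hypothetical per-request policy limit
MAX_AGE_SECONDS = 600    # requests older than this are refused


def canonical(body: dict) -> bytes:
    """Deterministic encoding so both sides MAC exactly the same bytes."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def sign_request(requester: str, destination: str, amount_btc: float,
                 now: Optional[float] = None) -> dict:
    """Requester side: build a transfer request and MAC it with their key."""
    body = {
        "requester": requester,
        "destination": destination,
        "amount_btc": amount_btc,
        "nonce": secrets.token_hex(16),          # makes each request unique
        "issued_at": int(now if now is not None else time.time()),
    }
    mac = hmac.new(REQUESTER_KEYS[requester], canonical(body), hashlib.sha256)
    return {"body": body, "mac": mac.hexdigest()}


def verify_request(message: dict, seen_nonces: set,
                   now: Optional[float] = None) -> Tuple[bool, str]:
    """Approver side: refuse anything altered, replayed, stale or off-policy.
    The MAC check runs first so a body rewritten in transit never reaches
    the policy checks."""
    body = message.get("body", {})
    key = REQUESTER_KEYS.get(body.get("requester"))
    if key is None:
        return False, "unknown requester"
    expected = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, message.get("mac", "")):
        return False, "MAC mismatch: request altered in transit or not from requester"
    if body["destination"] not in DESTINATION_ALLOWLIST:
        return False, "destination not on allowlist"
    if not 0 < body["amount_btc"] <= MAX_AMOUNT_BTC:
        return False, "amount outside policy"
    current = now if now is not None else time.time()
    if abs(current - body["issued_at"]) > MAX_AGE_SECONDS:
        return False, "request stale"
    if body["nonce"] in seen_nonces:
        return False, "replayed request"
    seen_nonces.add(body["nonce"])
    return True, "approved"


def demo() -> dict:
    """Walk through the legitimate request and three attacker variations."""
    seen = set()
    clock = 1_716_000_000  # fixed clock so the walk-through is deterministic
    legit = sign_request("ops-alice", "bc1q-cold-storage-placeholder", 25.0, now=clock)
    results = {"legit": verify_request(legit, seen, now=clock)}

    # 1. Attacker with comms access rewrites the destination of a real request.
    tampered = json.loads(json.dumps(legit))
    tampered["body"]["destination"] = "bc1q-attacker-placeholder"
    results["tampered_destination"] = verify_request(tampered, set(), now=clock)

    # 2. Attacker replays the original, already-approved message.
    results["replay"] = verify_request(legit, seen, now=clock)

    # 3. Even a correctly MACed request to an unregistered address is refused,
    #    which limits the damage if a requester key is ever stolen.
    off_list = sign_request("ops-alice", "bc1q-attacker-placeholder", 25.0, now=clock)
    results["off_allowlist"] = verify_request(off_list, set(), now=clock)
    return results


if __name__ == "__main__":
    for case, (ok, reason) in demo().items():
        print(f"{case:20s} {'APPROVED' if ok else 'REFUSED '} {reason}")
```

A shared-key HMAC is used here only so the block runs on the standard library; in production the requester would hold an asymmetric key in a hardware token, the approval service would verify with the public key, and a second person would confirm the destination out of band. The control only helps while the key never touches the compromised channel: an attacker who owns the requester's endpoint and key is outside its threat model, which is why the allowlist is an independent check rather than a consequence of the MAC.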