North Korean Hackers Steal 4500 Bitcoins from DMM Exchange in Sophisticated Social Engineering Attack
In a shocking turn of events, the Japanese cryptocurrency exchange DMM was hit by a major security breach in May 2024, resulting in the theft of 4500 bitcoins, valued at $349 million at the time. Despite the significant loss, DMM secured 55 billion yen through its parent company's support and external financing to buy back the lost bitcoins, so that no users suffered any financial loss.
The Federal Bureau of Investigation (FBI) has attributed this sophisticated cyber attack to a hacker group known as TraderTraitor, which is linked to North Korean hackers. Their primary objective is to launch attacks in the cryptocurrency domain to steal digital currencies.
The FBI's investigation reveals a more complex scenario than initially speculated by the tech community. It involved an intricate social engineering scheme that began in March 2024, when the hackers, posing as legitimate recruiters on LinkedIn, managed to engage an employee from the Japanese cryptocurrency wallet developer, Ginco.
The hackers offered the Ginco employee, who had access to Ginco's cryptocurrency wallet management system, a job and asked them to complete a pre-employment test hosted on GitHub. The victim was then tricked into copying a malicious Python code snippet onto their personal GitHub page for testing. This compromised the employee's computer, from which the attackers infiltrated Ginco's systems and moved laterally to DMM.
By mid-May 2024, the hackers used stolen session cookie information to impersonate the infected employee, gaining access to Ginco's unencrypted communication system. By late May, they likely manipulated a legitimate transfer request from DMM employees, presumably changing the destination wallet address to one under their control, culminating in the theft of 4502.9 bitcoins.
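The manipulation described above succeeds when a wallet service trusts the transfer fields of a request simply because they arrive over an authenticated session, so a stolen cookie is enough to rewrite the destination. The following added example (not code from DMM, Ginco or the FBI report) shows one defensive pattern: the requesting side attaches an authenticator over the transfer fields using a key that never touches the web session (assumed here to live with the operator, e.g. in a hardware token), and the wallet side checks it plus a pre-registered destination allowlist before building any transaction. All keys, addresses and request values are constructed placeholders.

```python
import hmac
import hashlib
import json

# Hypothetical operator key: held by the requesting operator (e.g. in a hardware
# token), never in the web session, so a stolen cookie cannot re-sign altered fields.
OPERATOR_KEY = b"constructed-demo-key-not-for-production"

# Constructed allowlist of destination addresses registered ahead of time.
ALLOWED_DESTINATIONS = {"bc1qexampleallowlisted000000000000000000000"}


def canonical(request: dict) -> bytes:
    """Canonical JSON of the transfer fields that must not change in transit."""
    fields = {k: request[k] for k in ("request_id", "amount_btc", "destination")}
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def sign_request(request: dict, key: bytes = OPERATOR_KEY) -> dict:
    """Requesting side: attach an HMAC-SHA256 authenticator over the transfer fields."""
    signed = dict(request)
    signed["auth"] = hmac.new(key, canonical(request), hashlib.sha256).hexdigest()
    return signed


def verify_transfer(request: dict, key: bytes = OPERATOR_KEY) -> tuple[bool, str]:
    """Wallet side: reject the request before any transaction is built or signed."""
    expected = hmac.new(key, canonical(request), hashlib.sha256).hexdigest()
    # Constant-time comparison; a rewritten destination changes the canonical bytes.
    if not hmac.compare_digest(expected, request.get("auth", "")):
        return False, "authenticator mismatch: transfer fields altered or unsigned"
    if request["destination"] not in ALLOWED_DESTINATIONS:
        return False, "destination not on pre-registered allowlist"
    return True, "ok"


# Constructed sample: a legitimate signed request, then the same request with the
# destination swapped in transit, the manipulation the report describes.
LEGIT = sign_request({"request_id": "req-001", "amount_btc": "4502.9",
                      "destination": "bc1qexampleallowlisted000000000000000000000"})
TAMPERED = dict(LEGIT, destination="bc1qattackercontrolled00000000000000000000")

if __name__ == "__main__":
    print(verify_transfer(LEGIT))     # (True, 'ok')
    print(verify_transfer(TAMPERED))  # (False, 'authenticator mismatch: ...')
```

The allowlist is the second, independent gate: even a request that is correctly signed for a new address is refused until that address has been registered through a separate, slower channel.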
This attack highlights the complex nature of social engineering attacks and the lengths to which hackers, particularly TraderTraitor (also tracked as UNC4899, Jade Sleet, and Slow Pisces), will go to infiltrate and exploit blockchain-related targets. Active since 2022, this group has focused on the blockchain sector through the use of fraudulent applications.