North Korean Hackers Steal $308 Million in Cryptocurrency from DMM

In a significant cyber heist, North Korean cyber actors have stolen $308 million in cryptocurrency from the Japan-based exchange DMM. The theft, which occurred in May 2024, is linked to a group known as TraderTraitor, also identified as Jade Sleet, UNC4899, and Slow Pisces.

The FBI, the Department of Defense Cyber Crime Center (DC3), and Japan’s National Police Agency (NPA) are issuing a warning to raise public awareness. TraderTraitor is notorious for its targeted social engineering tactics, often aiming at multiple employees within the same organization.

The attack began in late March 2024 when a North Korean hacker, posing as a recruiter on LinkedIn, contacted an employee at Ginco, a company specializing in cryptocurrency wallet software. The hacker lured the employee by sending a link to a malicious Python script disguised as a pre-employment test hosted on GitHub.

Once the victim unwittingly uploaded the script to their personal GitHub page, their access to Ginco’s wallet management system was compromised. By mid-May, TraderTraitor actors exploited session cookies to impersonate the hacked employee. This breach enabled them to infiltrate Ginco’s unencrypted communications system.

By late May, the hackers manipulated a legitimate transaction request from a DMM employee, leading to the unauthorized transfer of 4,502.9 BTC. At the time of the theft, the funds were valued at $308 million. The stolen cryptocurrency was subsequently moved to wallets controlled by TraderTraitor.

Authorities are committed to exposing and combating North Korea’s cybercrime activities. They aim to disrupt the regime’s efforts to generate revenue through illicit means, including cryptocurrency theft.