FBI confirms $305 million DMM Bitcoin hack executed through third-party provider


The US Federal Bureau of Investigation has confirmed that North Korean hackers targeted a third-party wallet provider to orchestrate the $305 million breach of the Japanese crypto exchange DMM Bitcoin in May this year.

A joint statement issued by the FBI, US Department of Defense Cyber Crime Center, and National Police Agency of Japan has attributed the attack to TraderTraitor threat activity characterized by “targeted social engineering directed at multiple employees of the same company simultaneously.” TraderTraitor, also known as Jade Sleet, UNC4899, and Slow Pisces, is believed to be a part of the notorious Lazarus group.

According to the US and Japanese authorities, the breach at DMM Bitcoin was the result of a meticulously coordinated social engineering scheme aimed at employees of Ginco, a Japanese crypto wallet software company.

The threat actor posed as a recruiter on LinkedIn to a Ginco employee and inserted malicious code into a Python script disguised as a pre-employment test.

“In late March 2024, a North Korean cyber actor, masquerading as a recruiter on LinkedIn, contacted an employee at Ginco, a Japan-based enterprise cryptocurrency wallet software company. The threat actor sent the target, who maintained access to Ginco’s wallet management system, a URL linked to a malicious Python script under the guise of a pre-employment test located on a GitHub page. The victim copied the Python code to their personal GitHub page and was subsequently compromised,” the statement said.

Two months later, TraderTraitor impersonated the employee by exploiting acquired session cookies and gained unauthorized access to Ginco’s communications system. This breach enabled the hackers to manipulate a transaction request from a DMM employee, resulting in the loss of 4,502.9 BTC, worth $308 million at the time of the attack, said the investigators.

This development puts the spotlight on Liminal, a digital asset custody solutions provider, which found itself under scrutiny following the loss of $234 million in cryptocurrency on the Indian exchange and trading platform WazirX in July of this year.

According to a chargesheet filed by Delhi Police last month, Liminal had not provided any details regarding the WazirX hack incident, despite receiving several notices from the authorities. The Delhi Police had asked Liminal to share specific logs and data related to the crypto assets at the time of the hack. However, the chargesheet indicated that Liminal did not comply with these requests.
