Summary: Authorities have linked the theft of $308 million in cryptocurrency from DMM Bitcoin to North Korean cyber actors known as TraderTraitor. This group employs social engineering tactics to compromise employees and facilitate theft in the Web3 sector.
Threat Actor: North Korean cyber actors | TraderTraitor
Victim: DMM Bitcoin
Key Points:
- The TraderTraitor group has a history of targeting Web3 companies and using social engineering to deploy malware.
- In March 2024, they compromised an employee at Ginco, leading to unauthorized access to DMM Bitcoin’s systems.
- The attack resulted in the theft of 4,502.9 BTC, which was subsequently funneled through various wallets and mixing services.
- Chainalysis confirmed the attackers exploited infrastructure vulnerabilities for unauthorized withdrawals.
- North Korean sub-cluster Andariel is also active, deploying the SmallTiger backdoor in related attacks.
Japanese and U.S. authorities have formally attributed the theft of cryptocurrency worth $308 million from cryptocurrency company DMM Bitcoin in May 2024 to North Korean cyber actors.
“The theft is affiliated with TraderTraitor threat activity, which is also tracked as Jade Sleet, UNC4899, and Slow Pisces,” the agencies said. “TraderTraitor activity is often characterized by targeted social engineering directed at multiple employees of the same company simultaneously.”
The alert comes courtesy of the U.S. Federal Bureau of Investigation (FBI), the Department of Defense Cyber Crime Center, and the National Police Agency of Japan. It’s worth noting that DMM Bitcoin shut down its operations earlier this month in the aftermath of the hack.
TraderTraitor refers to a North Korea-linked persistent threat activity cluster that has a history of targeting companies in the Web3 sector, luring victims into downloading malware-laced cryptocurrency apps and ultimately facilitating theft. It’s known to be active since at least 2020.
In recent years, the hacking crew has orchestrated a series of attacks that leverage job-themed social engineering campaigns or reach out to prospective targets under the pretext of collaborating on a GitHub project, which then leads to the deployment of malicious npm packages.
The group, however, is perhaps best known for infiltrating and gaining unauthorized access to JumpCloud’s systems to target a small set of downstream customers last year.
The attack chain documented by the FBI is no different in that the threat actors contacted an employee at a Japan-based cryptocurrency wallet software company named Ginco in March 2024, posing as a recruiter and sending them a URL to a malicious Python script hosted on GitHub as part of a supposed pre-employment test.
The victim, who had access to Ginco’s wallet management system, was subsequently compromised after they copied the Python code to their personal GitHub page.
The adversary moved to the next phase of the attack in mid-May 2024 when it exploited session cookie information to impersonate the compromised employee and successfully gained access to Ginco’s unencrypted communications system.
“In late-May 2024, the actors likely used this access to manipulate a legitimate transaction request by a DMM employee, resulting in the loss of 4,502.9 BTC, worth $308 million at the time of the attack,” the agencies said. “The stolen funds ultimately moved to TraderTraitor-controlled wallets.”
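The pivot described above hinged on a stolen session cookie being accepted from a client that was not the one it was issued to. One defensive check that surfaces that pattern is to bind each session identifier to the client fingerprint (source IP and user-agent) it was first seen with and alert when the same identifier later arrives with a different fingerprint. The following is an added example written for this brief, not code from the advisory, Ginco or DMM Bitcoin; the log format, the session ids, the account names and the IP addresses are all constructed for illustration.

```python
"""Flag session identifiers presented from more than one client fingerprint.

Added illustration for the TraderTraitor / DMM Bitcoin brief. The log format
and every value in SAMPLE_LOG are constructed for this example; the session
ids and user names are hypothetical."""
import re
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed sample access log: one line per authenticated request.
# Session a1f9 is first used from a browser on 203.0.113.10 and later replayed
# from a different address with a scripted client; session b7c2 is benign.
SAMPLE_LOG = """\
2024-05-15T09:02:11Z sid=a1f9 user=alice ip=203.0.113.10 ua="Mozilla/5.0 (Macintosh)"
2024-05-15T09:05:40Z sid=a1f9 user=alice ip=203.0.113.10 ua="Mozilla/5.0 (Macintosh)"
2024-05-15T11:17:03Z sid=a1f9 user=alice ip=198.51.100.77 ua="python-requests/2.31"
2024-05-15T11:18:29Z sid=b7c2 user=bob ip=203.0.113.22 ua="Mozilla/5.0 (Windows)"
"""

# Constructed line format: ISO timestamp, then key=value fields, ua quoted.
LOG_RE = re.compile(
    r'^(?P<ts>\S+) sid=(?P<sid>\S+) user=(?P<user>\S+) '
    r'ip=(?P<ip>\S+) ua="(?P<ua>[^"]*)"$'
)


@dataclass(frozen=True)
class Event:
    ts: datetime
    sid: str
    user: str
    ip: str
    ua: str


def parse_log(text):
    """Parse log text into Event records; unparseable lines are skipped so a
    malformed line cannot be silently attributed to the wrong session."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LOG_RE.match(line)
        if m is None:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(Event(ts, m["sid"], m["user"], m["ip"], m["ua"]))
    return events


def find_hijacked_sessions(text):
    """Bind each session id to the (ip, user-agent) it was first seen with and
    return one alert per later event that presents the id from a different
    fingerprint. Events are processed in timestamp order."""
    first_seen = {}
    alerts = []
    for ev in sorted(parse_log(text), key=lambda e: e.ts):
        fingerprint = (ev.ip, ev.ua)
        bound = first_seen.setdefault(ev.sid, fingerprint)
        if fingerprint == bound:
            continue
        changed = [
            name for name, old, new in (("ip", bound[0], ev.ip), ("user-agent", bound[1], ev.ua))
            if old != new
        ]
        alerts.append({
            "sid": ev.sid,
            "user": ev.user,
            "at": ev.ts.isoformat(),
            "bound_ip": bound[0],
            "observed_ip": ev.ip,
            "bound_ua": bound[1],
            "observed_ua": ev.ua,
            "changed": changed,
        })
    return alerts


if __name__ == "__main__":
    for a in find_hijacked_sessions(SAMPLE_LOG):
        print(f"session {a['sid']} for {a['user']} reused from {a['observed_ip']} "
              f"({', '.join(a['changed'])} changed) at {a['at']}")
```

In a real deployment the binding would live in the session store rather than be reconstructed from logs, and a mismatch would be grounds to invalidate the session server-side and require re-authentication; the point of the log-based version is that a replayed cookie is visible even to a team that only has access logs, because the second client rarely matches the first on both address and user-agent.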
The disclosure comes shortly after Chainalysis attributed the hack of DMM Bitcoin to North Korean threat actors, stating the attackers targeted vulnerabilities in infrastructure to make unauthorized withdrawals.
“The attacker moved millions of dollars’ worth of crypto from DMM Bitcoin to several intermediary addresses before eventually reaching a Bitcoin CoinJoin Mixing Service,” the blockchain intelligence firm said.
“After successfully mixing the stolen funds using the Bitcoin CoinJoin Mixing Service, the attackers moved a portion of the funds through a number of bridging services, and finally to HuiOne Guarantee, an online marketplace tied to the Cambodian conglomerate, HuiOne Group, which was previously exposed as a significant player in facilitating cybercrimes.”
The development also comes as the AhnLab Security Intelligence Center (ASEC) revealed that the North Korean threat actor codenamed Andariel, a sub-cluster within the Lazarus Group, is deploying the SmallTiger backdoor as part of attacks targeting South Korean asset management and document centralization solutions.
Source: https://thehackernews.com/2024/12/north-korean-hackers-pull-off-308m.html