The latest investigation suggests that North Korean hackers, known as the TraderTraitor group, were behind the hack of Japanese cryptocurrency exchange DMM Bitcoin. The TraderTraitor hackers are said to have close ties to the infamous Lazarus group.
In May, the incident saw the exchange lose 4,502 bitcoins, worth $308 million.
The hack that caused DMM Bitcoin to shut down
The DMM Bitcoin exploit was one of the biggest cryptocurrency hacks of the year. The massive losses and failed recovery efforts eventually led to the exchange being shut down earlier this month.
Initially, the attack was linked to the notorious Lazarus Group, but US and Japanese officials now believe a more specialized North Korean group, called the TraderTraitor Group, was behind the attack.
According to the FBI, the hackers used advanced social engineering techniques to target Ginco, a Japanese cryptocurrency wallet company. In March, they posed as recruiters on LinkedIn and sent a malicious link disguised as a pre-employment test hosted on GitHub.
Unfortunately, a Ginco employee executed the code without his knowledge, which led to his GitHub account being hacked. The hackers then exploited the stolen information.
By May, they had posed as a Ginco employee to hack into Ginco’s communications systems. This allowed them to manipulate a legitimate transaction request from a DMM Bitcoin employee. As a result, the attackers transferred the stolen Bitcoin to wallets they controlled.
Despite efforts to compensate users with replacement Bitcoin, the financial impact proved insurmountable. Eventually, the company announced its closure and plans to transfer its accounts to SBIVC Trade by March 2025.
North Korea continues to be a persistent threat to the cryptocurrency industry.
At the same time, the attack highlights the ongoing threat from North Korean hacking groups. In 2024 alone, these groups were responsible for stealing $1.34 billion in cryptocurrency, accounting for two-thirds of all cryptocurrency thefts globally.
In July, the stolen money was laundered through Huione Guarantee, a company operating in Cambodia. According to Chainalysis, the Cambodian company handled an estimated $49 billion in pig slaughtering.
In December, Cambodia responded with a regulatory crackdown, blocking access to 16 cryptocurrency exchanges, including major ones like Binance, Coinbase, and OKX.
“Cryptocurrency enthusiasts should already know that Lazarus is one of the most aggressive threat actors targeting the industry,” wrote MetaMask security expert Taylor Monahan. “They’ve harmed more people, companies, and protocols than anyone else. But it’s good to know exactly how they get in. Because auditing another smart contract won’t save you.”
Overall, the DMM Bitcoin hack ranks as one of the largest cryptocurrency thefts in Japan, second only to the $530 million Coincheck hack in 2018.