The FBI and other agencies linked a group of North Korean threat actors, known as ‘Tradertraitor,’ to May 2023’s $308 million hack of DMM, a Japanese exchange. The hackers used social engineering to access internal communications and perpetrate the attack.

FBI Unveils Korean Connection in DMM Multi-Million Hack

The Federal Bureau of Investigation (FBI), in a joint investigation with the Department of Defense Cyber Crime Center and the National Police Agency of Japan, has uncovered the involvement of a Korean element in the May hack of DMM, a Japanese cryptocurrency exchange.

The hack, which left a negative balance of over 4,000 BTC in DMM wallets, valued at $308 million at the time, was the work of a Korean hacker group called “Tradertraitor,” known for its peculiar approaches to these operations.


According to the FBI, an individual linked to this group contacted an employee at Ginco, a Japan-based enterprise cryptocurrency wallet provider, offering a new job position. As part of this proposal, the Korean actor sent the victim an internet address for a pre-employment test. The victim copied it to his personal GitHub account, and his system was compromised as a result.

Exploiting this vulnerability, the Korean actors used this access to impersonate the compromised employee and manipulate a legitimate transaction requested by a DMM employee, redirecting the funds to Tradertraitor-controlled wallets.

The aftermath of this heist proved fatal for the exchange, which is currently being liquidated and is expected to be purchased by SBI VC Trade, an exchange of the SBI Group.

The FBI had profiled Tradertraitor’s modus operandi before, explaining its heavy use of social engineering to access targeted companies and organizations. In April, a joint alert explained that the group was targeting crypto-linked institutions, using messages directed to employees as a vector.

The advisory note stated:

The messages often mimic a recruitment effort and offer high-paying jobs to entice the recipients to download malware-laced cryptocurrency applications, which the U.S. government refers to as “TraderTraitor.”


