Japanese and U.S. authorities have formally attributed the May 2024 theft of $308 million worth of cryptocurrency from cryptocurrency company DMM Bitcoin to North Korean cyber actors.
“The theft is linked to the TraderTraitor threat activity, which is also tracked as Jade Sleet, UNC4899 and Slow Pisces,” the agencies said. “TraderTraitor’s activities are often characterized by targeted social engineering directed at multiple employees of the same company at the same time.”
The warning comes courtesy of the U.S. Federal Bureau of Investigation (FBI), the Department of Defense Cyber Crime Center (DC3) and Japan’s National Police Agency (NPA). It should be noted that DMM Bitcoin announced earlier this month that it would cease operations.
TraderTraitor refers to a North Korea-linked persistent threat cluster with a history of targeting companies in the Web3 sector, luring victims into downloading malware-laced cryptocurrency apps and ultimately facilitating theft. It has been active since at least 2020.
In recent years, the group has orchestrated a series of attacks that use job-themed social engineering campaigns or approach potential targets under the guise of collaborating on a GitHub project, which then leads to the deployment of malicious npm packages.
The group, however, is perhaps best known for infiltrating and gaining unauthorized access to JumpCloud systems to target a small set of downstream customers last year.
The attack chain documented by the FBI follows the same pattern: in March 2024, the threat actors contacted an employee of Japanese cryptocurrency wallet software company Ginco, posing as a recruiter and sending them the URL of a malicious Python script hosted on GitHub as part of a pre-employment test.
The victim, who had access to the Ginco wallet management system, was compromised after copying the Python code to their personal GitHub page.
The adversary moved to the next phase of the attack in mid-May 2024, when it used session cookie information to impersonate the compromised employee and successfully gained access to Ginco’s unencrypted communications system.
“In late May 2024, the subjects likely used this access to manipulate a legitimate DMM employee transaction request, resulting in the loss of 4,502.9 BTC worth $308 million at the time of the attack,” the agencies said. “The stolen funds ended up in wallets controlled by TraderTraitor.”
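The chain described above hinges on two things: a stolen session cookie being accepted from a client other than the one that established the session, and a transaction request being acted on without any fresh proof of identity. The following example is added here and is not code from the advisory, Ginco or DMM Bitcoin; it shows one defensive control for each: binding a session to the client context that created it (the source /24 network and a hash of the User-Agent, both assumed choices) and requiring a step-up authentication for sensitive transaction endpoints. The log line format, the endpoint paths and the sample sessions are all constructed for illustration.

```python
"""Session binding and step-up authentication (added example; not the advisory's code).

Assumptions: requests arrive as key=value log lines, the session cookie value is
the ``sid`` field, and a ``reauth=1`` field marks a request made right after a
fresh authentication. All sample data below is constructed.
"""
import hashlib
import ipaddress
import secrets
import shlex
from dataclasses import dataclass

# Endpoints that must never be reachable on a session alone (assumed paths).
SENSITIVE_PATHS = {"/api/transactions/request", "/api/transactions/approve"}


@dataclass(frozen=True)
class SessionRecord:
    user: str
    ip_network: str   # /24 network the session was issued from
    ua_hash: str      # truncated SHA-256 of the User-Agent seen at login


def fingerprint(ip: str, user_agent: str) -> tuple[str, str]:
    """Client context a session is bound to: /24 network plus User-Agent hash."""
    net = str(ipaddress.ip_network(f"{ip}/24", strict=False))
    ua = hashlib.sha256(user_agent.encode()).hexdigest()[:16]
    return net, ua


class SessionStore:
    def __init__(self) -> None:
        self._sessions: dict[str, SessionRecord] = {}

    def issue(self, user: str, ip: str, user_agent: str) -> str:
        """Create a session and record the client context it was issued to."""
        sid = secrets.token_hex(16)
        net, ua = fingerprint(ip, user_agent)
        self._sessions[sid] = SessionRecord(user, net, ua)
        return sid

    def evaluate(self, request: dict) -> tuple[str, str]:
        """Decide allow / alert / step_up / reject for one request."""
        rec = self._sessions.get(request.get("sid", ""))
        if rec is None:
            return "reject", "unknown or expired session"
        net, ua = fingerprint(request["ip"], request["ua"])
        drift = [name for name, seen, bound in (
            ("ip_network", net, rec.ip_network),
            ("user_agent", ua, rec.ua_hash),
        ) if seen != bound]
        if drift:
            # A valid cookie presented from a different client: the replay
            # pattern described in the advisory. Alert rather than silently serve.
            return "alert", (f"session for {rec.user} presented from a new "
                             f"client ({', '.join(drift)} changed)")
        if request["path"] in SENSITIVE_PATHS and request.get("reauth") != "1":
            return "step_up", f"{request['path']} requires fresh authentication"
        return "allow", ""


def parse_log_line(line: str) -> dict:
    """Parse a constructed key=value log line; quoted values may contain spaces."""
    fields = {}
    for token in shlex.split(line):
        key, _, value = token.partition("=")
        fields[key] = value
    return fields


def run_demo() -> list[str]:
    """Issue one session and replay five constructed requests against it."""
    store = SessionStore()
    login_ua = "Mozilla/5.0 (X11; Linux x86_64) Chrome/120.0"
    sid = store.issue("wallet-ops-1", "203.0.113.10", login_ua)
    lines = [  # constructed request log lines
        f'sid={sid} ip=203.0.113.25 ua="{login_ua}" path=/api/wallets',
        f'sid={sid} ip=198.51.100.7 ua="curl/8.4.0" path=/api/transactions/request',
        f'sid={sid} ip=203.0.113.10 ua="{login_ua}" path=/api/transactions/request',
        f'sid={sid} ip=203.0.113.10 ua="{login_ua}" path=/api/transactions/request reauth=1',
        'sid=deadbeef ip=203.0.113.10 ua="curl/8.4.0" path=/api/wallets',
    ]
    return [store.evaluate(parse_log_line(line))[0] for line in lines]


if __name__ == "__main__":
    for decision in run_demo():
        print(decision)
```

The second request is the case the advisory describes: the cookie is genuine, but it arrives from a different network and client, so the server raises an alert instead of serving it. The third shows that even a legitimate client cannot submit a transaction request on session state alone; a fresh authentication (`reauth=1`) is required first. Binding on a /24 is a deliberately coarse choice so that ordinary office address churn does not cause false positives; a deployment would tune that, and would add an out-of-band approval step for transaction requests in addition to the step-up.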
The disclosure comes shortly after Chainalysis attributed the DMM Bitcoin hack to North Korean threat actors, noting that the attackers exploited vulnerabilities in the infrastructure to carry out unauthorized withdrawals.
“The attacker moved millions of dollars worth of crypto from DMM Bitcoin to multiple intermediary addresses before eventually reaching the Bitcoin mixing service CoinJoin,” the blockchain intelligence firm said.
“After successfully mixing the stolen funds using the Bitcoin CoinJoin Mixing Service, the attackers moved some of the funds through a number of bridge services and finally to HuiOne Guarantee, an online marketplace linked to the Cambodian conglomerate HuiOne Group, which was previously exposed as a major player in facilitating cybercrime.”
The development also comes as the AhnLab Security Intelligence Center (ASEC) revealed that a North Korean threat actor codenamed Andariel, a subcluster within the Lazarus Group, is deploying the SmallTiger backdoor as part of attacks targeting South Korean asset management and document centralization solutions.