North Korean hackers steal $308M in crypto from Japan's DMM

December 24, 2024

The Federal Bureau of Investigation (FBI), the Department of Defense Cyber Crime Center (DC3), and Japan’s National Police Agency (NPA) have identified North Korean cyber actors, tracked as TraderTraitor, as responsible for the theft of $308 million in cryptocurrency from DMM.com, a Japan-based crypto company, in May 2024.

TraderTraitor, also known as Jade Sleet, UNC4899, and Slow Pisces, is notorious for employing sophisticated social engineering tactics to target multiple employees of the same company. This heist marks another instance of North Korea’s alleged use of cybercrime to fund its regime.

In late March 2024, a North Korean cyber actor, posing as a recruiter on LinkedIn, targeted an employee at Ginco, a Japanese enterprise cryptocurrency wallet software provider. Under the guise of a pre-employment test, the threat actor sent the victim a URL linked to a malicious Python script hosted on GitHub.

The employee, unaware of the malicious intent, copied the script to their personal GitHub page, resulting in the compromise of their account. By mid-May 2024, TraderTraitor actors exploited session cookie data to impersonate the compromised employee and infiltrate Ginco’s unencrypted communications system.

By late May 2024, the attackers leveraged their access to Ginco’s systems to manipulate a legitimate transaction request from a DMM.com employee. This resulted in the unauthorized transfer of 4,502.9 Bitcoin, valued at $308 million at the time, to wallets controlled by TraderTraitor.

The stolen funds have since been traced to wallets controlled by the TraderTraitor group, which the FBI and other international partners continue to monitor.

The FBI, NPA, and U.S. government agencies are working closely with international partners to combat North Korea’s cybercrime activities, including cryptocurrency theft. In a joint statement, the agencies emphasized their commitment to exposing and disrupting North Korea’s use of illicit cyber activities to generate revenue for its regime.
