Japan and the FBI name North Korea as the party that stole bitcoins from DMM, a summary of North Korea's cryptocurrency heists to date



On December 24, 2024, the National Police Agency, the FBI, and others announced that they had determined that the unauthorized leak of approximately 48.2 billion yen worth of Bitcoin that occurred in May 2024 from DMM Bitcoin, the DMM Group's virtual currency trading business, was the work of a North Korean cyber attack group called TraderTraitor.

Cyber attacks by TraderTraitor, a cyber attack group backed by North Korea (Warning)
(PDF file) https://www.npa.go.jp/bureau/cyber/pdf/20241224_caution.pdf




FBI, DC3, and NPA Identification of North Korean Cyber Actors, Tracked as TraderTraitor, Responsible for Theft of $308 Million USD from Bitcoin.DMM.com — FBI
https://www.fbi.gov/news/press-releases/fbi-dc3-and-npa-identification-of-north-korean-cyber-actors-tracked-as-tradertraitor-responsible-for-theft-of-308-million-from-bitcoindmmcom

This incident began on May 31, 2024, when the unauthorized leakage of Bitcoin was detected from a DMM Bitcoin wallet. The total amount of Bitcoin confirmed to have been illegally leaked was 4,502.9 BTC (equivalent to approximately 48.2 billion yen), and on June 5, 2024, DMM revealed plans to raise approximately 55 billion yen to fully cover the amount of the illegally leaked Bitcoin. In August 2024, DMM Group Chairman Keiji Kameyama stated, 'We apologize for the great inconvenience caused to Bitcoin users,' and 'We will continue to disclose any information on the cause, etc. as soon as it becomes available.'

'DMM Bitcoin' announces that it will raise approximately 55 billion yen to guarantee the full amount of illegally leaked bitcoins - GIGAZINE



Subsequently, on September 26, 2024, the Kanto Regional Financial Bureau issued an administrative disposition to DMM Bitcoin, including an order to improve its business practices, pursuant to Article 63-16 of the Payment Services Act. This administrative disposition required DMM Bitcoin to analyze and clarify the specific facts and root causes of the unauthorized leakage of Bitcoin, respond to affected customers, and strengthen its system risk management framework.

Since the unauthorized leak occurred, DMM Bitcoin has been restricting its services, such as screening new account openings, suspending virtual currency withdrawal processing, and suspending spot trading buy orders, but has announced that it will transfer customer accounts and assets under custody to SBI VC Trade on December 1, 2024. DMM Bitcoin also reported that it plans to discontinue its business after the transfer is completed around March 2025.

[IMPORTANT] Basic agreement regarding the transfer of accounts and assets held by SBI VC Trade - DMM Bitcoin (2024/12/02)
https://bitcoin.dmm.com/news/20241202_01



After that, the American blockchain analysis company Chainalysis published the results of its investigation, which linked the unauthorized access to DMM Bitcoin to a North Korean cyber attack group. When Chainalysis traced the stolen cryptocurrency, it found that the group had been laundering the funds by passing them through a 'mixer' service that obscures transaction history and then funneling them to the Cambodian online marketplace 'Huione Guarantee.'

On December 24, 2024, the National Police Agency, the Tokyo Metropolitan Police Department, the FBI, and others announced that TraderTraitor, a division of the North Korean government-affiliated cyber attack group Lazarus Group, was involved in the recent Bitcoin leak. It all started in March 2024, when TraderTraitor impersonated a recruiter on LinkedIn and contacted an employee of Ginco, the company entrusted with managing DMM Bitcoin's wallets. TraderTraitor sent the employee a URL to a malicious Python script disguised as a recruitment test and had the employee copy the code onto his own GitHub page.

Starting in May 2024, TraderTraitor misused session cookie information that controls access permissions, impersonating the relevant employees and illegally accessing Ginco's communications system. It then used this access to tamper with legitimate cryptocurrency transaction requests made by DMM Bitcoin employees and stole bitcoins. It then transferred the stolen bitcoins to a wallet managed by TraderTraitor.
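The sequence described above hinges on one design weakness: possession of a stolen session cookie was enough to impersonate an operator and alter a pending transaction request. The following is an added illustration, not code from the article or from any of the companies named, of why that is dangerous and how binding each transaction request to a signing key held outside the browser session (for example on a hardware token) defeats the tampering step. All operator names, keys, addresses and the request format are constructed placeholders.

```python
import hmac
import hashlib
import json
import secrets

# Constructed sample state (hypothetical, not from the DMM/Ginco incident):
# a browser session cookie mapped to an operator, and a separate per-operator
# signing key that never lives in the browser session.
SESSIONS = {"sess_01": "operator_alice"}
SIGNING_KEYS = {"operator_alice": secrets.token_bytes(32)}


def canonical(request: dict) -> bytes:
    """Deterministic serialization so signer and verifier MAC identical bytes."""
    return json.dumps(request, sort_keys=True, separators=(",", ":")).encode()


def sign_request(operator: str, request: dict) -> str:
    """Operator side: HMAC-SHA256 over the whole payload with the out-of-session key."""
    return hmac.new(SIGNING_KEYS[operator], canonical(request), hashlib.sha256).hexdigest()


def authorize_weak(cookie: str, request: dict) -> bool:
    """Weak design: a valid session cookie alone authorizes whatever payload arrives,
    so anyone holding the cookie can rewrite the destination unnoticed."""
    return cookie in SESSIONS


def authorize_hardened(cookie: str, request: dict, signature: str) -> tuple:
    """Hardened design: the cookie only identifies the operator; the payload must
    verify against that operator's separate signing key. Any change to the payload
    after signing (destination, amount) breaks the MAC and is flagged."""
    operator = SESSIONS.get(cookie)
    if operator is None:
        return False, "unknown session"
    expected = sign_request(operator, request)
    if not hmac.compare_digest(expected, signature):
        return False, f"payload/signature mismatch for {operator}: possible tampering"
    return True, "ok"


def simulate_tampering() -> dict:
    """Replay the scenario: a legitimately signed withdrawal, then the same session
    cookie presented with the destination swapped to a constructed attacker address."""
    legit = {"op": "withdraw", "asset": "BTC", "amount": "1.5",
             "dest": "bc1q-legit-placeholder"}
    sig = sign_request("operator_alice", legit)
    tampered = dict(legit, dest="bc1q-attacker-placeholder")
    return {
        "weak_accepts_tampered": authorize_weak("sess_01", tampered),
        "hardened_accepts_legit": authorize_hardened("sess_01", legit, sig),
        "hardened_accepts_tampered": authorize_hardened("sess_01", tampered, sig),
    }


if __name__ == "__main__":
    for name, result in simulate_tampering().items():
        print(name, result)
```

The weak path accepts the rewritten request because the cookie is its only check; the hardened path rejects it and produces a log-worthy reason string, which is the event a monitoring team would alert on. In practice the signing step would run on a device the operator physically controls, so that compromising a workstation or its cookies does not yield the key.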

The theft of virtual currencies through cyber attacks from North Korea has been steadily increasing since 2017, and in December 2022, South Korea's intelligence agency, the National Intelligence Service, reported the results of an investigation stating that 'North Korean cyber attack groups stole 8,000 billion won (approximately 86 billion yen) of virtual currencies and other assets in 2022 alone, totaling 1.5 trillion won (approximately 162 billion yen) over the five years from 2017.'

In North Korea, the income generated by theft of virtual currencies is one of the main sources of income for the regime, and it has been pointed out that the stolen virtual currencies are being used to fund the development of ballistic missiles and weapons of mass destruction.

The terrifying reality that North Korea is funding its weapons development program through cyber-attacks and cryptocurrency heists - GIGAZINE



Additionally, cryptocurrency trading platform Hyperliquid reported on December 23, 2024 that addresses linked to North Korean hackers, along with signs of activity consistent with probing the platform for potential security bugs, had been found.




Security expert Taylor Monahan said, 'We found no signs of funds being leaked or misused by North Korea from Hyperliquid,' but some users have been flooding Hyperliquid with withdrawals due to concerns that North Korean hackers are active on the exchange. According to venture capital fund Hashed, $112 million (about 17 billion yen) worth of stablecoins and USDC were withdrawn from Hyperliquid on December 23, 2024 alone, and the price of Hyperliquid's own virtual currency, HYPE, has also been reported to have fallen by more than 20%.

in Software,   Web Service,   Security, Posted by log1r_ut