December 24, 2024
Severity
High
Analysis Summary
Authorities in Japan and the United States have linked North Korean threat actors to the May 2024 theft of $308 million worth of cryptocurrency from the company DMM Bitcoin. The heist is attributed to the threat activity tracked as TraderTraitor, which is also monitored under the names Slow Pisces, UNC4899, and Jade Sleet. A hallmark of TraderTraitor activity is targeted social engineering aimed at several employees of the same organization at once.
The notice was issued jointly by the National Police Agency of Japan, the Department of Defense Cyber Crime Center, and the U.S. Federal Bureau of Investigation. It is worth noting that DMM Bitcoin ceased operations earlier this month. TraderTraitor is a persistent threat activity cluster associated with North Korea that has a history of targeting Web3 companies, tricking victims into downloading malware-laced cryptocurrency apps and ultimately enabling theft. It has been known to be active since at least 2020.
In recent years the group has carried out several attacks that rely on job-themed social engineering campaigns, or that approach potential targets under the pretense of collaborating on a GitHub project, resulting in the delivery of malicious npm packages. The group's most well-known operation, however, may be last year's breach of JumpCloud's systems, which it then used to target a select group of downstream customers.
The attack chain documented by the FBI follows the same pattern. In March 2024, the threat actors posed as recruiters and sent an employee of Ginco, a cryptocurrency wallet software company based in Japan, a URL pointing to a malicious Python script hosted on GitHub, presented as a pre-employment test. After the victim copied the Python code to their personal GitHub page, the threat actors were able to gain access to Ginco's wallet management system, and the employee was subsequently compromised.
In mid-May 2024, the attackers advanced to the next stage, breaking into Ginco's unencrypted communications system by using the compromised employee's session cookie information to assume their identity. The actors most likely used this access to manipulate a legitimate transaction request from a DMM employee in late May 2024, resulting in the loss of 4,502.9 BTC, worth approximately $308 million at the time of the incident. The stolen funds ultimately flowed to wallets controlled by TraderTraitor.
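The pivot described above hinges on a stolen session cookie being replayed from a machine the employee never used. The following detection routine is an added example, not part of the original advisory; it assumes a hypothetical access-log format (timestamp, session id, user, source IP, user agent) and flags any session whose cookie is later presented from a different client fingerprint than the one it was first seen with.

```python
"""Flag session-cookie reuse from a different client fingerprint.

Added example with a constructed, hypothetical log format; field names and
values are not from the advisory or from any real product.
"""
import hashlib

# Constructed sample access-log records: (timestamp, session_id, user, source_ip, user_agent).
# The third record replays alice's cookie from a new IP with a scripted client.
SAMPLE_LOGS = [
    ("2024-05-14T09:01:00Z", "sess-a1b2", "alice", "203.0.113.10", "Mozilla/5.0 (Macintosh) Chrome/124"),
    ("2024-05-14T09:05:30Z", "sess-a1b2", "alice", "203.0.113.10", "Mozilla/5.0 (Macintosh) Chrome/124"),
    ("2024-05-14T09:06:12Z", "sess-a1b2", "alice", "198.51.100.77", "python-requests/2.31"),
    ("2024-05-14T09:07:00Z", "sess-c3d4", "bob", "203.0.113.11", "Mozilla/5.0 (Windows) Firefox/125"),
]


def _session_ref(session_id):
    """Short hash of the cookie value so alerts never carry the live secret."""
    return hashlib.sha256(session_id.encode()).hexdigest()[:12]


def detect_session_reuse(logs):
    """Return one alert per request that reuses a session from a new (ip, ua) pair.

    The first sighting of a session binds it to a client fingerprint; any later
    request carrying the same cookie from a different fingerprint is flagged.
    Legitimate causes (VPN changes, browser upgrades) exist, so treat hits as
    triage leads rather than confirmed compromise.
    """
    bound = {}   # session_id -> (ip, ua) fingerprint seen first
    alerts = []
    for ts, sid, user, ip, ua in logs:
        fingerprint = (ip, ua)
        if sid not in bound:
            bound[sid] = fingerprint
            continue
        if bound[sid] != fingerprint:
            alerts.append({
                "time": ts,
                "user": user,
                "session_ref": _session_ref(sid),
                "expected": bound[sid],
                "observed": fingerprint,
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_session_reuse(SAMPLE_LOGS):
        print("possible session hijack:", alert)
```

Pairing this with a rule that invalidates a session when its fingerprint changes, rather than only alerting, removes the window in which a replayed cookie remains usable.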
Impact
- Cryptocurrency Theft
- Financial Loss
- Code Execution
- Identity Theft
Remediation
- Do not download documents attached to emails from unknown sources, and strictly refrain from enabling macros when the source is not trusted.
- Ensure that all systems, software, and applications are up-to-date with the latest security patches. Regularly check for and apply updates to eliminate known vulnerabilities that attackers could exploit.
- Educate employees about phishing emails, social engineering tactics, and safe online behavior. Effective training can reduce the likelihood of users inadvertently initiating an attack.
- Regularly back up critical data and systems to offline or isolated storage. Test the backup restoration process to ensure that it is effective in case of an attack.
- Deploy strong endpoint protection solutions that include advanced threat detection, behavior monitoring, and real-time protection against malware.
- Employ robust email filtering and anti-phishing solutions to detect and prevent malicious attachments and links from reaching user inboxes.
- Conduct regular penetration testing and security assessments to identify vulnerabilities and weaknesses in your network and systems. Address any findings promptly.
- Thoroughly assess third-party vendors and software before integrating them into your environment. Ensure they have strong security practices and adhere to cybersecurity standards.