North Korean Hackers Stole $300 Million in Bitcoin From DMM Exchange, Police Say

In May, approximately ¥48.2 billion JPY (approximately $306 million USD) worth of Bitcoin was unlawfully siphoned from DMM Bitcoin.

Around ¥48.2 billion JPY (approximately $306 million USD) in Bitcoin was unlawfully siphoned from DMM Bitcoin in May. The Tokyo entity is a cryptocurrency exchange that operates under the major IT firm DMM.com.

On December 24, the National Police Agency (NPA) announced that the North Korean cyberattack group TraderTraitor was responsible for the attack. The investigation was carried out by the Metropolitan Police Department and NPA, in cooperation with the American Federal Bureau of Investigation (FBI).

TraderTraitor’s Phishing Tactics

According to the NPA, attackers from TraderTraitor posed as recruiters on the business-focused social networking site LinkedIn in late March. They contacted an employee of Ginco (Tokyo), which manages the cryptocurrency wallet system for DMM Bitcoin.

The attackers sent messages with URLs, attempting to entice the employee to click the link. When clicked, the link infected the employee’s computer with a virus.

After mid-May, the attackers used the employee’s credentials to gain unauthorized access to the Ginco system. They were able to modify the system, altering both the amounts and destinations of cryptocurrency transfers, which resulted in the theft.

Investigating the Theft

The stolen funds were eventually transferred to digital wallets controlled by TraderTraitor. Investigations confirmed that the accounts used to contact the employee and the connections for the malicious program were both managed by TraderTraitor.

In response, the NPA, together with the National Center of Incident Readiness and Strategy for Cybersecurity, issued a public attribution statement directly naming North Korea and TraderTraitor and condemning both entities. The NPA also issued a warning, highlighting the rise in cryptocurrency thefts attributed to North Korea.

Following the breach, DMM Bitcoin raised ¥55 billion with support from group companies to guarantee the full amount of the stolen funds to users. However, the company announced its closure on December 2 due to continuing restrictions on services.

Naming the Culprits

Public attribution is an effort to publicly name countries or organizations suspected of involvement in cyberattacks. It aims to prevent further damage and deter future attacks. The United States was the first to carry out public attribution in 2014. Japan has done so previously in cases involving China and North Korea. This case was Japan’s eighth instance.