警方称朝鲜黑客从 DMM 交易所窃取了 3 亿美元的比特币

5 月份，价值约 482 亿日元（约合 3.06 亿美元）的比特币从 DMM Bitcoin 被非法挪用。

Around ¥48.2 billion JPY (approximately $306 million USD) in Bitcoin was unlawfully siphoned from DMM Bitcoin in May. The Tokyo entity is a cryptocurrency exchange that operates under the major IT firm DMM.com.

5 月份，约 482 亿日元（约合 3.06 亿美元）的比特币从 DMM 比特币中被非法挪用。东京实体是一家加密货币交易所，在大型 IT 公司 DMM.com 旗下运营。

On December 24, the National Police Agency (NPA) announced that the North Korean cyberattack group TraderTraitor was responsible for the attack. The investigation was carried out by the Metropolitan Police Department and NPA, in cooperation with the American Federal Bureau of Investigation (FBI).

12月24日，国家警察厅（NPA）宣布朝鲜网络攻击组织TraderTraitor对此次攻击负责。调查由伦敦警察厅和 NPA 与美国联邦调查局 (FBI) 合作进行。

TraderTraitor’s Phishing Tactics

TraderTraitor 的网络钓鱼策略

According to the NPA, attackers from TraderTraitor posed as recruiters on the business-focused social networking site LinkedIn in late March. They contacted an employee of Ginco (Tokyo), which manages the cryptocurrency wallet system for DMM Bitcoin.

据 NPA 称，来自 TraderTraitor 的攻击者于 3 月底在商业社交网站 LinkedIn 上冒充招聘人员。他们联系了 Ginco（东京）的一名员工，该公司管理 DMM 比特币的加密货币钱包系统。

The attackers sent messages with URLs, attempting to entice the employee to click the link. When clicked, the link infected the employee’s computer with a virus.

攻击者发送带有 URL 的消息，试图诱使员工单击该链接。单击后，该链接使该员工的计算机感染了病毒。

After mid-May, the attackers used the employee’s credentials to gain unauthorized access to the Ginco system. They were able to modify the system, altering both the amounts and destinations of cryptocurrency transfers, which resulted in the theft.

5 月中旬之后，攻击者利用该员工的凭据获得了对 Ginco 系统的未经授权的访问。他们能够修改系统，改变加密货币传输的金额和目的地，从而导致盗窃。

Investigating the Theft

调查盗窃案

The stolen funds were eventually transferred to digital wallets controlled by TraderTraitor. Investigations confirmed that the accounts used to contact the employee and the connections for the malicious program were both managed by TraderTraitor.

被盗资金最终被转移到 TraderTraitor 控制的数字钱包中。调查证实，用于联系该员工的帐户和恶意程序的连接均由 TraderTraitor 管理。

In response, the NPA, together with the National Center of Incident Readiness and Strategy for Cybersecurity, issued a public attribution statement directly naming North Korea and TraderTraitor and condemning both entities. The NPA also issued a warning, highlighting the rise in cryptocurrency thefts attributed to North Korea.

作为回应，NPA 与国家事件准备和网络安全战略中心一起发布了一份公开归因声明，直接点名朝鲜和 TraderTraitor 并谴责这两个实体。 NPA 还发出警告，强调朝鲜造成的加密货币盗窃案有所增加。

Following the breach, DMM Bitcoin raised ¥55 billion with support from group companies to guarantee the full amount of the stolen funds to users. However, the company announced its closure on December 2 due to continuing restrictions on services.

事件发生后，DMM Bitcoin 在集团公司的支持下筹集了 550 亿日元，以保证向用户全额返还被盗资金。然而，由于服务持续受到限制，该公司于 12 月 2 日宣布关闭。

Naming the Culprits

指认罪魁祸首

Public attribution is an effort to publicly name countries or organizations suspected of involvement in cyberattacks. It aims to prevent further damage and deter future attacks. The United States was the first to carry out public attribution in 2014. Japan has done so previously in cases involving China and North Korea. This case was Japan’s eighth instance.

公开归因是公开指名涉嫌参与网络攻击的国家或组织的努力。其目的是防止进一步的损害并阻止未来的攻击。美国于2014年率先进行了公开归因。日本此前曾在涉及中国和朝鲜的案件中这样做过。这是日本的第八起案件。