Hackers affiliated with the North Korean military masterminded the massive theft of bitcoins from a Tokyo-based company, investigations by Japanese and U.S. authorities found.
The TraderTraitor group stole bitcoins worth about 48.2 billion yen ($307 million) from crypto-asset exchange service provider DMM Bitcoin in May, the National Police Agency and the U.S. Federal Bureau of Investigation announced Dec. 24.
The announcement was made to serve as “public attribution,” a policy to identify and condemn cyberattackers and their state sponsor.
TraderTraitor is linked to the Reconnaissance General Bureau, an intelligence agency of the Korean People’s Army, NPA officials said.
The hackers are believed to be part of the Lazarus Group, which is said to have been involved in cyberattacks against Japan and other countries.
TraderTraitor used LinkedIn, a business networking social media platform, to break into the system of Ginco Inc., which was commissioned to manage DMM Bitcoin’s crypto-asset transactions.
The NPA and the National Center of Incident Readiness and Strategy for Cybersecurity, a government agency, called for caution against similar attacks.
According to the NPA, a TraderTraitor hacker contacted an employee of Ginco, a crypto-asset systems company in Tokyo, on LinkedIn in March, pretending to be a recruiter.
A message said the recruiter was impressed by the employee’s skills.
TraderTraitor sent a link that was disguised as a pre-employment test and embedded with malware, then hijacked the employee’s access privileges to infiltrate the system.
The group tampered with DMM Bitcoin’s transaction data and stole the bitcoins on May 31.
DMM Bitcoin, a group company of the online service provider DMM.com, consulted Tokyo’s Metropolitan Police Department.
The MPD and the NPA’s national cybersecurity department traced the leaked crypto assets and found that some had been transferred to an account managed by the North Korean side.
The joint investigation also discovered that the computer server connected to the malware and the LinkedIn account used were operated by the North Korean side.
DMM Bitcoin raised funds from group companies and other sources and fully compensated customers for their losses.
But the company announced this month that it was going out of business after its crypto-asset transactions were restricted.
North Korean cyberattacks have been used to steal crypto assets in the past.
In a report released in March, an expert panel of the U.N. Security Council said crypto assets worth about $3 billion were stolen between 2017 and 2023 in cyberattacks where North Korea’s involvement was suspected.
The panel said the funds have been used to finance the country’s nuclear and missile development programs.
U.S. authorities first discussed TraderTraitor’s activities in April 2022.
In August 2023, the FBI announced that the group was involved in three thefts of crypto assets worth a total of about $200 million.