North Korean Hackers Accused of Stealing Over 4,500 Bitcoins From Japanese Crypto Exchange

North Korean hackers linked to the notorious Lazarus Group have been identified as the culprits behind the theft of more than 4,500 bitcoins from DMM Bitcoin, a Japan-based cryptocurrency exchange. The stolen cryptocurrency, valued at approximately $308 million in May 2024, was reportedly funneled into wallets controlled by the North Korean government.

The incident, which has drawn the attention of global authorities, is now being investigated by the Federal Bureau of Investigation (FBI), the Department of Defense Cyber Crime Center (DC3), and Japan's National Police Agency (NPA). According to their findings, the cyberattack was executed by a subgroup known as TraderTraitor, which operates under the umbrella of Lazarus.

The initial breach reportedly began in March 2024, when a North Korean cyber actor posed as a recruiter on LinkedIn and approached an employee of Ginco, a company that develops enterprise cryptocurrency wallet software. Under the guise of a recruitment process, the hacker sent the employee a link to a GitHub page containing malicious Python code disguised as a pre-employment test. Once the employee copied the code to their personal GitHub repository, the hacker gained access to critical systems.

The attackers remained dormant for several weeks, carefully planning their next move. In May, TraderTraitor exploited the compromised access by leveraging session cookie data to impersonate the employee. This allowed them to infiltrate Ginco's unencrypted communication system. By manipulating a legitimate transaction request from a DMM Bitcoin employee, the hackers managed to divert 4,502.9 bitcoins to wallets under their control.

Subsequent investigations traced the stolen funds to entities linked to the North Korean government, reaffirming suspicions of state involvement.

In a statement, the FBI emphasized the broader implications of the attack, stating, "The FBI, Japan's National Police Agency, and other U.S. government and international partners will continue to expose and combat North Korea’s use of illicit activities — including cybercrime and cryptocurrency theft — to generate revenue for the regime."

This is not the first time Lazarus has been implicated in large-scale cryptocurrency heists. In 2022, the group was tied to the Ronin Network hack, which resulted in the theft of $615 million. More recently, in July 2024, they were linked to the theft of $234.9 million from WazirX, an India-based cryptocurrency exchange.

The DMM Bitcoin incident highlights the ongoing vulnerability of cryptocurrency platforms to sophisticated cyberattacks. As authorities intensify their efforts to combat such threats, the case underscores the urgent need for enhanced cybersecurity measures within the digital asset ecosystem. The collaboration between global agencies aims to deter future incidents and bring those responsible to justice.