On the 24th, the National Police Agency and the Financial Services Agency announced that the unauthorized outflow of Bitcoin (BTC) from the domestic cryptocurrency (virtual currency) exchange DMM Bitcoin in May this year has been identified as the work of TraderTraitor, a cyberattack group within the North Korean hacking group Lazarus Group.
According to the announcement, the attribution is the result of an investigation by the National Police Agency, the FBI (Federal Bureau of Investigation) and DC3 (Defense Cybercrime Center).
In May this year, 4,502.9 BTC, worth approximately 48.2 billion yen at the exchange rate at the time, was illicitly transferred out of DMM Bitcoin. Details of the incident had not been disclosed while the investigation was ongoing, but now, more than half a year later, the method used in the theft has been made public.
According to the National Police Agency, in late March of this year, TraderTraitor posed as a recruiter on the business-focused social network LinkedIn and contacted employees of Ginco, a cryptocurrency wallet company that DMM Bitcoin had entrusted with asset management. The attackers then sent employees with access to Ginco's wallet management system a URL pointing to a malicious Python script, hosted on GitHub and disguised as a pre-employment coding test. The affected Ginco employee appears to have copied the Python code to his own GitHub page, which led to the compromise.
Still posing as recruiters, the attackers used session cookie information to impersonate the compromised employee and gained access to Ginco's unencrypted communications system. They are said to have used this access to tamper with legitimate transaction requests made by DMM Bitcoin employees.
In response to the incident, the National Police Agency said it would continue to work with the FBI and other U.S. government agencies and international partners to investigate cybercrime and illegal activities benefiting North Korea, including cryptocurrency theft.