¥48.2 Billion Bitcoin Theft Linked to North Korean Hackers; Cyber Actor Masqueraded as Job Recruiter on LinkedIn Platform

Yomiuri Shimbun file photo
The National Police Agency in Tokyo

The North Korean hacker group TraderTraitor was involved in the May theft of bitcoins worth ¥48.2 billion from Japanese cryptocurrency exchange DMM Bitcoin, the National Police Agency and the U.S. Federal Bureau of Investigation announced Tuesday.

According to the announcement, a cyber actor masquerading as a headhunter approached an employee of DMM Bitcoin’s outsourcing partner and stole his access to the firm’s cryptocurrency transaction system.

TraderTraitor is believed to be part of the hacking outfit Lazarus, which belongs to North Korea’s Reconnaissance General Bureau. This is the first time that harm by the group has been confirmed in Japan and the eighth time that the Japanese government has named the source of an attack, a practice called “public attribution.”

The Kanto Regional Police Bureau’s cybercrime special investigative team and the Metropolitan Police Department will continue to investigate the case on suspicion of violations of the Law on Prohibition of Unauthorized Computer Access.

According to the NPA, a member of TraderTraitor masqueraded as a corporate recruiter on the LinkedIn business-oriented social media site in late March. They contacted an employee of Ginco Inc., a Tokyo-based cryptocurrency wallet software firm that DMM Bitcoin had entrusted with managing its cryptocurrency trading.

The fraudulent recruiter allegedly told the employee, “We were impressed by your skills,” and had him execute a program sent under the guise of a pre-employment test to check his skills. The employee’s device was infected with a computer virus that compromised his privileges as a DMM Bitcoin employee.

TraderTraitor actors accessed Ginco’s cryptocurrency transaction system repeatedly from mid-May. They allegedly changed transaction amounts and remittance recipients in the system to steal ¥48.2 billion worth of bitcoins from DMM Bitcoin on May 31.

The stolen bitcoins were subsequently laundered, but some were eventually moved to a wallet that the FBI knew was controlled by TraderTraitor. In addition, the LinkedIn account used to contact the employee and the server connected to his device matched those acknowledged by U.S. authorities to have been linked to TraderTraitor.

The United Nations reported in March that North Korean cyberattacks on cryptocurrency-related companies between 2017 and 2023 were valued at $3 billion, which reportedly helped fund the country’s development of weapons of mass destruction.

The NPA, in conjunction with the National Center of Incident readiness and Strategy for Cybersecurity and the Financial Services Agency, released a joint document Tuesday to raise awareness. The document called for companies concerned to be aware of the hackers’ tactic of learning about their targets’ backgrounds and skills before making contact.

DMM Bitcoin announced this month that it would transfer its customers’ wallets to SBI Holdings Inc.’s cryptocurrency exchange unit from around next March and go out of business.