FBI attributes largest crypto hack of 2024 to North Korea’s TraderTraitor

The biggest crypto heist of 2024 was conducted by seasoned cybercriminals working on behalf of North Korea’s government, according to the FBI.

On Tuesday, the agency partnered with the Defense Department and the National Police Agency of Japan to explain that $308 million in cryptocurrency stolen from Japanese platform DMM in May had been traced back to North Korean hackers known by many researchers as Lazarus or TraderTraitor.

In late March 2024, a North Korean cyber actor was able to compromise a Japan-based cryptocurrency wallet software firm and then used that access to pivot to DMM, U.S. and Japanese officials said. 

“In late-May 2024, the actors likely used this access to manipulate a legitimate transaction request by a DMM employee, resulting in the loss of 4,502.9 BTC, worth $308 million at the time of the attack,” the agencies added. 

“The stolen funds ultimately moved to TraderTraitor-controlled wallets. The FBI, National Police Agency of Japan, and other U.S. government and international partners will continue to expose and combat North Korea’s use of illicit activities — including cybercrime and cryptocurrency theft — to generate revenue for the regime.”

The FBI previously said TraderTraitor was behind three headline-grabbing incidents in 2023 involving cryptocurrency companies: a $100 million hack of Atomic Wallet on June 2, as well as two June 22 attacks in which cybercriminals stole $60 million from Alphapo and $37 million from CoinsPaid.

The agency also attributed the $100 million hack of Harmony’s Horizon bridge and the $600 million hack of Sky Mavis’ Ronin Bridge to the same North Korean hackers.

Last year, Microsoft warned GitHub users of a near-identical TraderTraitor campaign where the personal accounts of employees of technology firms were being targeted. The GitHub alert said the group “mostly targets users associated with cryptocurrency and other blockchain-related organizations, but also targets vendors used by those firms.”

GitHub explained at the time that the attack chain started with the hackers impersonating a developer or recruiter by creating a fake personal account on GitHub and other social media platforms like LinkedIn, Slack and Telegram. 

Last week Chainalaysis said hacking groups connected to North Korea’s government stole $1.34 billion worth of cryptocurrency across 47 incidents in 2024. 

Those figures are significant increases after 2023 saw $660.50 million stolen in 20 attacks, according to the research firm. More than $1.7 billion was stolen by North Korea in 2022. 

The attack on DMM was the largest theft of the year according to blockchain analysts. The incident was so severe that it caused the company to announce its closure just two weeks ago. 

Due to price fluctuations, the cryptocurrency stolen from DMM is now worth more than $440 million. Following the attack, DMM Bitcoin was forced to take out massive loans to cover the lost bitcoin. In June, the company secured 55 billion yen in loans — about $367 million. 

Officials with Japan’s Financial Services Agency stepped in and conducted an investigation. They said in September that “serious problems were found with the Company’s system risk management system and response to the risk of crypto asset leakage.”

A Financial Services Agency spokesperson told Recorded Future News that it is still pressing DMM for answers about the incident, writing that the company’s initial report on what happened “did not clearly state the specific facts” and did not involve an analysis of the “root cause of the leak.”

They noted that they wanted the DMM situation to be an example for the future that “increases stability among other cryptocurrency exchange operators and prevents the occurrence of similar cases.”