A North Korean hacking attack caused a massive Bitcoin loss for a Japanese firm. Authorities are working to expose nations and groups behind similar breaches.

Bitcoin, a leading cryptocurrency (©Getty/Kyodo)

In May, approximately ¥48.2 billion (about $306 million USD) worth of Bitcoin was unlawfully siphoned from DMM Bitcoin. The Tokyo-based company is a cryptocurrency exchange operated under the major IT firm DMM.com.

On December 24, the National Police Agency (NPA) reported that the North Korean-affiliated cyberattack group TraderTraitor was responsible for the attack. The Metropolitan Police Department and the NPA carried out the investigation with the cooperation of the American Federal Bureau of Investigation (FBI).

TraderTraitor's Phishing Tactics

According to the NPA, attackers from TraderTraitor posed as recruiters on the business-focused social networking site LinkedIn in late March. From there, they contacted an employee of Ginco (Tokyo), which manages the cryptocurrency wallet system for DMM Bitcoin.

They sent messages containing URLs to entice the employee to click the link, which then infected the employee's computer with a virus.

After mid-May, the attackers exploited the employee's credentials to gain unauthorized access to the Ginco system. They modified the system, altering both the amounts and destinations of cryptocurrency transfers, leading to the theft.

Investigating the Theft

The stolen funds were eventually transferred to digital wallets controlled by TraderTraitor. Investigations confirmed that the accounts used to contact the employee, and the network connections used by the malicious program, were managed by TraderTraitor.

In response, the NPA, together with the National Center of Incident Readiness and Strategy for Cybersecurity, issued a public attribution statement directly naming North Korea and TraderTraitor and condemning both entities. The NPA also issued a warning, highlighting the rise in cryptocurrency thefts attributed to North Korea.

In the wake of the breach, DMM Bitcoin raised ¥55 billion with support from group companies to guarantee the full amount of the stolen funds to users. However, with continuing restrictions on services, the company announced its closure on December 2.

Naming the Culprits

Public attribution is the practice of publicly naming countries or organizations suspected of involvement in cyberattacks. It aims to prevent further damage and deter future attacks. The United States was the first to carry out public attribution, in 2014. Japan has done so previously in cases involving China and North Korea; this case was Japan's eighth instance.

Author: The Sankei Shimbun