The Japanese crypto exchange DMM was robbed of $308 million in bitcoin earlier this year via a rogue recruiter on LinkedIn, the FBI and Japanese police report (pdf). An employee of Ginco, the company to which crypto exchange DMM had entrusted the wallet management system, was approached via LinkedIn by someone posing as a recruiter.
The “recruiter” asked the Ginco employee whether he wanted to take a test. The link for this “test” pointed to a rogue Python script hosted on GitHub. “The victim copied the Python code to his personal GitHub page and was subsequently compromised,” the FBI said. Using a stolen session cookie, the attackers then impersonated the compromised employee and gained access to Ginco’s communications system.
The attackers then used this access to modify a legitimate transaction request from crypto exchange DMM, leading to the theft of more than 4,500 bitcoin, which were transferred to the attackers’ wallets and were worth $308 million at the time of the attack. The FBI and Japanese police say the attack was the work of a North Korea-affiliated group called TraderTraitor. Blockchain analysis company Chainalysis also recently discussed the attack on DMM.
In short:
| Summary Point | Details |
|---|---|
| Incident | DMM crypto exchange lost $308 million in bitcoin. |
| Method of Attack | A rogue recruiter on LinkedIn targeted an employee of Ginco, responsible for wallet management. |
| Compromise | Employee executed a malicious Python script, leading to system access for attackers. |
| Outcome | Attackers altered a transaction request, stealing over 4,500 bitcoin. |
| Attribution | The attack is linked to a North Korea-affiliated group named TraderTraitor. |