
FBI and Japan Attribute $308 Million DMM Bitcoin Heist to North Korean Hackers on Christmas Day

On December 25, 2024, as cryptocurrency markets celebrated Bitcoin trading above $99,000, a stark reminder of the industry’s security vulnerabilities emerged. The Federal Bureau of Investigation, the Department of Defense Cyber Crime Center, and Japan’s National Police Agency jointly attributed the massive $308 million theft from Japanese cryptocurrency exchange DMM Bitcoin to North Korean state-sponsored threat actors tracked as TraderTraitor, also known as Lazarus Group and APT38.

The Exploit Mechanics

The attack chain that led to the DMM Bitcoin heist began months before the actual theft. According to the FBI’s press release, in March 2024, a North Korean threat actor posed as a legitimate LinkedIn recruiter and targeted an employee of Ginco, a Japan-based enterprise cryptocurrency wallet software company. The attacker sent the employee a malicious Python script disguised as a “pre-employment test.” Once the employee executed the script, the attackers gained initial access to Ginco’s internal systems.

By May 2024, TraderTraitor actors leveraged stolen session cookies to infiltrate Ginco’s infrastructure more deeply. This access enabled them to manipulate a legitimate DMM Bitcoin transaction, redirecting 4,502.9 BTC—worth approximately $308 million at the time—into wallets under their control. The theft was discovered on June 1, 2024, when DMM Bitcoin publicly announced the breach and immediately suspended several services including new account openings, cryptocurrency withdrawals, and leveraged trading.

Affected Systems

The primary target was DMM Bitcoin, one of Japan’s regulated cryptocurrency exchanges. However, the attack vector passed through Ginco, the wallet infrastructure provider. This supply-chain approach—compromising a service provider to reach the ultimate target—has become a hallmark of North Korean cryptocurrency theft operations. The FBI noted that TraderTraitor activity is often characterized by targeted social engineering directed at multiple employees of the same company simultaneously.

In August 2023, the FBI had already shared details about six cryptocurrency wallets operated by TraderTraitor-affiliated actors. Those wallets held roughly 1,580 Bitcoin, approximately $41 million at the time, linked to various cryptocurrency heists. The pattern demonstrates a long-term, persistent campaign against cryptocurrency infrastructure with escalating sophistication and scale.

The Mitigation Strategy

Following the attribution announcement, security experts emphasized several critical defensive measures. First, cryptocurrency companies must implement robust social engineering training programs, particularly for employees who handle wallet infrastructure or have access to transaction signing systems. The LinkedIn recruiter persona used in this attack is a well-documented North Korean tactic that has been repeatedly flagged by intelligence agencies worldwide.

Second, session cookie management requires urgent attention. Organizations should enforce short-lived session tokens, implement IP-based session binding, and deploy anomaly detection systems that flag unusual access patterns from unfamiliar locations. Multi-factor authentication alone proved insufficient when attackers compromised session tokens directly.

Third, supply-chain security audits must extend to all third-party providers with access to critical infrastructure. The Ginco compromise illustrates how a vulnerability in a service provider can cascade into catastrophic losses for the primary target.
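The second measure above (short-lived sessions, binding a cookie to the client it was issued to, and alerting on use from an unfamiliar location) is concrete enough to show in code. The following is an added example written for this article, not code from DMM Bitcoin, Ginco or any of the agencies cited; the `SessionStore` class, the 15-minute lifetime, the secret, the user name and the sample IP addresses are all constructed for illustration.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Assumption for this example: a 15-minute absolute session lifetime.
SESSION_TTL_SECONDS = 15 * 60


def _fingerprint(user_agent: str) -> str:
    """Hash the User-Agent so the store keeps no raw header values."""
    return hashlib.sha256(user_agent.encode()).hexdigest()


@dataclass
class Session:
    user: str
    ip: str           # client address the cookie was issued to
    ua_hash: str      # client fingerprint recorded at issuance
    issued_at: float
    last_seen: float


class SessionStore:
    """Server-side session table keyed by an HMAC of the cookie value.

    Storing only the keyed hash means a leaked copy of this table does not
    hand anyone a usable cookie.
    """

    def __init__(self, secret: bytes, ttl: int = SESSION_TTL_SECONDS) -> None:
        self._secret = secret
        self._ttl = ttl
        self._sessions: dict[str, Session] = {}
        self.alerts: list[str] = []   # lines a SIEM or pager would receive

    def _key(self, token: str) -> str:
        return hmac.new(self._secret, token.encode(), hashlib.sha256).hexdigest()

    def issue(self, user: str, ip: str, user_agent: str, now: float) -> str:
        """Create a session and return the opaque cookie value."""
        token = secrets.token_urlsafe(32)
        self._sessions[self._key(token)] = Session(
            user, ip, _fingerprint(user_agent), now, now
        )
        return token

    def _revoke(self, key: str, reason: str, session: Session, seen_ip: str) -> None:
        """Drop the session and raise an alert with the issued vs. observed address."""
        self._sessions.pop(key, None)
        self.alerts.append(
            f"user={session.user} reason={reason} "
            f"issued_ip={session.ip} seen_ip={seen_ip}"
        )

    def validate(self, token: str, ip: str, user_agent: str, now: float) -> tuple[bool, str]:
        """Accept the cookie only if it is live, unexpired and bound to this client."""
        key = self._key(token)
        s = self._sessions.get(key)
        if s is None:
            return False, "unknown token"
        if now - s.issued_at > self._ttl:
            self._sessions.pop(key, None)   # expiry is routine, not an alert
            return False, "expired"
        if ip != s.ip:
            self._revoke(key, "ip mismatch", s, ip)
            return False, "ip mismatch"
        if _fingerprint(user_agent) != s.ua_hash:
            self._revoke(key, "user-agent mismatch", s, ip)
            return False, "user-agent mismatch"
        s.last_seen = now
        return True, "ok"


def replay_scenario() -> list[tuple[bool, str]]:
    """Constructed walk-through: a cookie copied off one host is presented from another."""
    store = SessionStore(secret=b"example-only-secret")
    ua = "Mozilla/5.0 (X11; Linux x86_64)"
    t0 = 1_700_000_000.0
    token = store.issue("wallet-operator", "203.0.113.10", ua, t0)
    return [
        store.validate(token, "203.0.113.10", ua, t0 + 60),   # legitimate use
        store.validate(token, "198.51.100.7", ua, t0 + 120),  # same cookie, different address
        store.validate(token, "203.0.113.10", ua, t0 + 180),  # original client, session already revoked
    ]


if __name__ == "__main__":
    for ok, why in replay_scenario():
        print(ok, why)
```

`replay_scenario()` yields `ok`, then `ip mismatch` with an alert line recorded, then `unknown token` because the session was revoked on the mismatch, which is the point: a copied cookie should be worth little on its own, and its first use from elsewhere should produce a signal rather than silent success. Strict IP binding does break legitimate users behind carrier NAT or on mobile networks, so many deployments treat an address change as a risk score that forces re-authentication rather than a hard reject; the structure is the same either way.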

Lessons Learned

The DMM Bitcoin heist occurred during a month that otherwise showed remarkable security improvement across the cryptocurrency industry. December 2024 saw hack losses plummet to approximately $28.6 million according to CertiK, a dramatic 71% decrease from November’s figures. PeckShield independently confirmed $24.7 million in hack losses across more than 25 incidents. This context makes the DMM attribution particularly significant—even as the broader ecosystem strengthens, state-sponsored actors continue to pose outsized threats.

The attack also highlights the evolving nature of cryptocurrency threats in a market where Bitcoin has reached $99,299 and total market capitalization exceeds $3.5 trillion. As valuations increase, so does the incentive for sophisticated threat actors, particularly those backed by nation-states with established cybercrime programs. North Korean cryptocurrency theft operations have been linked to funding for the country’s nuclear weapons and ballistic missile programs.

User Action Required

For individual cryptocurrency users, the DMM Bitcoin incident underscores the importance of diversifying custodial risk. Users who hold significant crypto assets should consider distributing holdings across multiple reputable exchanges or, better yet, utilizing hardware wallets for long-term storage. Exchange users should enable all available security features including withdrawal whitelist restrictions, anti-phishing codes, and login notification alerts.

For industry professionals, the lesson is clear: supply-chain attacks targeting wallet infrastructure providers represent one of the highest-impact threat vectors in cryptocurrency security. Regular security assessments of all connected service providers, combined with employee awareness programs addressing social engineering tactics, are no longer optional—they are essential for survival in an ecosystem where a single compromised employee can lead to $308 million in losses.

Disclaimer: This article is for informational purposes only and does not constitute financial or security advice. Always conduct your own research before making investment or security decisions.


9 thoughts on “FBI and Japan Attribute $308 Million DMM Bitcoin Heist to North Korean Hackers on Christmas Day”

  1. a Python script disguised as a pre-employment test on LinkedIn. the social engineering playbook is so simple it keeps working every single time
     1. the LinkedIn recruiter angle works because crypto people are desperate for jobs in bear markets. Lazarus times these perfectly
     2. alpha_leak: a fake recruiter sending a Python script is literally the same vector that hit Ronin Bridge. Lazarus has one playbook and it keeps working because nobody trains their staff
  2. Lazarus Group operating with basically zero consequences for years is the real scandal. they have stolen over $2B at this point
     1. ^ and the funds get mixed through Tornado Cash or similar and become untraceable within hours. the laundering infrastructure is mature
        1. Luka M.: Christmas Day attack timing was calculated. skeleton crew staffing at both Ginco and DMM meant nobody was watching the suspicious session cookies for hours
  3. DMM handled the aftermath better than most Japanese exchanges. full user reimbursement within months. compare that to Mt Gox which took a decade
