FBI, DC3, and NPA Identification of North Korean Cyber Actors, Tracked as TraderTraitor, Responsible for Theft of $308 Million USD from Bitcoin.DMM.com

2024-12-23 USFBI

https://www.fbi.gov/news/press-releases/fbi-dc3-and-npa-identification-of-north-korean-cyber-actors-tracked-as-tradertraitor-responsible-for-theft-of-308-million-from-bitcoindmmcom

The FBI, DC3, and Japan's National Police Agency attributed the May 2024 theft of 4,502.9 BTC from DMM Bitcoin to North Korean TraderTraitor activity, also tracked as Jade Sleet, UNC4899, and Slow Pisces. The intrusion began when an actor posing as a recruiter on LinkedIn sent a Ginco employee a GitHub-hosted malicious Python script under the cover of a pre-employment test. After compromising the employee, the actors used session cookie data to impersonate the victim inside Ginco's communications system and manipulate a legitimate DMM transaction request, moving the stolen funds to TraderTraitor-controlled wallets.
