Inside the Attack
DMM Bitcoin, a Japanese centralized cryptocurrency exchange, was the target of a sophisticated hack in May 2024. This incident marked the eighth-largest crypto heist of all time and the most significant since December 2022.
Initial Detection
The hack was first identified when a large-scale transfer of 4,502.9 BTC, valued at over $308 million, was detected moving from one unknown Bitcoin wallet to another. Initially, the nature of this transfer was unclear — whether it was a whale moving assets or a security breach. However, the situation became more concerning when the stolen Bitcoin was distributed to multiple addresses, complicating efforts to track and recover the funds.
Magnitude of the Hack
This hack is particularly notable in the context of Japanese crypto history. It follows major incidents like the 2018 Coincheck hack, where over $530 million worth of XEM was stolen, and the infamous Mt. Gox collapse in 2014, which saw over 809,000 BTC stolen across multiple hacks.
Response from DMM Bitcoin
DMM Bitcoin quickly acknowledged the breach, confirming that the exchange had been hacked. The company took immediate steps to investigate the incident, prevent further unauthorized access, and reassure customers that their deposits were secure. As a precaution, certain services were temporarily frozen, including withdrawals and new account openings, to contain the damage and facilitate the investigation.
In response to the hack, DMM Bitcoin announced plans to secure funds to procure bitcoin equivalent to the stolen amount, with financial support from its parent company, DMM Group. By June 3 the exchange had borrowed 5 billion yen ($32 million), and it planned additional funding of 48 billion yen ($307.6 million) by June 7 and 2 billion yen ($12.8 million) on June 10, totalling $352.4 million. DMM Bitcoin aims to replace the stolen bitcoin without impacting the market, continues to investigate the incident, and has apologized to its customers for the inconvenience caused.
Reason for the Hack
Despite these efforts, DMM Bitcoin did not provide detailed information about the root cause of the hack. Several potential vulnerabilities could have been exploited by the attackers, including:
- Exposed Private Keys: Private keys are what secure funds on the blockchain. If a hot wallet's key was compromised, whether through an insider or an external breach, the attackers could simply sign a transfer to their own wallet.
The attack transaction shows that the DMM address was a 2-of-3 multisig, so the attacker had to obtain two of the three signing keys. Compromising two independently held keys is possible but rare; the alternative is a compromise of the DMM Bitcoin signing service that held or used those keys.
The attack transaction: https://mempool.space/tx/975ec405ac9dc9fa5ab8009d94d6a1fe31dff8a8127ea90d023104e52754e4d7
Note that other funds remained on that DMM address after the attack transaction and were not moved to the attacker's wallet. As Chainalysis Reactor shows, they were later transferred to addresses that belong to DMM Bitcoin, as can be seen here: https://mempool.space/address/3P8MfdM4pULv7ozdQvfwAqNF29zAjmnUYD
- Address Poisoning: By seeding a victim's transaction history with lookalike addresses (typically by sending dust from them), attackers count on the victim copying the most recent address from that history and sending funds to it.
This vector is unlikely here, because the attacker's address was new and had sent no transactions before the attack transaction, so it could not have appeared in DMM's transaction history.
- Address Spoofing: Attackers might have tricked users into sending malicious transactions via social engineering or malware, circumventing the need for direct access to private keys.
Indeed the address of the hacker looks similar to one of the DMM addresses:
1B6rJ6ZKfZmkqMyBGe5KR27oWkEbQdNM7P - DMM Bitcoin hot wallet address (as we can see in Chainalysis Reactor)
1B6rJRfjTXwEy36SCs5zofGMmdv2kdZw7P - Hacker's address
Address spoofing in crypto transactions is a scam in which attackers trick users into sending funds to the attacker's address instead of the intended recipient's. It can be carried out by malware that watches the clipboard for cryptocurrency addresses and swaps a copied address for the attacker's, or by an intruder with access to internal systems who replaces the address in the relevant document or database. The scam exploits partial address verification: users check only the first and last few characters, which the attacker matches so that the address appears legitimate, and the funds are sent to the attacker in the belief that the address was verified correctly.
- Insider Attack: There is also the possibility of insider involvement, where someone with legitimate access to the system facilitated the transfer. In that case the attacker would have used an address resembling the DMM Bitcoin hot wallet to receive the funds while avoiding detection and alerts.
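The partial-verification trap described above can be closed mechanically. The following is an added example, not code from the original post or from DMM Bitcoin: it validates a Base58Check (P2PKH/P2SH) address, checks a withdrawal destination against an allowlist by full-string comparison, and flags any address that shares its first and last characters with an allowlisted address without being identical to it. The two addresses are the ones quoted above; the allowlist, the head/tail lengths and the verdict names are assumptions made for the example.

```python
"""Added example (not from the original post): Base58Check validation and
lookalike detection for withdrawal destination addresses."""
import hashlib

B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

# Addresses quoted in the post.
DMM_HOT = "1B6rJ6ZKfZmkqMyBGe5KR27oWkEbQdNM7P"
HACKER = "1B6rJRfjTXwEy36SCs5zofGMmdv2kdZw7P"


def b58decode(s: str) -> bytes:
    """Decode a Base58 string; each leading '1' becomes a leading zero byte."""
    n = 0
    for ch in s:
        idx = B58_ALPHABET.find(ch)
        if idx < 0:
            raise ValueError(f"invalid Base58 character {ch!r}")
        n = n * 58 + idx
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    pad = len(s) - len(s.lstrip("1"))
    return b"\x00" * pad + body


def is_valid_p2pkh_or_p2sh(addr: str) -> bool:
    """True if addr is 25 bytes with a mainnet version byte (0x00 P2PKH or
    0x05 P2SH) and a correct double-SHA256 checksum. A single mistyped
    character breaks the checksum, so typos never pass this check."""
    try:
        raw = b58decode(addr)
    except ValueError:
        return False
    if len(raw) != 25 or raw[0] not in (0x00, 0x05):
        return False
    payload, checksum = raw[:-4], raw[-4:]
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4] == checksum


def looks_alike(candidate: str, trusted: str, head: int = 4, tail: int = 2) -> bool:
    """Same first `head` and last `tail` characters as a trusted address but
    not the same string: exactly what defeats 'check the ends' verification."""
    return (candidate != trusted
            and candidate[:head] == trusted[:head]
            and candidate[-tail:] == trusted[-tail:])


def check_destination(addr: str, allowlist: set) -> str:
    """Verdict for a withdrawal destination (assumed policy for this example):
    ALLOW only on an exact match; LOOKALIKE beats everything else because a
    near-match of a known address is the spoofing signal itself."""
    if addr in allowlist:
        return "ALLOW"
    if any(looks_alike(addr, trusted) for trusted in allowlist):
        return "LOOKALIKE"
    if not is_valid_p2pkh_or_p2sh(addr):
        return "INVALID"
    return "UNKNOWN"


if __name__ == "__main__":
    allow = {DMM_HOT}
    for a in (DMM_HOT, HACKER, "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa"):
        print(a, check_destination(a, allow))
```

The lookalike check runs before the checksum check on purpose: the attacker's address is a genuine, checksum-valid address, so checksum validation alone would wave it through. Only a full-string allowlist comparison, ideally enforced inside the signing path rather than in a spreadsheet or ticket, stops this class of substitution.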
Ongoing Investigation and Bounty Program
Arkham Intel has launched a bounty program to help identify the perpetrators. The guidelines for the bounty include identifying a KYC (Know Your Customer) centralized exchange deposit, revealing the exploiter's identity, and successful recovery of the funds.
With the stolen Bitcoin transactions being closely monitored, blockchain forensics and the bounty program might lead to the hacker's unmasking and the potential recovery of the stolen BTC, worth over $300 million. However, the task is daunting, given the sophisticated measures typically employed to launder such significant sums.
Recommended Security Practices
The DMM Bitcoin hack underscores the critical need for robust security practices to protect high-value cryptocurrency accounts. Key security measures that can help prevent similar incidents include:
- Employee Training: Ensuring that all employees are trained in current cybersecurity practices helps mitigate the risk of insider threats and social engineering, which appear to be the most likely vectors of this attack.
- Regular Security Audits: Conducting frequent and thorough security audits can help identify and address vulnerabilities before they are exploited.
- Adopting Cybersecurity and Cryptocurrency Security Standards: Following global information security frameworks such as NIST CSF 2.0 and NIST SP 800-161 helps manage a range of security risks, including supply chain risks of the kind posed by the signing service used by DMM Bitcoin, and improves overall security posture.
Additionally, implementing the Cryptocurrency Security Standard (CCSS) provides a framework designed specifically for securing cryptocurrency systems and exchanges.
- Incident Response Plans: Developing and regularly updating incident response plans ensures that the organization can respond quickly and effectively to security breaches.
- Cryptocurrency Tracking and Investigation: Adding cryptocurrency tracking and investigation to the incident response plan helps trace stolen assets and mark addresses connected with illicit activity. Tools such as Chainalysis Reactor can be instrumental in tracking and analyzing blockchain transactions to identify and recover stolen funds.
Notes from the CISO
Report, Report, and Report!
While the root cause of the DMM Bitcoin hack remains unclear, the current status of the stolen funds offers valuable insight. Shortly after the hack, many crypto investigation companies noted that the stolen BTC had been divided among ten new wallets, where it has remained since. This transparency is a unique feature of blockchain technology: anyone can view these addresses and monitor future movements of the funds.
The global community is now watching to see how the hacker might attempt to launder the stolen Bitcoin. Typically, criminals use various services, such as mixers, to obfuscate the origin of their funds. However, today's advanced cryptocurrency investigation tools and techniques can often trace these funds even after they pass through mixing services.
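What "tracing funds through splits and mixers" means in practice is a forward walk over the transaction graph. The following is an added example, not code from the original post or from Gftd Japan or Chainalysis: it runs a proportional ("haircut") taint trace over a small ledger that is constructed for the example and is not real chain data. The thief address is seeded as fully tainted; each transaction passes the tainted fraction of its inputs on to every output, so a split into several wallets stays fully tainted, while mixing with clean coins dilutes the taint instead of erasing it. The address labels (which address is an exchange deposit) are likewise assumed; in a real investigation they come from a labelled dataset such as the one behind Chainalysis Reactor.

```python
"""Added example (not from the original post): proportional ("haircut") taint
tracing over a constructed set of Bitcoin transactions."""
from collections import defaultdict

# Constructed sample ledger (NOT real chain data), in chain order. Each tx
# spends the listed (address, BTC) inputs and creates the listed outputs.
TXS = [
    {"txid": "t1", "inputs": [("exch_hot", 4502.9)],
     "outputs": [("thief", 4502.9)]},                      # the theft itself
    {"txid": "t2", "inputs": [("thief", 4502.9)],
     "outputs": [("split1", 500.0), ("split2", 500.0), ("thief_change", 3502.9)]},
    {"txid": "t3", "inputs": [("split1", 500.0), ("clean", 500.0)],
     "outputs": [("mixer_in", 999.9)]},                    # 0.1 BTC fee
    {"txid": "t4", "inputs": [("mixer_in", 999.9)],
     "outputs": [("deposit_exchA", 999.9)]},
]

# Assumed address labels for the example (a real case uses a labelled dataset).
LABELS = {"exch_hot": "exchange_hot_wallet", "deposit_exchA": "exchange_deposit"}


def trace_taint(txs, seed_addr):
    """Follow stolen funds forward from seed_addr.

    Haircut model: every output of a transaction inherits the tainted fraction
    of the transaction's combined inputs (fees lose the same fraction).
    Returns (tainted BTC received per address, hop distance from the seed).
    """
    total = defaultdict(float)     # balance currently held per address
    taint = defaultdict(float)     # tainted part of that balance
    received = defaultdict(float)  # cumulative tainted BTC received
    hops = {seed_addr: 0}
    for tx in txs:
        in_total = sum(amt for _, amt in tx["inputs"])
        tainted_in, in_hops = 0.0, []
        for addr, amt in tx["inputs"]:
            frac = taint[addr] / total[addr] if total[addr] > 0 else 0.0
            if addr == seed_addr:
                frac = 1.0  # everything the thief address holds is stolen
            tainted_in += amt * frac
            if frac > 0 and addr in hops:
                in_hops.append(hops[addr])
            total[addr] -= amt
            taint[addr] -= amt * frac
        frac_out = tainted_in / in_total if in_total > 0 else 0.0
        for addr, amt in tx["outputs"]:
            total[addr] += amt
            if addr == seed_addr:
                # funds landing on the thief address are the stolen principal
                taint[addr] += amt
                received[addr] += amt
                continue
            taint[addr] += amt * frac_out
            if frac_out > 0:
                received[addr] += amt * frac_out
                nxt = (min(in_hops) if in_hops else 0) + 1
                hops[addr] = min(hops.get(addr, nxt), nxt)
    return dict(received), hops


def flag_cashouts(received, labels, min_btc=0.01):
    """Addresses holding tainted funds that are labelled as exchange deposits:
    the KYC off-ramp an investigator (or a bounty hunter) would report."""
    return sorted((a, v) for a, v in received.items()
                  if labels.get(a) == "exchange_deposit" and v >= min_btc)


if __name__ == "__main__":
    rec, hop = trace_taint(TXS, "thief")
    for addr, btc in sorted(rec.items(), key=lambda kv: hop.get(kv[0], 0)):
        print(f"{addr:14s} hop={hop[addr]} tainted={btc:.4f} BTC")
    print("cash-out candidates:", flag_cashouts(rec, LABELS))
```

In the sample ledger the mixed output carries exactly half of its value as stolen coins, and the exchange deposit three hops downstream still shows those 499.95 tainted BTC. That is why prompt reporting matters: the earlier the thief's addresses are flagged, the more of this graph is already being watched when the first deposit to a KYC exchange appears.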
Interestingly, the hacker has not yet begun moving the stolen BTC to launder it, likely because the hack was reported immediately. Prompt reporting of crypto crimes can accelerate investigations and increase the chances of recovering stolen assets. At Gftd Japan, we emphasize the importance of swift reporting to our clients, as it significantly improves the success rate of crypto investigations.
Blockchain investigations are powerful tools for recovering stolen funds and preventing future hacks. Knowing that their actions can be traced may deter potential hackers from attempting such crimes. Gftd Japan provides comprehensive crypto investigation services for victims of hacks and scams. If you need our assistance, please contact us and read more about our crypto investigations service.
Conclusion
The DMM Bitcoin hack serves as a stark reminder of the ongoing risks faced by cryptocurrency exchanges and the critical need for robust security measures. By implementing advanced security practices and continuously monitoring and improving their systems, exchanges can better protect their cryptocurrency and maintain the trust of their users. For organizations seeking to enhance their cybersecurity measures, consulting with experts like Gftd Japan can provide the necessary tools and strategies to safeguard digital assets effectively. We can also investigate crypto hacks and help recover stolen cryptocurrency. If your organization needs assistance in strengthening its cybersecurity framework, contact Gftd Japan. Book a call with us today to secure your digital assets.