In May 2024, the Japanese virtual currency exchange DMM suffered a major loss of assets, attributed to a hacker group linked to North Korea. The incident exposed potential weaknesses in the internal system management and security checks of Japanese exchanges and has drawn industry-wide attention to wallet management and transaction security.
(Japanese licensed exchange DMM was hacked for 4,503 bitcoins, resulting in a loss of 48.2 billion yen)
Japanese police investigation: Fake recruitment fraud, hackers cleverly infiltrate the system
Recently, Japanese police revealed that the hackers approached a technician at the company to which DMM had outsourced its Bitcoin technology development, posing as recruiters. Under the pretext of a technical test, they lured the technician into downloading a malicious program. That program was then used to infiltrate DMM's trading system and tamper with legitimate transaction instructions, ultimately transferring a large amount of cryptocurrency to the attackers' wallet.
(FBI reveals: North Korea actively invades the cryptocurrency industry, social engineering targets employees of cryptocurrency companies)
Where exactly are the vulnerabilities in the DMM system?
This incident has drawn attention to DMM's cold wallet management and transaction review processes. According to the available analyses, DMM, as the ultimate custodian of the assets, holds the private keys needed to transfer them. The incident suggests, however, that the attackers exploited weaknesses in the communication between the management device and the cold wallet terminal to tamper with the transaction's destination address. The address-tampering attack works because the attacker-controlled address is similar in format to a legitimate one, so the staff responsible for transaction review did not notice the anomaly.
The role of the outsourcing company Ginco: Is the outsourced system a potential hidden danger?
The DMM incident also involves Ginco, the outsourcing company that provides its wallet system. Ginco is primarily responsible for address management and transaction generation, but its internal systems may have become the attackers' entry point. Some analyses suggest that the hackers injected tampered transaction data through Ginco's management device and then had DMM's cold wallet terminal produce the final signature. Had DMM carefully compared the transaction content before and after signing, it would have detected the anomaly; in practice, this step was overlooked.
The North Korean hackers' tactics, combined with DMM's weaknesses, broke through its defenses!
This attack is believed to have been a meticulously planned operation by North Korean hackers. Although exchanges generally carry out regular asset transfers to keep funds secure, DMM's operations were exposed during the transfer window, making it the attackers' primary target. Experts point out that the attackers likely chose a predictable, actionable moment for a precise strike, exploiting DMM's operational habits.
A warning for the cryptocurrency industry: Both internal and external defenses are indispensable.
Commentators describe this incident as a serious wake-up call for the entire cryptocurrency industry. Even though a cold wallet environment is considered the safest way to manage assets, attackers can still get through via outsourced management systems or gaps in internal audits. The industry must therefore strengthen security checks at every stage from transaction generation to final signing and adhere to the principle "Don't trust, verify."
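As an added illustration of the before-and-after-signing comparison that the analyses above say was overlooked, and of the "Don't trust, verify" principle, the following is example code, not DMM's or Ginco's; the address strings, the JSON transaction shape, the out-of-band intent commitment and the mock signer are all assumptions.

```python
import hashlib
import json

# Constructed placeholders for illustration; not real DMM or Ginco addresses.
ALLOWLIST = {"addr_dmm_hot_01", "addr_dmm_cold_02"}

def intent_commitment(destination: str, amount_sat: int) -> str:
    """Hash of the approved transfer. The reviewer hands it to the cold terminal
    out of band (e.g. on the approval record), so a transaction tampered on the
    management-device link cannot supply a matching value itself."""
    return hashlib.sha256(f"{destination}|{amount_sat}".encode()).hexdigest()

def check_before_signing(unsigned_tx: dict, approved: dict, allowlist: set) -> list:
    """Checks the cold terminal runs on the unsigned transaction it received.
    Returns a list of findings; only an empty list permits signing."""
    findings = []
    outputs = unsigned_tx.get("outputs", [])
    for out in outputs:
        # Exact-match allowlist: a look-alike address differs in at least one character.
        if out["address"] not in allowlist:
            findings.append(f"destination {out['address']} is not allowlisted")
    expected = intent_commitment(approved["destination"], approved["amount_sat"])
    actual = "" if len(outputs) != 1 else intent_commitment(outputs[0]["address"], outputs[0]["amount_sat"])
    if actual != expected:
        findings.append("outputs do not match the approved transfer intent")
    return findings

def canonical_outputs(tx: dict) -> str:
    """Deterministic serialization so outputs can be compared byte for byte."""
    return json.dumps(tx["outputs"], sort_keys=True, separators=(",", ":"))

def sign(unsigned_tx: dict) -> dict:
    """Stand-in for the terminal's real signer (assumption, not a real scheme):
    copies the transaction and attaches a mock signature over its outputs."""
    signed = json.loads(json.dumps(unsigned_tx))
    signed["signature"] = hashlib.sha256(canonical_outputs(unsigned_tx).encode()).hexdigest()
    return signed

def check_after_signing(unsigned_tx: dict, signed_tx: dict) -> bool:
    """The comparison the article says was skipped: outputs identical before and after signing."""
    return canonical_outputs(unsigned_tx) == canonical_outputs(signed_tx)

if __name__ == "__main__":
    approved = {"destination": "addr_dmm_cold_02", "amount_sat": 100_000}
    legit = {"outputs": [{"address": "addr_dmm_cold_02", "amount_sat": 100_000}]}
    swapped = {"outputs": [{"address": "addr_dmm_co1d_02", "amount_sat": 100_000}]}
    print(check_before_signing(legit, approved, ALLOWLIST))    # []
    print(check_before_signing(swapped, approved, ALLOWLIST))  # two findings
    print(check_after_signing(legit, sign(legit)))             # True
```

The swapped address differs from the allowlisted one by a single character, which is the kind of look-alike the review staff missed; an exact-match allowlist plus an independently delivered commitment catches it regardless of how convincing the format is.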
In response to this incident, experts recommend that exchanges strengthen employee training and security awareness education, and introduce multi-factor authentication together with staged transaction review. Tighter management and monitoring of outsourcing partners is also essential. For other exchanges using the Ginco system, prompt vulnerability assessments and interim defensive measures are particularly important.
This article, "Theft of 48.2 billion yen in Bitcoin from the Japanese exchange DMM: North Korean hackers involved, problems with internal operations and the outsourcing company Ginco", first appeared on Chain News ABMedia.