Background

On May 31, 2024, the Japanese cryptocurrency exchange DMM Bitcoin suffered the seventh largest cryptocurrency theft on record. One of its wallets was "accessed without authorization" and 4,502 BTC (about 2 billion RMB at the time) were taken. Preliminary analysis suggests three possible causes, which are examined below: a look-alike ("short address") scam, an address replacement attack, and a compromise of internal systems.

BitJungle uses its Zhong Kui traceability system to analyse this attack in depth. Zhong Kui reconstructs each step of the hack and also helps explain the real causes behind the incident, so that similar threats can be prevented in future. Details follow.


Fund Flow Analysis

Hacker address: 1B6rJRfjTXwEy36SCs5zofGMmdv2kdZw7P



From 1B6rJRfjTXwEy36SCs5zofGMmdv2kdZw7P the hacker split the stolen 4,502 BTC across 10 newly created addresses, roughly 450 BTC each (4,502 / 10). Fanning a large balance out into many similar-sized pieces held by fresh addresses is a deliberate layering step that makes the funds harder to follow.
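The split described above is a recognisable on-chain pattern, and a tracer can flag it automatically. The following detector is an added example, not code from the original post or from the Zhong Kui system: it walks a list of transactions in order and reports any source that paid a group of never-seen-before addresses amounts of similar size. Only the two source addresses are the ones quoted in the post; the ten receiving addresses, the transaction ids and the amounts are constructed to mirror the described pattern.

```python
"""Fan-out (layering) detector over a constructed transaction list.

Added example, not code from the original post or from the Zhong Kui system.
Only HACKER and DMM_HOT are addresses quoted in the post; the ten receiving
addresses, the amounts and the transaction ids are constructed.
"""
import statistics
from collections import defaultdict
from typing import Dict, List, Set, Tuple

HACKER = "1B6rJRfjTXwEy36SCs5zofGMmdv2kdZw7P"
DMM_HOT = "3P8MfdM4pULv7ozdQvfwAqNF29zAjmnUYD"

# Constructed sample, in chronological order: DMM's address pays the hacker
# address, which then scatters the funds over ten never-seen-before addresses.
SAMPLE_TXS: List[dict] = [
    {"txid": "tx00", "from": DMM_HOT, "outputs": [(HACKER, 4502.0)]},
] + [
    {"txid": f"tx{i + 1:02d}", "from": HACKER,
     "outputs": [(f"hop1_{i:02d}_placeholder", 450.0 + (i % 3) * 0.1)]}
    for i in range(10)
]


def detect_fan_out(txs: List[dict], min_fresh: int = 5,
                   spread: float = 0.25) -> List[Tuple[str, float, List[str]]]:
    """Return (source, total_btc, fresh_addresses) for every source that paid
    at least `min_fresh` previously unseen addresses amounts within +/-spread
    of their median.  That is the layering pattern used to split a large
    stolen balance into many similar-sized pieces before moving it on."""
    seen: Set[str] = set()
    fresh_payouts: Dict[str, List[Tuple[str, float]]] = defaultdict(list)
    for tx in txs:  # assumed chronological
        for addr, btc in tx["outputs"]:
            if addr not in seen:  # first appearance anywhere on chain
                fresh_payouts[tx["from"]].append((addr, btc))
            seen.add(addr)
        seen.add(tx["from"])

    findings = []
    for source, payouts in fresh_payouts.items():
        if len(payouts) < min_fresh:
            continue
        median = statistics.median([btc for _, btc in payouts])
        similar = [(a, b) for a, b in payouts if abs(b - median) <= spread * median]
        if len(similar) >= min_fresh:
            total = round(sum(b for _, b in similar), 8)
            findings.append((source, total, [a for a, _ in similar]))
    return findings


if __name__ == "__main__":
    for source, total, addrs in detect_fan_out(SAMPLE_TXS):
        print(f"{source} fanned out {total} BTC to {len(addrs)} fresh addresses")
```

The `seen` set is what makes the rule useful: paying ten long-standing counterparties is ordinary exchange traffic, while paying ten addresses that have never appeared on chain before, all of about the same size, is the signature of someone preparing stolen funds for onward movement. The addresses it returns are the ones to put on a watch list for the next hop.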

Event Analysis

1. Short address fraud

Before the theft, DMM Bitcoin had sent funds several times to the address 1B6rJ6ZKfZmkqMyBGe5KR27oWkEbQdNM7P. That address shares only its first five characters (1B6rJ) and its last two (7P) with the hacker's address, which are exactly the parts a person tends to check by eye. DMM may therefore have been tricked into copying the look-alike hacker address when preparing the transfer (the pattern often called address poisoning).


2. Address replacement attack

The hacker address had no transaction history at all before this incident. One possibility is that an internal communication channel of DMM Bitcoin (for example Telegram) was compromised and the legitimate destination address was swapped for the hacker's address before the transfer was executed, so the assets went straight to the attacker.


3. Internal systems are attacked

DMM's own address 3P8MfdM4pULv7ozdQvfwAqNF29zAjmnUYD had never sent more than 100 BTC in a single transfer before the theft. One explanation is that an internal system was compromised, the transaction content was replaced with the hacker's transaction, and the risk-control rules did not fire on a transfer roughly 45 times larger than anything the address had sent before, so the assets were lost.
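All three scenarios above would have been caught, or at least stopped for human review, by a withdrawal gate that checks the destination and the amount before a transfer is signed. The following gate is an added example, not code from the original post, from the Zhong Kui system or from DMM Bitcoin: it validates the Base58Check checksum, holds any destination that is not on an allowlist (and names the allowlisted address it imitates, if any, to cover scenarios 1 and 2), and holds any amount far above the sending wallet's historical maximum (scenario 3). The three addresses are the ones quoted in the post; the allowlist, the history figures, the thresholds and all function names are assumptions made for illustration.

```python
"""Withdrawal gate: address integrity, look-alike detection, amount anomaly.

Added example, not code from the original post, from the Zhong Kui system or
from DMM Bitcoin.  The three addresses are the ones quoted in the post; the
allowlist, history figures, thresholds and function names are assumptions.
"""
import hashlib
from typing import Dict, List, Optional, Tuple

ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

LEGIT_DEST = "1B6rJ6ZKfZmkqMyBGe5KR27oWkEbQdNM7P"   # paid by DMM before the theft
HACKER_DEST = "1B6rJRfjTXwEy36SCs5zofGMmdv2kdZw7P"  # received the 4,502 BTC
DMM_HOT = "3P8MfdM4pULv7ozdQvfwAqNF29zAjmnUYD"      # DMM's sending address


def base58check_decode(addr: str) -> Optional[bytes]:
    """21-byte payload (version + hash160) of a legacy P2PKH/P2SH address,
    or None on a bad character, wrong length or failed double-SHA256 checksum."""
    n = 0
    for ch in addr:
        idx = ALPHABET.find(ch)
        if idx < 0:
            return None
        n = n * 58 + idx
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    leading_zeros = len(addr) - len(addr.lstrip("1"))  # each leading '1' is 0x00
    raw = b"\x00" * leading_zeros + body
    if len(raw) != 25:
        return None
    payload, checksum = raw[:21], raw[21:]
    digest = hashlib.sha256(hashlib.sha256(payload).digest()).digest()
    return payload if digest[:4] == checksum else None


def shared_prefix_suffix(a: str, b: str) -> Tuple[int, int]:
    """Lengths of the common prefix and of the common suffix after it."""
    limit = min(len(a), len(b))
    p = 0
    while p < limit and a[p] == b[p]:
        p += 1
    s = 0
    while s < limit - p and a[-1 - s] == b[-1 - s]:
        s += 1
    return p, s


def find_lookalike(dest: str, allowlist: List[str],
                   min_prefix: int = 4, min_suffix: int = 2) -> Optional[str]:
    """Allowlisted address that `dest` imitates (same leading and trailing
    characters, which is all a human usually compares), or None."""
    for known in allowlist:
        if known == dest:
            continue
        p, s = shared_prefix_suffix(dest, known)
        if p >= min_prefix and s >= min_suffix:
            return known
    return None


def vet_withdrawal(source: str, dest: str, amount_btc: float,
                   allowlist: List[str], sent_history: Dict[str, List[float]],
                   anomaly_factor: float = 3.0) -> Dict[str, object]:
    """Policy (an assumption for this example): reject malformed addresses,
    hold anything not on the allowlist (flagging look-alikes), and hold any
    amount above anomaly_factor x the largest transfer `source` ever made.
    Every decision other than 'allow' needs out-of-band human approval."""
    report: Dict[str, object] = {"source": source, "dest": dest,
                                 "amount_btc": amount_btc, "lookalike_of": None}
    if base58check_decode(dest) is None:
        report["decision"] = "reject"
        return report
    if dest not in allowlist:
        report["lookalike_of"] = find_lookalike(dest, allowlist)
        report["decision"] = ("hold_lookalike" if report["lookalike_of"]
                              else "hold_new_address")
        return report
    prev_max = max(sent_history.get(source, []), default=0.0)
    report["prev_max_btc"] = prev_max
    report["decision"] = ("hold_amount" if amount_btc > anomaly_factor * prev_max
                          else "allow")
    return report


if __name__ == "__main__":
    # Constructed history: the source wallet never sent more than 100 BTC at once.
    history = {DMM_HOT: [40.0, 85.5, 100.0]}
    for dest, amt in [(LEGIT_DEST, 90.0), (LEGIT_DEST, 4502.0), (HACKER_DEST, 4502.0)]:
        print(vet_withdrawal(DMM_HOT, dest, amt, [LEGIT_DEST], history))
```

Two design points matter here. The look-alike check is deliberately weaker than equality: an attacker who poisons a transaction history picks an address whose first and last few characters match, so the gate compares exactly those parts and refuses to let such a destination through without a human confirming it over a second channel. And the amount rule is relative to the wallet's own history rather than a fixed limit, so a transfer 45 times larger than anything the wallet has ever sent is held even if no absolute threshold was configured; a fixed cap alone is easy to set too high and then forget.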

Summary

The DMM Bitcoin theft is another warning that the industry must keep strengthening its security. Trading platforms need to keep refining their security strategy, improve their technical defences, and invest in user education and industry cooperation to keep up with constantly changing threats.

BitJungle will continue to follow security incidents of this kind. To get in touch, contact BitJungle on its official Twitter account @bitjungle_team or at the official email address bitjungle@163.com.

To prevent similar incidents, BitJungle offers the following recommendations from a security perspective.

Enhanced security protection

Use multi-signature wallets so that large transfers require approval from several administrators. Keep most funds in offline cold wallets and keep hot-wallet balances as low as operations allow.


Improve employee training

Train employees regularly so that they recognise phishing attacks and address substitution. Establish strict operating procedures to prevent asset loss through human error. Use blockchain analysis tools to track the flow of funds so that security incidents can be responded to quickly.

Strengthen internal communication security

Use secure, end-to-end encrypted communication tools so that attackers cannot obtain internal information through phishing. Review and update the security of internal communication tools regularly to prevent information leakage.

Establishing an emergency response mechanism

Form a dedicated security team that is ready to respond to unexpected security incidents at any time. When an incident occurs, immediately freeze the affected accounts and notify users in order to limit their losses.