Decoding the Japanese exchange DMM hack that cost 48.2 billion yen in BTC: North Korean hackers were involved, and internal operations and outsourcing contractor Ginco all had problems

In May 2024, the Japanese cryptocurrency exchange DMM Bitcoin suffered a major asset-loss incident, and the loss was attributed to a North Korea-linked hacker group. The incident exposed potential weaknesses in the exchange's internal system management and security checks, and has triggered widespread industry discussion of wallet management and transaction security.

(Licensed Japanese exchange DMM suffered a theft of 4,503 BTC, a loss of 48.2 billion yen)

Japanese police investigation: fake recruitment, and hackers quietly infiltrate the system

Recently, the Japanese police revealed that the hackers approached an engineer at the outsourced company that developed DMM Bitcoin's systems under the guise of a recruitment event. Using a technical test as the pretext, they induced the engineer to download a malicious program. That program was then used to infiltrate DMM's trading system and tamper with a legitimate transaction request, and a large amount of crypto assets ended up transferred to the attackers' wallet.
</gml_replace>
<gr_replace lines="11" cat="clarify" orig="(FBI Reveals">
(FBI: North Korea is aggressively targeting the cryptocurrency industry, using social engineering against employees of crypto companies)

(FBI Reveals: North Korea Actively Invading the Cryptocurrency Industry, Social Engineering Targeting Employees of Coin Companies)

Where was the loophole in DMM's system?

The incident has focused attention on DMM's cold wallet management and transaction review process. According to analysis, DMM, as the ultimate custodian of the assets, held the private key required to transfer them. However, the incident suggests that the attackers exploited weaknesses in the communication between the management device and the cold wallet terminal to tamper with the transaction's destination address. The crux of the address-tampering attack is that the attacker's address has the same format as a legitimate address, so the employees responsible for transaction review did not notice anything abnormal.

The role of the outsourcer Ginco: outsourced system or potential hazard?

The DMM incident also involves Ginco, the outsourcing company that provides the wallet system. Ginco is mainly responsible for address management and transaction generation, but its internal systems may have become the attackers' point of entry. Some analysts believe the hackers injected tampered transaction data through Ginco's management device, and the tampered transaction was then signed on DMM's cold wallet terminal. Had DMM carefully compared the transaction content before and after signing, the anomaly should have been detected, but in practice this step was overlooked.

North Korean hacker strategy meets a latent DMM vulnerability: the breach

The attack is believed to have been a carefully planned operation by North Korean hackers. Although exchanges routinely move assets between wallets as a security measure, DMM's system operation exposed weaknesses during such a transfer, making it the attackers' primary target. Experts point out that the attackers likely chose a predictable and workable moment, and carried out a precise strike by exploiting DMM's operational habits.

A warning for the cryptocurrency industry: internal and external defenses are both indispensable

The incident is seen as a serious warning to the entire cryptocurrency industry. Even though cold wallet environments are considered the safest way to manage assets, attackers can still exploit outsourced management systems or gaps in internal review. The industry must therefore strengthen security checks at every link in the chain, from transaction generation to final signature, and adhere to the principle of "Don't trust, verify."

In response to the incident, experts suggest that exchanges strengthen employee training and security-awareness education, and introduce multi-factor review of transactions step by step. Strengthening the management and monitoring of outsourced partner companies is also essential. It is particularly important for other exchanges that use the Ginco system to promptly conduct vulnerability scans and put interim defensive measures in place.
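The check the analysis above says was skipped, comparing what was approved with what is actually about to be signed, can be expressed as a small pre-signature gate. The following is an added example written for this article, not code from DMM, Ginco or any real wallet product: it models outputs with plain dataclasses instead of a Bitcoin library, and the addresses, amounts, `Output`, `verify_transaction` and `sign_if_verified` names are all constructed for illustration. It also flags the specific failure mode described above, an unapproved address that shares its leading and trailing characters with an approved one and therefore passes a quick visual review.

```python
"""
Pre-signature verification of a cold-wallet withdrawal (constructed example).

The signing side is given two things: the transfer that operators approved
(recipient address + amount) and the transaction handed over by the upstream
transaction-generation system. It refuses to sign unless every output is
either an approved recipient with the approved amount or a known change
address. Nothing here talks to a real chain; the data model is a stand-in.
"""
from dataclasses import dataclass
from typing import Callable, Iterable, List, Set


@dataclass(frozen=True)
class Output:
    address: str      # recipient address as a string
    amount_sat: int   # amount in satoshi


class TransferMismatch(Exception):
    """Raised when the proposed transaction does not match the approval."""


def _looks_like_substitution(candidate: str, approved: str, edge: int = 4) -> bool:
    """True if two addresses differ but share the same first/last characters,
    the pattern a glance at a truncated address on a screen tends to miss."""
    if candidate == approved:
        return False
    return (len(candidate) == len(approved)
            and candidate[:edge] == approved[:edge]
            and candidate[-edge:] == approved[-edge:])


def verify_transaction(approved: Iterable[Output], proposed: Iterable[Output],
                       change_addresses: Set[str] = frozenset()) -> List[str]:
    """Compare the approved transfer with the transaction presented for signing.

    Returns a list of findings; an empty list means the transaction is exactly
    what was approved (plus change to known addresses).
    """
    approved_by_addr = {o.address: o.amount_sat for o in approved}
    findings: List[str] = []
    seen: Set[str] = set()

    for out in proposed:
        if out.address in approved_by_addr:
            seen.add(out.address)
            want = approved_by_addr[out.address]
            if out.amount_sat != want:
                findings.append(f"amount mismatch for {out.address}: "
                                f"approved {want} sat, proposed {out.amount_sat} sat")
        elif out.address in change_addresses:
            continue  # change back to our own wallet is expected
        else:
            lookalikes = [a for a in approved_by_addr
                          if _looks_like_substitution(out.address, a)]
            if lookalikes:
                findings.append(f"unapproved output {out.address} resembles approved "
                                f"address {lookalikes[0]} (possible address substitution)")
            else:
                findings.append(f"unapproved output {out.address} ({out.amount_sat} sat)")

    # Every approved recipient must actually appear in the transaction.
    for addr in approved_by_addr:
        if addr not in seen:
            findings.append(f"approved recipient {addr} missing from transaction")
    return findings


def sign_if_verified(approved: Iterable[Output], proposed: Iterable[Output],
                     change_addresses: Set[str],
                     signer: Callable[[List[Output]], bytes]) -> bytes:
    """Gate the signing step: sign only when verification produced no findings."""
    proposed = list(proposed)
    findings = verify_transaction(approved, proposed, change_addresses)
    if findings:
        raise TransferMismatch("; ".join(findings))
    return signer(proposed)


# Constructed sample data: these are NOT real addresses, just same-length
# strings that share a prefix and suffix, as a substituted address would.
APPROVED_ADDR = "bc1q" + "a" * 30 + "7k2m"
LOOKALIKE_ADDR = "bc1q" + "b" * 30 + "7k2m"
CHANGE_ADDR = "bc1q" + "c" * 30 + "9z4p"
ONE_BTC = 100_000_000


def demo() -> List[str]:
    """Run the check against a tampered transaction and return the findings."""
    approved = [Output(APPROVED_ADDR, ONE_BTC)]
    tampered = [Output(LOOKALIKE_ADDR, ONE_BTC), Output(CHANGE_ADDR, 5_000)]
    return verify_transaction(approved, tampered, {CHANGE_ADDR})


if __name__ == "__main__":
    for line in demo():
        print("REJECT:", line)
```

The design point is that the comparison is made on the signing side against an independently recorded approval, not against data supplied by the same system that generated the transaction; a compromised upstream component can then change the destination, but it cannot make the tampered output look approved.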

This article, "Decoding the Japanese exchange DMM theft of 48.2 billion yen in BTC: North Korean hackers involved, internal operations and outsourcer Ginco all had problems", first appeared on Chain News ABMedia.
