DMM Bitcoin Hack — May 2024 Post-Mortem (Aggregated)
Overview
Hackers siphoned off 4,502.9 bitcoin, worth nearly $305 million at the time, making it one of the largest cryptocurrency heists in history. In late May 2024, the actors used the access they had already gained to manipulate a legitimate transaction request by a DMM employee, resulting in the loss of 4,502.9 BTC (reported as worth $308 million at the time of the attack).
Attribution to Lazarus Group
Japanese and U.S. authorities formally attributed the theft to North Korean cyber actors. The theft is affiliated with TraderTraitor threat activity, which is also tracked as Jade Sleet, UNC4899, and Slow Pisces.
Attack Methodology
• The threat actors contacted an employee at a Japan-based cryptocurrency wallet software company named Ginco in March 2024, posing as a recruiter and sending them a URL to a malicious Python script.
• The victim, who had access to Ginco's wallet management system, was subsequently compromised after they copied the Python code to their personal GitHub page.
• The adversary exploited session cookie information to impersonate the compromised employee and gained access to Ginco's unencrypted communications system.
• They used this access to manipulate a legitimate transaction request by a DMM employee.
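The final step above turned on an intermediary being able to alter a transaction request in transit, after impersonating a trusted employee over an unencrypted channel. The following is an added illustration, not code from DMM, Ginco or the reports being summarised, of the kind of control that blunts that step: the requester authenticates each withdrawal request with a per-person key, and the signing side re-verifies the authenticated fields (including the destination) before applying an allowlist, a replay check and a per-transaction limit. The key material, addresses and amounts are constructed placeholders.

```python
import hashlib
import hmac
import json

# Constructed demo data: in practice the requester's key lives in an HSM or secrets manager
# and is never shared with the communications channel that carries the request.
REQUESTER_KEYS = {
    "ops-alice": b"constructed-demo-key-alice",
}

# Allowlisted withdrawal destinations (constructed placeholder addresses).
DESTINATION_ALLOWLIST = {
    "bc1q-constructed-coldwallet-000",
    "bc1q-constructed-exchange-001",
}

PER_TX_LIMIT_BTC = 100.0

# Fields covered by the authentication tag; anything outside this set is not trusted.
SIGNED_FIELDS = ("requester", "nonce", "destination", "amount_btc")


def canonical(request):
    """Serialise the signed fields deterministically so both sides authenticate identical bytes."""
    fields = {k: request[k] for k in SIGNED_FIELDS}
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def sign_request(request, key):
    """HMAC-SHA256 over the canonical request, computed by the requester with their own key."""
    return hmac.new(key, canonical(request), hashlib.sha256).hexdigest()


def verify_request(request, seen_nonces):
    """Return (accepted, reason). Checks run in order: origin, replay, destination, limit."""
    key = REQUESTER_KEYS.get(request.get("requester"))
    if key is None:
        return False, "unknown requester"
    expected = sign_request(request, key)
    # Constant-time compare; a tampered destination or amount changes the canonical bytes.
    if not hmac.compare_digest(expected, request.get("signature", "")):
        return False, "signature mismatch: request altered or not from requester"
    if request["nonce"] in seen_nonces:
        return False, "replayed nonce"
    if request["destination"] not in DESTINATION_ALLOWLIST:
        return False, "destination not allowlisted"
    if request["amount_btc"] > PER_TX_LIMIT_BTC:
        return False, "amount exceeds per-transaction limit"
    seen_nonces.add(request["nonce"])
    return True, "ok"


def demo():
    """Run one legitimate request and three failure cases through verify_request."""
    seen = set()
    legit = {"requester": "ops-alice", "nonce": "n-0001",
             "destination": "bc1q-constructed-coldwallet-000", "amount_btc": 25.0}
    legit["signature"] = sign_request(legit, REQUESTER_KEYS["ops-alice"])

    # Same message after an intermediary swaps the destination (constructed scenario);
    # the intermediary cannot re-sign because it does not hold the requester's key.
    tampered = dict(legit, destination="bc1q-constructed-attacker-999")

    # Correctly signed but over the per-transaction limit (constructed amount).
    oversize = {"requester": "ops-alice", "nonce": "n-0002",
                "destination": "bc1q-constructed-coldwallet-000", "amount_btc": 4502.9}
    oversize["signature"] = sign_request(oversize, REQUESTER_KEYS["ops-alice"])

    return {
        "legit": verify_request(legit, seen),
        "tampered": verify_request(tampered, seen),
        "replay": verify_request(legit, seen),
        "oversize": verify_request(oversize, seen),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:9s} -> {outcome}")
```

The point of the design is that the destination and amount are bound to the requester's key, so a channel compromise alone is not enough to redirect funds; the allowlist and limit then cap the damage even if a requester's own endpoint is compromised. Large withdrawals would additionally require a second, independently keyed approver.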
Fund Laundering
The hackers deposited the stolen Bitcoin into privacy mixers, withdrew it, and bridged the funds to Ethereum or Avalanche via the cross-chain liquidity protocol THORChain. They reportedly laundered more than $35 million through Huione Guarantee, a Cambodian online marketplace.
Consequences
DMM Bitcoin shut down and transferred its accounts and assets to trading platform SBI VC Trade.