DMM Bitcoin said that it planned to transfer all customer accounts and company assets to the crypto firm SBI VC Trade after a hacking incident in May.
# Incident Report: Massive Bitcoin Theft and Subsequent Collapse of DMM Bitcoin
## Executive Summary
Hackers stole approximately 4,502.9 Bitcoin, valued at $308 million at the time, from the Japanese cryptocurrency platform DMM Bitcoin on May 31st. This massive loss forced the company to secure major loans and ultimately led the Financial Services Agency to identify severe systemic risk management failures. As a result of the sustained operational impact and inability to assure customer funds, DMM Bitcoin announced its plan to cease operations and transfer all customer assets to SBI VC Trade.
## Incident Details
- Discovery Date: May 31, 2024 (implied; the unauthorized outflow was detected on the same day the theft occurred)
- Incident Date: May 31, 2024
- Affected Organization: DMM Bitcoin
- Sector: Cryptocurrency Exchange / Financial Services
- Geography: Japan
## Timeline of Events
### Initial Access
- Date/Time: May 31, 2024
- Vector: Undisclosed network intrusion or system vulnerability.
- Details: Hackers gained unauthorized access and siphoned 4,502.9 BTC.
### Lateral Movement
- Details: Stolen funds were quickly split and sent to at least 10 different wallets, indicating rapid dispersal of the stolen assets to external addresses.
### Data Exfiltration/Impact
- Impact: Loss of 4,502.9 BTC (valued at $308 million at the time, over $429 million by the report date). Withdrawals and purchase orders were restricted immediately following the incident.
### Detection & Response
- Detection: The unauthorized outflow of cryptocurrency was detected on May 31.
- Response actions taken: Withdrawals were restricted, large loans (55 billion yen, about $367 million) were taken out in June to cover potential losses, and the Financial Services Agency (FSA) launched an investigation resulting in a business improvement order in September. Ultimately, the company decided to transfer all assets to SBI VC Trade and discontinue business operations by March 2025.
## Attack Methodology
- Initial Access: Undisclosed (Likely related to system vulnerability or operational failure).
- Persistence: Not explicitly detailed, but rapid exfiltration suggests exploiting an existing access method.
- Privilege Escalation: Not detailed.
- Defense Evasion: Funds were rapidly laundered, which may show preparatory evasion techniques.
- Credential Access: Not detailed.
- Discovery: Not detailed.
- Lateral Movement: Stolen funds were distributed across at least 10 different wallets immediately post-theft.
- Collection: Not detailed.
- Exfiltration: Bulk transfer of Bitcoin to external addresses.
- Impact: Direct financial loss totaling $308 million in 2024 BTC value.
## Impact Assessment
- Financial: Estimated loss of $308 million in cryptocurrency; the company secured loans totaling about $367 million USD to manage the fallout; the business is being discontinued.
- Data Breach: Not specified whether customer data was accessed; reporting focused on the asset theft.
- Operational: Sustained restriction of withdrawals and purchases since May 31st; business termination planned.
- Reputational: Significant damage, leading to the closure/acquisition of the platform.
## Indicators of Compromise
- Network indicators: Stolen funds were traced to at least 10 initial receiving wallets, with some proceeds later laundered through the Cambodian platform Huione Guarantee; the source provides no specific domain or wallet-address indicators.
- File indicators: None provided.
- Behavioral indicators: Rapid splitting and dispersal of a large volume of cryptocurrency immediately after the security event. Attribution points toward the Lazarus Group based on laundering patterns.
## Response Actions
- Containment measures: Withdrawals and purchase orders were immediately restricted following the theft.
- Eradication steps: The FSA investigation indicated fundamental failures in risk management, suggesting the need for a complete overhaul or replacement of the security infrastructure/leadership.
- Recovery actions: Decided to transfer all customer accounts and assets to SBI VC Trade rather than attempting to rebuild operations independently.
## Lessons Learned
- Critical failure in risk management: The FSA found "serious problems" regarding the system risk management structure.
- Lack of independence: Risk management, security, and development were consolidated under a small team, and necessary independent audits were not performed.
- Insufficient logging: The company failed to preserve necessary logs required for the regulatory investigation.
- Insufficient controls: Management practices regarding crypto asset transfers were "sloppy," failing to establish systems to prevent fraudulent outflows.
## Recommendations
- Implement robust, independent internal audit functions separate from operational and development silos.
- Ensure comprehensive logging and monitoring systems are in place and maintained according to regulatory standards to aid in post-incident forensics.
- Establish clear, segregated roles for security and risk management personnel, preventing consolidation of these critical functions within a small operational group.
- Review and enforce strict protocols for cryptocurrency transfers, especially for large volumes, ensuring multi-signature or other strong authorization steps are enforced.
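As an added, illustrative example (not DMM Bitcoin's or SBI VC Trade's code, and not code from the source report), the following Python sketches the controls these recommendations call for: a transfer-authorization gate that requires approvals from distinct roles for large withdrawals, per-window outflow and destination-count limits, an append-only audit record of every decision, and a retrospective detector for the "split to many wallets" pattern noted in the behavioral indicators. All thresholds, role names, addresses and transfers are constructed assumptions.

```python
"""Withdrawal-authorization gate and outflow monitoring for a custodial hot
wallet. Added example: thresholds, roles, addresses and transfers are
constructed for illustration, not real controls or data."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Policy parameters (assumed values; tune to reserves and risk appetite)
LARGE_TRANSFER_BTC = 50.0            # at/above this, multi-party approval is required
REQUIRED_APPROVALS = 2               # distinct approvers AND distinct roles
MAX_OUTFLOW_PER_WINDOW_BTC = 200.0   # total released outflow allowed per window
WINDOW_SEC = 3600
MAX_DISTINCT_DESTS_PER_WINDOW = 5    # cap on distinct destinations per window


@dataclass
class Transfer:
    tx_id: str
    amount_btc: float
    dest: str
    ts: float                                                # unix seconds
    approvals: Dict[str, str] = field(default_factory=dict)  # approver id -> role


class TransferPolicy:
    def __init__(self) -> None:
        self.released: List[Transfer] = []   # transfers actually released on-chain
        self.audit_log: List[dict] = []      # append-only decision records

    def evaluate(self, t: Transfer, now: float) -> Tuple[str, List[str]]:
        reasons: List[str] = []
        if t.amount_btc >= LARGE_TRANSFER_BTC:
            if len(t.approvals) < REQUIRED_APPROVALS:
                reasons.append("insufficient approvals")
            elif len(set(t.approvals.values())) < REQUIRED_APPROVALS:
                reasons.append("approvals not independent (same role)")
        recent = [r for r in self.released if now - r.ts <= WINDOW_SEC]
        if sum(r.amount_btc for r in recent) + t.amount_btc > MAX_OUTFLOW_PER_WINDOW_BTC:
            reasons.append("window outflow limit exceeded")
        dests = {r.dest for r in recent}
        if t.dest not in dests and len(dests) >= MAX_DISTINCT_DESTS_PER_WINDOW:
            reasons.append("too many distinct destinations in window")
        decision = "RELEASE" if not reasons else "HOLD"
        # Record every decision, held or released, so forensics has a trail.
        self.audit_log.append({"tx_id": t.tx_id, "ts": now, "amount_btc": t.amount_btc,
                               "dest": t.dest, "approvers": sorted(t.approvals),
                               "decision": decision, "reasons": list(reasons)})
        if decision == "RELEASE":
            self.released.append(t)
        return decision, reasons


def dispersal_alert(transfers: List[Transfer], window_sec: float, min_dests: int,
                    min_total_btc: float) -> List[Tuple[float, int, float]]:
    """Retrospective detector over a ledger export: flag each window start at
    which outflow reached at least min_dests distinct addresses and summed to
    at least min_total_btc (the rapid split-and-disperse pattern)."""
    alerts = []
    ordered = sorted(transfers, key=lambda x: x.ts)
    for i, start in enumerate(ordered):
        group = [x for x in ordered[i:] if x.ts - start.ts <= window_sec]
        dests = {x.dest for x in group}
        total = sum(x.amount_btc for x in group)
        if len(dests) >= min_dests and total >= min_total_btc:
            alerts.append((start.ts, len(dests), total))
    return alerts


def demo() -> dict:
    """Run the gate over constructed transfers and return the decisions."""
    policy = TransferPolicy()
    one_ops = {"alice": "ops"}
    two_ops = {"alice": "ops", "bob": "ops"}          # two people, one role
    independent = {"alice": "ops", "carol": "risk"}   # segregated roles
    small, _ = policy.evaluate(Transfer("t1", 1.0, "bc1qdest01", 0.0), 0.0)
    single, _ = policy.evaluate(Transfer("t2", 60.0, "bc1qdest02", 10.0, one_ops), 10.0)
    same_role, same_reasons = policy.evaluate(Transfer("t3", 60.0, "bc1qdest02", 20.0, two_ops), 20.0)
    good, _ = policy.evaluate(Transfer("t4", 60.0, "bc1qdest02", 30.0, independent), 30.0)
    # A sweep to many fresh addresses: the destination cap halts it mid-way.
    sweep = [policy.evaluate(Transfer(f"s{i}", 10.0, f"bc1qsplit{i:02d}", 100.0 + i, independent),
                             100.0 + i)[0] for i in range(8)]
    # Fully approved but pushes window outflow past the limit.
    velocity, _ = policy.evaluate(Transfer("t5", 150.0, "bc1qdest02", 200.0, independent), 200.0)
    # Constructed ledger resembling a theft: 10 large transfers to 10 wallets in minutes.
    ledger = [Transfer(f"x{i}", 450.0, f"bc1qattacker{i:02d}", 1000.0 + 30 * i) for i in range(10)]
    return {"small": small, "single": single, "same_role": same_role,
            "same_role_reasons": same_reasons, "independent": good, "sweep": sweep,
            "velocity": velocity, "audit_entries": len(policy.audit_log),
            "theft_alerts": dispersal_alert(ledger, 3600, 10, 1000.0)}


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The gate deliberately holds rather than rejects: a held transfer stays pending for human review with its reasons logged, which is the record an investigation later needs. The retrospective detector is what a monitoring pipeline would run over hot-wallet ledger exports to raise an alarm within minutes of an outflow burst, rather than discovering it after the fact.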