June 04, 2024
More than $300 million in losses! Analysis of 4502.9 $BTC abnormal outflow on DMM Bitcoin exchange
On May 31, according to the Beosin Alert security risk monitoring and alert platform, DMM Bitcoin exchange, a subsidiary of the Japanese securities company DMM.com, experienced a huge unauthorized outflow of Bitcoin, with an outflow amount of about 48 billion yen (about $300 million).
DMM Bitcoin subsequently announced that the details and causes of the loss are still under investigation, and that the exchange has restricted new user account opening and crypto asset withdrawal, stopped spot trading orders, and suspended leveraged trading orders and other services.
Regarding this security incident, Beosin first conducted an analysis of the potential vulnerabilities and the flow of the stolen funds.
Vulnerability analysis
The Beosin security team conducted a comprehensive review of the withdrawal process of the DMM Bitcoin exchange. The exchange physically isolates and manages the crypto assets held by customers, and more than 95% of customer assets are stored in cold wallets.
When crypto assets need to be transferred from a cold wallet to a hot wallet, DMM Bitcoin exchange conducts the transfer by a two-person team and requires the approval of multiple departments, including directors. Once the transfer is completed, the details of the asset transfer need to be shared within the company.
According to the analysis of Beosin security experts, there are two possible attacks in this security incident:
1. Traditional exchange attack. The signature service of the DMM Bitcoin exchange was attacked, or the multi-signature private key was leaked, and the attacker completed the transfer of assets. The attackers received the funds at addresses similar to historical transfer addresses, so that exchange insiders would not notice the anomaly.
2. Fake address scams. The relevant wallet personnel in the DMM Bitcoin exchange only checked the first 5 digits and the last 2 digits of the address during the transfer, and did not carefully check the full address, resulting in the transfer to the hacker address.
As the cause of the attack is still under internal investigation, DMM Bitcoin exchange has not disclosed more details of the incident, and the exact cause and process of the attack have not yet been determined. The Beosin security team will closely monitor the incident and make a full analysis of the cause of the incident when more information becomes available.
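A defensive counterpart to the partial address check described in scenario 2, as an added example (not Beosin's or DMM Bitcoin's code): it approves a withdrawal destination only on an exact full-string match against an allowlist, and flags any address that would have passed the first-5/last-2 check. The allowlist entries, labels and function names are constructed for illustration.

```python
from typing import NamedTuple, Optional

PREFIX_LEN = 5  # leading characters checked in the scenario described above
SUFFIX_LEN = 2  # trailing characters checked in the scenario described above

# Constructed sample data: placeholder strings, not real wallet addresses.
ALLOWLIST = {
    "hot-wallet-1": "1HotWaLLetAAAAbbbbCCCCddddEEEE9xQ",
    "hot-wallet-2": "bc1qexamplehotwallet0000000000000000zz",
}


class Verdict(NamedTuple):
    status: str                 # "approved", "lookalike" or "unknown"
    label: Optional[str]        # allowlist entry matched or imitated
    diff_positions: tuple = ()  # indexes where a look-alike differs


def partial_match(a: str, b: str) -> bool:
    """The weak check: compare only the first 5 and last 2 characters."""
    return a[:PREFIX_LEN] == b[:PREFIX_LEN] and a[-SUFFIX_LEN:] == b[-SUFFIX_LEN:]


def check_destination(candidate: str, allowlist: dict) -> Verdict:
    """Approve only an exact full-string match; flag partial matches."""
    candidate = candidate.strip()
    for label, known in allowlist.items():
        if candidate == known:
            return Verdict("approved", label)
    for label, known in allowlist.items():
        if partial_match(candidate, known):
            # Show the reviewer exactly where the strings diverge.
            diffs = tuple(i for i, (x, y) in enumerate(zip(candidate, known)) if x != y)
            return Verdict("lookalike", label, diffs)
    return Verdict("unknown", None)


# Constructed look-alike: same first 5 and last 2 characters as hot-wallet-1.
_known = ALLOWLIST["hot-wallet-1"]
SPOOFED = _known[:PREFIX_LEN] + "z" * 26 + _known[-SUFFIX_LEN:]

if __name__ == "__main__":
    print(check_destination(_known, ALLOWLIST))
    print(check_destination(SPOOFED, ALLOWLIST))
```

A "lookalike" verdict should block the transfer and raise an alert rather than prompt for a manual override, since the visual similarity is what defeats human review.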
Flow of stolen funds
According to Beosin Trace, the 4502.9 BTC stolen so far has been dispersed by the attackers to 10 new addresses. Beosin Trace has marked the address as belonging to the DMM Bitcoin Hacker and will continuously monitor the flow of the stolen funds.
At present, the underlying address database of Beosin Trace contains billions of address tags and 60 million black addresses, supporting 17 blockchains, asset tracing of more than 6 million token types, and the analysis of more than 60 cross-chain bridging protocols. When attackers disperse stolen funds, attempt to launder funds through cross-chain bridge protocols, or exchange them for other tokens, Beosin Trace analyzes the flow of funds accurately and in real time, visualizes the fund link, locates the deposit address, and assists law enforcement agencies in recovering stolen assets.
The attack address of this incident:
1B6rJRfjTXwEy36SCs5zofGMmdv2kdZw7P
Fund storage address:
Latest Update
According to the DMM Bitcoin website, the funds deposited by DMM Bitcoin customers are managed separately by Japan Securities Trust Bank Ltd. with SBI Clearing Trust Co., Ltd. Even if DMM Bitcoin goes bankrupt, customers' funds held in the trust will be protected.
At present, DMM Bitcoin has said that they will purchase BTC with the support of the group of companies to match the outflow volume, in order to guarantee 100% of the BTC assets held by customers.