A Bitcoin leak incident occurred at DMM Bitcoin, a domestic cryptocurrency exchange. Let's think about the security of the exchange based on the summary of the incident and the response afterwards.
◉ Masashi Ito
38 years old, freelance writer. Specializes in the latest technology, mainly Web 3.0. Although he has never been hacked into cryptocurrency, he has lost cryptocurrency due to mistaken transfers.
◉ Kou Ishikawa
43 years old, company manager. Works as a consultant, mainly dealing with security measures and security incidents. Although it is always better to take security measures, no one can prevent 100% of security incidents, so he believes that the most important thing is to respond after the fact.
Ito: In May, there was an incident where Bitcoin was leaked from DMM Bitcoin, one of Japan's cryptocurrency exchanges. In this article, we will talk about the summary of the incident, the response of the exchange, and the security issues of cryptocurrency.
Ishikawa: Let's look back at the summary of this incident based on the official announcement by DMM Bitcoin. First of all, the incident occurred on May 31, 2024. It was revealed that 4,502.9 BTC, equivalent to about 48.2 billion yen in Japanese yen, had been illegally leaked from DMM Bitcoin's wallet.
Ito: A wallet is software for managing crypto assets. In other words, the bitcoins held by DMM Bitcoin were leaked to the outside for some reason.
Ishikawa: This amount of damage is the seventh largest among all crypto asset-related hacking and illegal leaking incidents to date.
Ito: The damage from the Coincheck NEM leak incident in 2018 was about 58 billion yen. The damage from the hacking incident at the Mt. Gox exchange in 2011 was about 48 billion yen, so this is the second or third largest damage in Japan.
Ishikawa: After this incident occurred, DMM Bitcoin immediately announced that a damage had occurred. Also, on the day of the incident, they announced, "Please rest assured that we will procure the equivalent of the amount of Bitcoin (BTC) that was leaked with support from our group companies and fully guarantee the entire amount of Bitcoin (BTC) that customers have deposited. "
Ito: That was a very swift response.
Ishikawa: In the past, when cryptocurrency hacking incidents occurred, anxiety spread among users and the cryptocurrency market, and there have been many cases where cryptocurrency prices plummeted. This was a move that prevented that from happening quickly. After that, we secured compensation funds by borrowing from group companies and increasing capital in June.
Ito: Did it have any impact on the Bitcoin price?
Ishikawa: It seems fair to say that it had almost no impact. After the leak was discovered, the price fell by hundreds of thousands of yen, but it rose again five days after the incident. The Bitcoin price is already around 10 million yen, and fluctuations of hundreds of thousands of yen are commonplace, so it cannot be said that the incident caused the crash. It has already been about a month and a half since the incident, but there is still no indication that the incident caused the crash. After the Cointick hack, the price of Bitcoin fell by about 35% in the 10 days following the incident. In comparison, there was almost no impact this time.
Ito: Why was there almost no impact on the price?
Ishikawa: First of all, DMM Bitcoin's response was very good. They announced the facts on the same day the incident was discovered and stated that they would guarantee users' assets. They must have learned from past cases that a quick response is necessary when such an incident is discovered. The DMM Group is a major IT company in Japan, so many people predicted that it would not be impossible to raise funds from the group companies, which was a source of relief.
Another reason is that the market size of Bitcoin itself has become large, so even if a leakage incident of this scale occurs, the impact on the market is relatively small. In addition, even after many illegal leakages and hacking incidents of crypto assets in the past, the history of Bitcoin prices continuing to rise is also a support for trust.
Ito: In the past, when crypto asset leakage incidents occurred, we often heard voices such as "Bitcoin is over" or "In the end, all crypto assets are scams." This time, we have not heard many such opinions.
Ishikawa: As with past cases, we need to separate the two points: is there a problem with the Bitcoin system itself, or is there a problem with the system of the exchange that stores it?
Ito: This case is the latter, isn't it? There was no problem with the Bitcoin system itself, but with the way it was managed.
Ishikawa: There has never been an incident in which the Bitcoin system itself was hacked. It is always a problem with the people who manage it.
For example, if someone's bank account was stolen from Ito's, you would normally think that there was a problem with the bank's system or with the way Ito managed it. But even if someone said, "If my money was stolen, then the Japanese yen itself is a fraud! It's suspicious!", no one would take me seriously (laughs).
Ito: I guess the number of people who confuse the two is gradually decreasing. So even if an unauthorized leak occurs at an exchange, it won't shake people's trust in Bitcoin itself, and it won't cause the price to plummet.
Ishikawa: That's right. However, while Bitcoin has never been hacked, many other blockchains and cryptocurrencies have been hacked. Therefore, I would like to emphasize that the idea that "all cryptocurrencies and blockchains are safe" is also incorrect.
Ito: That's right. By the way, this incident was the first data leak incident in a long time at a domestic exchange. Domestic exchanges are said to be safer than overseas exchanges, but is that correct?
Ishikawa: I think it is better to separate safety from a security perspective from a psychological sense of security. Domestic exchanges are said to be safer from a security perspective because the legal framework for exchanges is more advanced, funds are managed more strictly than overseas operators, and security and sales systems are checked by the Financial Services Agency. For example, domestic exchanges store most or even 100% of the assets entrusted to them by customers in cold wallets.
Ito: A cold wallet is a wallet that is isolated from external communication environments (the Internet or intranet). In other words, it means that funds are stored in a state where there is no need to worry about them being stolen due to unauthorized access from outside.
Ishikawa: There is no doubt that domestic exchanges, including such management methods, have higher security than overseas exchanges and overseas cryptocurrency services. However, in this incident, that security was overcome and an unauthorized leak occurred. There are many ways to strengthen security, but this was an opportunity to once again recognize that 100% safety is impossible under any circumstances.
Ito: We will talk later about how the supposedly strong security was breached. Psychologically, why do you feel more secure with domestic exchanges?
Ishikawa: It is easier for us Japanese to obtain information from domestic exchanges that are based in Japan and disseminate information in Japanese, and we can have a sufficient sense of trust in announcements such as compensation. This time it was DMM, so we were able to trust the announcement regarding compensation, but many people cannot shake off their distrust when they hear an announcement by an overseas exchange that they have probably never heard of.
In other words, rather than being superior because it is a Japanese exchange, it is more reassuring to use a Japanese exchange because we are Japanese users.
Ito: In fact, unless there are special circumstances such as wanting to trade coins that are not listed on domestic exchanges or wanting to use services such as DeFi, there is no doubt that it is safer for Japanese people to use domestic exchanges.
Ishikawa: It is certainly not good that this leak incident occurred, but I think there is no doubt that Japanese exchanges will continue to be safer in the future. However, as an Internet service, it is necessary to be aware that there is always a risk of such incidents occurring. So as a countermeasure, it is a good idea to decentralize and manage your assets. Instead of concentrating all your funds in one exchange, use several exchanges. It is also a good idea to manage them yourself using a wallet. Also, avoiding keeping all your funds in crypto assets in the first place is a basic asset protection measure.
Ito: Now, let's take a closer look at this leak incident. How was the bitcoin stolen?
Ishikawa: Based on the official announcement, as of July 10th, the cause is still unclear. The latest report from DMM Bitcoin only states that "investigations are still ongoing to determine the cause of the unauthorized leak." However, some people on social media are using on-chain information to investigate how the unauthorized leak occurred. Ito: On-chain refers to information engraved on the blockchain. Bitcoin transaction history, that is, information such as "where and to where, and how much BTC was sent," is all recorded on the blockchain and can be viewed by anyone.
Ishikawa: By tracking that information, we can find out how the unauthorized transfer was made to the wallet believed to belong to the criminal, and what is happening to the transferred bitcoin.
And it is believed that "address poisoning" was probably used in this leak incident.
Ito: What is address poisoning?
Ishikawa: Before that, let's explain the general flow of cryptocurrency withdrawals at exchanges. In the case of domestic exchanges, customers' cryptocurrency is stored in a cold wallet, and when withdrawing to an external location, it is first sent from the cold wallet to a hot wallet.
Ito: A hot wallet is a wallet that is connected to an external communication environment.
Ishikawa: These two wallets are under the management of DMM Bitcoin. And when sending from a cold wallet to a hot wallet, a method called multisig is used. This means that two or more signatures are required when sending cryptocurrency from a wallet to a wallet.
Ito: So a double check system is in place to prevent transmissions due to erroneous operation or leakage by malicious insiders. Ishikawa: Since on-chain information is available to anyone, Bitcoin addresses managed by DMM Bitcoin have already been identified on social media. Of course, there has been no official announcement, so this is merely speculation, but looking at past asset status, it seems almost certain. Bitcoin addresses consist of 27 to 34 alphanumeric characters, such as "1A2b3c...", and in this case, approximately 4,500 BTC was transferred from a DMM Bitcoin address to an address believed to belong to the perpetrator.
Ito: The question is who made such a transfer and why.
Ishikawa: Yes. It is unclear whether it was a cold wallet, but normally Bitcoin is transferred from a wallet that is supposed to be managed by DMM Bitcoin to DMM Bitcoin's hot wallet. However, in this case, Bitcoin was sent to a different address instead of the usual hot wallet. This is where we suspect that the "address poisoning" mentioned earlier took place. Address poisoning is a technique in which an address that is very similar to a specific address is created to mislead people into thinking that the transfer destination is correct.
Address poisoning has been increasing since around 2023, and major wallets such as MetaMask have been warning people to be careful. A common method is to create an address similar to an address that the target frequently transfers to (usually an exchange address, etc.) and transfer a very small amount to the target from that fake address. This transfer history remains on the wallet history page, so the target copies and pastes the fake address from the transaction history, thinking that they are "sending to their usual address." The only countermeasure is to always check that the address is correct. Even if it is troublesome, when transferring a large amount, first try a test transfer of a small amount to check that the money arrives correctly.
Ito: So instead of sending to the address "AABBCC", they created an address "AAB"D"CC" and sent the money to that address.
Ishikawa: Yes. Bitcoin addresses are about 30 characters long, but humans usually only recognize the first and last characters. So if the characters are almost the same, they may send the funds by mistake.
By the way, this method is also a major method in fraud and hacking in the cryptocurrency industry, so keep that in mind.
The address used by the perpetrator in this case and the original business hot wallet address have very similar characters at the beginning and end.
If a human were to visually check the Bitcoin send destination, there would be a high possibility of misidentifying it.
Ito: So the leak occurred when the Bitcoin was sent to a different address that was very similar to the wallet address to which it was originally intended. However, even if there was a similar address, Bitcoin transfers would have been made frequently, so if the business flow of "sending to the usual address" was followed, it seems unlikely that the wrong address would have been sent.
Ishikawa: That's right. So when poisoning an address, it's not enough to just create a similar address; for example, you need to switch the media or notes that are recorded as the "usual transfer address".
Ito: For example, if the person in charge had written it in a notepad on his or her own PC, they would have to switch it to a fake address.
Ishikawa: Yes. In reality, the business wallets of exchanges are made as dedicated software, so it seems likely that the recorded wallet address was rewritten in some way. It is unclear how this was done, but it is possible that the target business PC was infected with malware and then rewritten. Also, there are accounts on social media that point out the possibility of an internal crime, but we shouldn't be so careless as to "search for the culprit" based on speculation alone. In any case, we can only wait for the method to be made public after an internal investigation.
Ito: I see. However, cryptocurrency transfers between wallets are signed by multiple people. Could it be that multiple people sent money without noticing that the address was different from usual?
Ishikawa: It's hard to say for sure without seeing the actual situation, but if you're just doing your job as usual, it's possible that it could slip through without strict checks.
Ito: So the most likely scenario is that the address was poisoned and then the transfer was made by mistake?
Ishikawa: Actually, that's not the case. Looking at past announcements, DMM Bitcoin's assets are said to be around 40 billion yen. What was leaked this time was 48.2 billion yen worth of Bitcoin, but even if the amount of assets held had increased due to the rise in Bitcoin prices, it would normally be impossible to transfer most of that at once. Even if it wasn't possible to detect that the destination address had changed due to address poisoning, it would be impossible to transfer such a large amount of money in the first place, so there would be very strict checks.
Ito: So it wasn't just a mistaken transfer, but a transfer with a clear criminal intent.
Ishikawa: If we think about it that way, the criminal somehow manipulated the DMM Bitcoin wallet to leak the bitcoins to the outside. However, in that case, I don't really understand why they would have had to go to the trouble of address poisoning. It's unlikely, but it's possible that a similar address just happened to be used, and it wasn't actually address poisoning.
Ito: It's a very strange incident. All we can do now is wait for an official investigation and report.
Ishikawa: That's right. However, whatever the reason, there's no doubt that this incident occurred due to human error or someone's intentional manipulation. Even if the Bitcoin blockchain wasn't hacked, as long as there are parts that involve human intervention, such as exchanges, we need to be aware that hacking and leaks will continue to occur in the future.
When a huge crypto asset fraud or hacking incident occurs, the question is how the criminal will convert the crypto assets into dollars or other currency. Naturally, if the criminal converts the crypto assets in a way that reveals his or her identity, he or she will be caught. Since most exchanges require the submission of identification documents when registering, the stolen crypto assets cannot be sent directly to the exchange and converted into cash. Therefore, in many hacking incidents, mixing services are used to mix multiple crypto asset transactions to make the transaction history unclear. However, there have been cases where well-known mixing service operators have been convicted overseas, and this method is becoming more difficult. In addition, there are also cases where negotiations are conducted in which a certain amount of money is received from the victim and the crypto assets are returned.
Ito: As a user, I think the only thing you can do is to use exchanges and wallet services that you can trust as much as possible and to keep your assets in a decentralized manner. Ishikawa: Incidentally, in this case, as announced, "We will procure the equivalent of the amount of Bitcoin (BTC) that was leaked from our group companies and guarantee the entire amount of Bitcoin (BTC) held by customers," so it seems that the Bitcoin held by users will be guaranteed as Bitcoin. Ito: Is that something special?
Ishikawa: In the previous hacking incident at Coincheck, compensation was paid in Japanese yen. The amount was calculated based on the price of the leaked NEM at a specific time, and users were compensated in Japanese yen. In fact, this means that users were automatically taxed because they had "taken profits on their crypto assets and converted them into Japanese yen." Although the fact that compensation was provided properly is commendable, it may have been a disadvantage to users in the end. In comparison, DMM Bitcoin's response to this leak incident could be said to be perfect. Of course, it would be better if leaks never happened in the first place.
Ito: I hope that the response of DMM Bitcoin this time will become the standard when a similar incident occurs at a Japanese exchange in the future.
Ishikawa: I don't know if all operators can take a similar guarantee system, but this time it can be said that the response of a domestic exchange is almost flawless.
Finally, let me say that this incident is not actually over yet. The perpetrator of the leak will eventually need to convert the bitcoins into money such as dollars, but as of July, this has not yet been done. This can also be checked by anyone by tracing the transaction history of the leaked bitcoins. Since it is money equivalent to 48 billion yen, it must be quite difficult to convert it into cash.
Ito: Of course, if you send it to an exchange and try to convert it into cash, the identity of the perpetrator will also be revealed.
Ishikawa: So in such incidents, it is not uncommon for the victim to pay the perpetrator a certain amount that is much less than the amount of the loss in order to get the cryptocurrency back. That shows how difficult it is to convert cryptocurrency into cash without revealing your identity. However, as there does not appear to be any such movement at the moment, many people will likely continue to keep a close eye on the movements of the leaked bitcoins.
Key points of the DMM Bitcoin leak incident
① The circumstances of the leak are unknown, but it is believed that methods such as address poisoning were used.
② After the damage was discovered, the facts were immediately made public and the guarantee system was announced. There was almost no confusion in the market.
③ Funding for customer asset guarantees has also been completed. The fact that the leak occurred is a negative, but the post-incident response was the best it could be.
[NEWS] DMM Bitcoin leak suspected to be the work of North Korean hacker group Lazarus
Interview Iolite FACE vol.10 David Schwartz, Hirata Roi PHOTO & INTERVIEW "Yukos" Special feature "Trends in the cryptocurrency industry in Japan", "Trump vs. Harris: What will happen to the cryptocurrency industry?", "Was the reputation economy a prophecy?" Interview: Simon Gerovich, Metaplanet Co., Ltd., Kim Dong-Gyu, CALIVERSE Series Tech and Future Sasaki Toshinao...etc.
