[NEWS] Ginco announces details regarding unauthorized access to DMM Bitcoin

2025/01/29 Editors of Iolite

Unauthorized access to specific parts of Ginco Enterprise Wallet confirmed

Ginco, which develops cryptocurrency wallets, announced on the 28th that it had been illegally accessed by a group belonging to the Lazarus Group, which is believed to be a subordinate organization of the North Korean authorities, in connection with the unauthorized Bitcoin leak from the domestic cryptocurrency exchange DMM Bitcoin that occurred in May last year.

According to the announcement, Ginco was subjected to a large-scale cyber attack, including targeted social engineering, by a cyber attack group called TraderTraitor, which is believed to be part of the Lazarus Group. Specifically, the company said that unauthorized access was confirmed to a specific part of the infrastructure that makes up the cryptocurrency wallet software "Ginco Enterprise Wallet" provided by Ginco.

In December last year, the National Police Agency and the FBI (Federal Bureau of Investigation) announced that the unauthorized Bitcoin leak from DMM Bitcoin was the work of TraderTraitor. Ginco's announcement follows that attribution.

DMM Bitcoin used "Ginco Enterprise Wallet" to manage its cryptocurrency assets. Ginco explained that "Ginco Enterprise Wallet" is software that allows users to manage their own crypto assets and private keys, and that Ginco cannot operate DMM Bitcoin's cold wallet. It added that because Ginco is not a crypto asset exchange business authorized by the Financial Services Agency, it is not in a position to be entrusted with the management of crypto assets and private keys or with the transfer of funds.

How the unauthorized access occurred

Ginco also revealed details of how it fell victim to the unauthorized access.

First, the attacker contacted Ginco employees in March last year, posing as a recruiter on the business-focused social network LinkedIn. The attacker sent a URL for a malicious Python script stored on GitHub and disguised as a pre-employment test, and urged the Ginco employees to run the script.

As a result, the employees' work computers were compromised, and the attacker is believed to have illegally obtained credentials that could access the Kubernetes production environment on the cloud service contracted as the infrastructure for "Ginco Enterprise Wallet." Investigative authorities confirmed that the Python script used in this attack was of a type that uses advanced techniques that take advantage of Python's specifications.

After that, the attacker appears to have illegally accessed the Kubernetes production environment using the credentials of Ginco employees between May 24 and 31 last year.

There was no unauthorized access to the "Ginco Enterprise Wallet" application, source code, or databases storing customer-related information managed by Ginco.

DMM Bitcoin to go out of business

DMM Bitcoin, where the unauthorized leak occurred, plans to transfer customer assets to SBI VC Trade in March. After the transfer is complete, the company plans to go out of business.

In this incident, Bitcoin (BTC) worth approximately 48.2 billion yen at the exchange rate at the time was illegally leaked. The amount of damage caused by North Korea's hacking and other activities is increasing year by year, and the Financial Services Agency and others are calling on domestic cryptocurrency-related companies to be vigilant.

Reference: Announcement