DMM Bitcoin — hot wallet compromise
North Korean TraderTraitor operatives compromised a Ginco wallet engineer via a fake LinkedIn job offer, then stole $305M from the DMM Bitcoin exchange.
- Target: DMM Bitcoin — hot wallet compromise
- Date public: 31 May 2024
- Sector: Crypto
- Attack type: Wallet compromise (adversary-in-the-middle on the transaction-signing path, via a compromised supplier employee)
- Threat actor: TraderTraitor / Lazarus Group (DPRK), attributed by the FBI, the US Department of Defense Cyber Crime Center (DC3) and Japan's National Police Agency (NPA)
- Severity: High
- Region: Japan
DMM Bitcoin was a Japanese cryptocurrency exchange backed by the internet and e-commerce conglomerate DMM Group. In May 2024 it lost 4,502.9 Bitcoin, about $305 million, in a theft that the US and Japanese governments later attributed to North Korea. The attackers did not break into DMM Bitcoin's systems directly. Instead they targeted an employee of Ginco, a Japanese company that supplied DMM Bitcoin's wallet software. An attacker posing as a recruiter on LinkedIn sent the employee what appeared to be a pre-employment technical test for a job opportunity. It was actually malware. With the employee's machine compromised, the attackers reused the employee's session cookies to impersonate them in Ginco's communications system, and from that position they manipulated a legitimate DMM Bitcoin transaction request so that the Bitcoin went to attacker-controlled addresses. DMM Bitcoin could not absorb the loss and announced it would shut down, transferring all customer accounts to SBI VC Trade by March 2025. The FBI, DC3 and Japan's National Police Agency publicly named North Korea's TraderTraitor unit as responsible in December 2024, roughly seven months after the theft, making this one of the fastest formal government attributions of a major crypto theft.
What happened
On 31 May 2024 the Japanese cryptocurrency exchange DMM Bitcoin disclosed an “unauthorised leak” of 4,502.9 BTC, approximately $305 million at prevailing prices and the largest theft from a Japanese crypto exchange since Coincheck lost roughly $530 million of NEM in January 2018. DMM Bitcoin, a subsidiary of the Japanese internet conglomerate DMM Group, suspended spot-buy orders and external transfers while it assessed the breach. The exchange subsequently announced that it would wind down operations entirely, completing a transfer of all customer accounts to SBI VC Trade by March 2025. DMM Bitcoin said it would procure the equivalent of 55 billion yen (about $350 million) with support from DMM Group to cover customer losses in full, so that no customer took a haircut.
In December 2024 the US Federal Bureau of Investigation, the US Department of Defense Cyber Crime Center (DC3) and Japan's National Police Agency (NPA) issued a joint public service announcement formally attributing the theft to TraderTraitor, the North Korean activity cluster within the Lazarus umbrella that targets cryptocurrency firms through social engineering. TraderTraitor was first publicly described in an April 2022 joint advisory from CISA, the FBI and the US Treasury; the December 2024 PSA applied that pattern to a specific theft, laying out the LinkedIn approach, the malicious pre-employment test, the session-cookie reuse and the manipulated transaction request step by step.
How it worked
The attack did not target DMM Bitcoin’s systems directly. It began in late March 2024 with a LinkedIn approach to an employee of Ginco, the Japanese wallet-software company that supplied DMM Bitcoin’s transaction-signing infrastructure. A person posing as a recruiter contacted the employee with what appeared to be a tailored job opportunity at a cryptocurrency firm and invited them to complete a “pre-employment technical test”: a link to a Python script that the employee was asked to copy to their personal GitHub page. The script was malware.
Once the Ginco employee ran the malicious code, the attacker controlled the employee’s machine. According to the FBI/DC3/NPA assessment, in mid-May 2024 the actors used session cookie information taken from that machine to impersonate the employee and gain access to Ginco’s unencrypted communications system. That system sat on the path over which transaction requests passed between DMM Bitcoin and the wallet-signing infrastructure, and in late May the actors likely used the access to manipulate a legitimate transaction request made by a DMM Bitcoin employee, so that the Bitcoin was sent to attacker-controlled addresses rather than the intended recipients before the transaction was finalised and broadcast to the Bitcoin network. The stolen funds ultimately moved to TraderTraitor-controlled wallets.
This “adversary-in-the-middle on the signing path” technique does not require compromising the wallet’s private keys. The keys and the signing service behave exactly as designed; the attacker changes what they are asked to sign, at a point where the operator has no end-to-end check that the transaction they authorised matches the one that was signed and broadcast. Because Bitcoin transactions are irreversible once broadcast and confirmed, such a check has to run before broadcast, over the final signed bytes, from a position the intermediary cannot influence.
The FBI identified this operation as part of a broader TraderTraitor pattern used against multiple crypto-firm targets: identify an employee with access to financially critical systems, approach them via LinkedIn as a recruiter or professional contact, deliver malware as a fake technical task, and use the resulting access to redirect or exfiltrate funds. The FBI later attributed the February 2025 theft of about $1.5 billion from Bybit to the same group; there too the entry point was a third-party supplier on the signing path rather than the exchange’s own systems.
Timeline
- Late March 2024 — Ginco employee receives a fake LinkedIn recruitment approach and runs a malicious Python script presented as a “pre-employment technical test”.
- Mid-May 2024 — Attacker reuses session cookies taken from the compromised machine to impersonate the employee and gain access to Ginco’s unencrypted communications system.
- Late May 2024 — Attacker uses that access to manipulate a legitimate DMM Bitcoin transaction request so that the Bitcoin goes to attacker-controlled addresses.
- 31 May 2024 — DMM Bitcoin detects the unauthorised outflow and suspends operations. 4,502.9 BTC ($305M) confirmed stolen.
- September 2024 — Japan’s Financial Services Agency issues a supervisory business-improvement order to DMM Bitcoin.
- 2 December 2024 — DMM Bitcoin announces full closure; SBI VC Trade agrees to absorb all customer accounts.
- 23 December 2024 — FBI, DC3 and Japan’s National Police Agency publish a joint PSA formally attributing the theft to TraderTraitor / Lazarus Group (DPRK).
- March 2025 — Customer account migration to SBI VC Trade completes. DMM Bitcoin ceases operations.
What defenders should learn
The DMM Bitcoin operation illustrates the supply-chain risk that arises when a critical, money-moving function, here the communication path carrying transaction requests to the signing infrastructure, runs through a third-party technology supplier. DMM Bitcoin’s own systems may have been adequately secured; the weakness the attacker exploited was at Ginco, where one employee’s stolen session cookies were enough to impersonate that employee in an unencrypted communications system that sat on the transaction path. Third-party software and infrastructure suppliers with any involvement in transaction authorisation should be subject to the same security vetting and ongoing monitoring as internal teams, and the channels they operate on that path should be authenticated and encrypted end to end rather than trusting whoever holds a logged-in session.
The fake-job-offer vector is now one of the best-documented and most widely warned-against techniques in the DPRK playbook, yet it keeps working. The December 2024 PSA names LinkedIn as the delivery channel in this case and a “pre-employment test” as the lure, and the 2022 advisory describes recruitment-themed approaches to developers and DevOps staff at crypto firms as the group’s recurring pattern. The reason it keeps working is structural: a message from a recruiter with a take-home coding task is a normal experience for software engineers. Resistance requires training on this specific pattern, not generic phishing awareness, and a policy that any code from an external source, however credible the sender appears, is run only in a disposable isolated environment that holds no credentials, no browser sessions and no path to production. The second half of that policy matters as much as the first: in this case the malware’s payoff was not the engineer’s machine but the session cookies on it, which let the attacker impersonate the engineer inside Ginco’s communications system weeks later.
Transaction-signing integrity verification is the technical gap this attack exploited. Wherever a third party sits between a human authorising a transaction and that transaction being broadcast, the human needs a reliable way to confirm that what was signed is what they approved. End-to-end verification of transaction content closes the gap: the final signed transaction is decoded and compared against the originally authorised destination and amount, over a channel the same compromised intermediary cannot touch, and broadcast is refused on any mismatch. This is achievable with modest engineering but has to be designed in; a signing service reporting success is not evidence that the right transaction was signed. The DMM Bitcoin case shows the cost of leaving it out.
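The pre-broadcast check described above, and the “adversary-in-the-middle on the signing path” discussion under How it worked, as an added example that is not code from DMM Bitcoin, Ginco or the FBI advisory. It assumes the operator’s authorisation is recorded as (destination scriptPubKey, exact amount) pairs plus the wallet’s own change scripts, captured on a host the signing service cannot write to. All transaction bytes, script hashes and amounts are constructed for the demonstration, no real signing is performed (a placeholder scriptSig stands in for a signature), and the tampered transaction is produced by rewriting the destination script the way a compromised intermediary would.

```python
"""Intent-bound check of a signed Bitcoin transaction before broadcast.

Added example (not code from DMM Bitcoin, Ginco or the FBI advisory): decode the
raw transaction independently of the signing service and compare every output
with what the operator authorised. All bytes, hashes and amounts are constructed;
a placeholder scriptSig stands in for a real signature."""
from __future__ import annotations

import struct
from dataclasses import dataclass


def read_varint(buf: bytes, pos: int) -> tuple[int, int]:
    """Decode a CompactSize integer at buf[pos]; return (value, next position)."""
    first = buf[pos]
    if first < 0xFD:
        return first, pos + 1
    width, fmt = {0xFD: (2, "<H"), 0xFE: (4, "<I"), 0xFF: (8, "<Q")}[first]
    return struct.unpack_from(fmt, buf, pos + 1)[0], pos + 1 + width


@dataclass(frozen=True)
class TxOut:
    value_sat: int
    script_pubkey: bytes  # raw output script, compared byte for byte (no address decoding)


def parse_tx_outputs(raw: bytes) -> list[TxOut]:
    """Walk a serialized transaction (legacy or segwit) and return its outputs.
    The walk must end exactly at the last byte, so truncation or padding is rejected."""
    pos = 4  # version
    segwit = raw[4] == 0x00 and raw[5] == 0x01  # BIP144 marker + flag
    if segwit:
        pos += 2
    n_in, pos = read_varint(raw, pos)
    for _ in range(n_in):
        pos += 36  # previous txid (32) + output index (4)
        script_len, pos = read_varint(raw, pos)
        pos += script_len + 4  # scriptSig + sequence
    n_out, pos = read_varint(raw, pos)
    outputs = []
    for _ in range(n_out):
        value = struct.unpack_from("<q", raw, pos)[0]
        script_len, pos = read_varint(raw, pos + 8)
        outputs.append(TxOut(value, raw[pos:pos + script_len]))
        pos += script_len
    if segwit:  # one witness stack per input
        for _ in range(n_in):
            n_items, pos = read_varint(raw, pos)
            for _ in range(n_items):
                item_len, pos = read_varint(raw, pos)
                pos += item_len
    if pos + 4 != len(raw):  # locktime must be the final 4 bytes
        raise ValueError("transaction length does not match its structure")
    return outputs


def check_against_intent(raw_signed: bytes, intent: dict[bytes, int],
                         change_scripts: frozenset[bytes] = frozenset()) -> list[str]:
    """Discrepancies between the signed transaction and the operator's authorisation.
    intent maps authorised scriptPubKey -> exact satoshis; change_scripts may absorb the rest.
    An empty list means the transaction matches what was authorised."""
    problems: list[str] = []
    seen: set[bytes] = set()
    for i, out in enumerate(parse_tx_outputs(raw_signed)):
        if out.script_pubkey in intent and out.script_pubkey not in seen:
            if out.value_sat != intent[out.script_pubkey]:
                problems.append(f"output {i}: authorised {intent[out.script_pubkey]} sat, "
                                f"transaction pays {out.value_sat} sat")
            seen.add(out.script_pubkey)
        elif out.script_pubkey not in change_scripts:
            problems.append(f"output {i}: {out.value_sat} sat to {out.script_pubkey.hex()} "
                            "is neither an authorised payment nor change")
    for script in intent.keys() - seen:
        problems.append(f"authorised payment to {script.hex()} is missing")
    return problems


def serialize_tx(prev_txid: bytes, vout: int, script_sig: bytes, outputs: list[TxOut]) -> bytes:
    """One-input legacy transaction, as a signing service would return it (all counts < 0xFD)."""
    raw = struct.pack("<I", 1) + b"\x01" + prev_txid[::-1] + struct.pack("<I", vout)
    raw += bytes([len(script_sig)]) + script_sig + b"\xff\xff\xff\xff"
    raw += bytes([len(outputs)])
    for out in outputs:
        raw += struct.pack("<q", out.value_sat) + bytes([len(out.script_pubkey)]) + out.script_pubkey
    return raw + struct.pack("<I", 0)  # locktime


def p2pkh(pubkey_hash: bytes) -> bytes:
    """OP_DUP OP_HASH160 <20 bytes> OP_EQUALVERIFY OP_CHECKSIG."""
    return b"\x76\xa9\x14" + pubkey_hash + b"\x88\xac"


# Constructed scripts: the destination the operator approved, the wallet's change
# script, and the destination an attacker on the signing path swaps in.
CUSTOMER = p2pkh(bytes.fromhex("11" * 20))
CHANGE = p2pkh(bytes.fromhex("cc" * 20))
ATTACKER = p2pkh(bytes.fromhex("ee" * 20))
INTENT = {CUSTOMER: 150_000_000}  # operator authorised exactly 1.5 BTC to the customer

HONEST_TX = serialize_tx(bytes(32), 0, b"\x00" * 72,  # placeholder scriptSig, not a real signature
                         [TxOut(150_000_000, CUSTOMER), TxOut(49_990_000, CHANGE)])
TAMPERED_TX = HONEST_TX.replace(CUSTOMER, ATTACKER)  # what a compromised intermediary hands back

if __name__ == "__main__":
    for name, tx in (("honest", HONEST_TX), ("tampered", TAMPERED_TX)):
        print(name, check_against_intent(tx, INTENT, frozenset({CHANGE})) or "matches authorisation")
```

The check runs over the exact bytes that will be broadcast, not over whatever the intermediary reports it signed, and it fails closed: an unexpected destination, a wrong amount, a missing authorised payment, and any transaction whose structure does not account for every byte are all rejected. Comparing raw scriptPubKeys rather than decoded addresses avoids a second parsing layer (base58, bech32) that would itself have to be trusted.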
The response, full customer restitution funded by DMM Group and an orderly transfer of accounts to SBI VC Trade, is a model for protecting customers even when the exchange cannot survive the theft itself. The absence of a customer haircut, despite a loss the exchange could not absorb on its own, was possible only because of the parent company’s resources. Exchanges without such a backstop cannot reach the DMM Bitcoin outcome without insurance and pre-arranged resolution frameworks.
Sources
- FBI / DC3 / NPA — Joint PSA attributing the DMM Bitcoin theft to TraderTraitor (23 December 2024) // primary
- DMM Bitcoin — announcement of business closure // primary
- Japan Financial Services Agency — supervisory notice to DMM Bitcoin // primary
- Chainalysis — TraderTraitor: the FBI's $1.5B crypto heist attributions // analysis
- Recorded Future — TraderTraitor and the DMM Bitcoin operation // analysis