
Hack Track: DMM Flow of Funds Analysis

In May 2024, DMM, a crypto exchange headquartered out of Japan, suffered a hack of 4,502 BTC, then worth around $305 million. This blog revisits the DMM hack seven months after it occurred to provide critical insights into the tactics used by the attackers and their broader implications. With DMM recently announcing its closure, unable to recover from one of the largest crypto hacks of all time, the incident serves as a sobering reminder of the devastating impact such breaches can have. By reflecting on this hack, we aim to equip businesses and investigators with knowledge to better anticipate and counter evolving crypto crime tactics.


Let’s revisit the laundering trail of the DMM hack to see what we can learn from it:

  • On May 5, 2024, the hackers took 4,502 BTC from the DMM wallet and sent it to their wallet. While DMM acknowledged the hack, it never shared further detail about the exact vulnerability that led to the security breach. We speculate that they may have wanted to avoid self-incrimination—for example, an employee may have clicked on a spear phishing link due to poor training on such techniques, making the organization partially culpable (In Japan, crypto exchanges must register with the Financial Services Agency, which vets that each business is operating in a secure manner, among other obligations). 
  • The hacker also relies heavily on peel chains. A peel chain is a type of multi-wallet transfer in laundering. The distinction is that the funds are sent in increasingly smaller amounts across each hop instead of arbitrary amounts. With the DMM hacker, the increments start as high as 499 BTC for the first hop and then go as low as 39 BTC by the third hop. 
  • The laundering trail becomes even more complex through the use of mixers. The hackers deposit Bitcoin into the mixer, where it is “mixed” with the coins of other users, and in return they receive an equivalent amount of crypto from the pool.

    This may use a third-party mixer like Sinbad.io or Wasabi Wallet. Alternatively, some organizations may operate private mixers, like those reportedly linked to the Lazarus Group. While mixers are a tool for anonymizing transactions, their use complicates blockchain analysis. Linking wallets associated with mixers requires caution, as it risks misidentifying innocent users or those using mixers for legitimate privacy purposes. Furthermore, not all mixer usage implies illicit intent, and analysts should carefully consider the broader context of transactions before drawing conclusions about culpability. Misattribution can lead to reputational harm or hinder investigations by diverting focus from the actual perpetrators.

  • Crypto investigators may rely on timing patterns or correlations to link transactions even after they have been mixed. To further complicate this task, it seems the DMM hackers may have intentionally altered the timing of their withdrawals, a feature available in the UI of many mixers. Users can schedule withdrawals for hours or even days later, with funds continuously mixed until withdrawn. This intentional delay further obscures the connection between deposits and withdrawals, complicating efforts to correlate transactions based on timing patterns.

  • After the peel chains and coin mixers, the funds are eventually distributed to different wallets in increments as small as 10 to 20 BTC. Given the ubiquity of crypto, the hackers may not even need a fiat off-ramp. For example, if the intention of the organization is to purchase illegal firearms or weaponry, the seller, such as a vendor on a darknet marketplace, would typically accept crypto. This ability also spares the hacker of having to deal with a fiat off-ramp, like a rogue exchange or crypto ATM.
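The two tracing problems described in the bullets above, following a peel chain hop by hop and correlating mixer deposits with withdrawals by timing, can be illustrated with a small investigator's script. The code below is an added example, not part of the original post and not Merkle Science tooling; the ledger, addresses, amounts and timestamps are constructed for illustration, and the simplified UTXO model (one spending address per transaction, full balance spent each time) is an assumption made to keep the graph readable. The peel amounts in the constructed chain (499, 150, 39 BTC) echo the range the post quotes for the DMM trail.

```python
"""Added example: tracing a peel chain and testing naive timing correlation.

All transactions, addresses and timestamps below are constructed. The ledger
uses a simplified UTXO model: each transaction spends the full balance of a
single address and splits it across its outputs.
"""
from datetime import datetime, timedelta

# Constructed ledger. 'chain0' is the wallet the stolen funds first landed in.
LEDGER = {
    "tx1": {"from": "chain0", "outputs": [("side_a", 499.0), ("chain1", 4003.0)]},
    "tx2": {"from": "chain1", "outputs": [("side_b", 150.0), ("chain2", 3853.0)]},
    "tx3": {"from": "chain2", "outputs": [("side_c", 39.0), ("chain3", 3814.0)]},
    "tx9": {"from": "other", "outputs": [("side_a", 1.0)]},  # unrelated noise
}


def spending_tx(address):
    """Return the txid that spends from `address`, or None if it is unspent."""
    for txid, tx in LEDGER.items():
        if tx["from"] == address:
            return txid
    return None


def trace_peel_chain(seed, max_hops=50):
    """Follow a peel chain starting at `seed`.

    At each hop the largest output is treated as the chain continuation and
    every other output as a 'peel'. Tracing stops when the continuation is
    unspent, when a transaction has a single output, or when no output carries
    a clear majority of the value (which no longer looks like a peel hop).
    """
    hops, addr, seen = [], seed, {seed}
    while len(hops) < max_hops:
        txid = spending_tx(addr)
        if txid is None:
            break
        outputs = sorted(LEDGER[txid]["outputs"], key=lambda o: o[1], reverse=True)
        if len(outputs) < 2:
            break
        cont_addr, cont_amt = outputs[0]
        total = sum(amount for _, amount in outputs)
        if cont_amt <= total / 2:
            break
        hops.append({"txid": txid, "from": addr, "peeled": outputs[1:],
                     "next": cont_addr, "carried": cont_amt})
        if cont_addr in seen:  # guard against loops in the graph
            break
        seen.add(cont_addr)
        addr = cont_addr
    return hops


def peel_amounts(hops):
    """Total BTC peeled off at each hop, in chain order."""
    return [sum(amount for _, amount in hop["peeled"]) for hop in hops]


def is_decreasing_peel(hops):
    """True when each hop peels strictly less than the previous one."""
    amounts = peel_amounts(hops)
    return len(amounts) >= 2 and all(a > b for a, b in zip(amounts, amounts[1:]))


def correlate_by_timing(deposits, withdrawals, window, tolerance=0.02):
    """Naive mixer heuristic: pair each withdrawal with an unused deposit of
    similar amount that occurred within `window` before it.

    Returns (matches, unmatched): matched (deposit_id, withdrawal_id) pairs
    and the withdrawal ids that no deposit could be paired with.
    """
    matches, unmatched, used = [], [], set()
    for wid, wtime, wamt in withdrawals:
        best = None
        for did, dtime, damt in deposits:
            if did in used:
                continue
            if timedelta(0) <= (wtime - dtime) <= window and abs(wamt - damt) / damt <= tolerance:
                best = did
                break
        if best is None:
            unmatched.append(wid)
        else:
            used.add(best)
            matches.append((best, wid))
    return matches, unmatched


# Constructed mixer activity: one prompt withdrawal and one scheduled days later.
DEPOSITS = [
    ("d1", datetime(2024, 5, 6, 10, 0), 39.0),
    ("d2", datetime(2024, 5, 6, 11, 0), 150.0),
]
WITHDRAWALS = [
    ("w1", datetime(2024, 5, 6, 10, 30), 38.9),   # 30 minutes after d1
    ("w2", datetime(2024, 5, 9, 11, 0), 149.5),   # scheduled 3 days after d2
]

if __name__ == "__main__":
    chain = trace_peel_chain("chain0")
    print("peel amounts per hop:", peel_amounts(chain), "decreasing:", is_decreasing_peel(chain))
    print("timing correlation:", correlate_by_timing(DEPOSITS, WITHDRAWALS, timedelta(hours=6)))
```

Running the script traces three hops from `chain0` with peels of 499, 150 and 39 BTC and flags the decreasing pattern. The timing function pairs the prompt withdrawal with its deposit but leaves the scheduled one unmatched inside a six-hour window, which is exactly the effect the post attributes to delayed mixer withdrawals: the heuristic does not become wrong, it simply loses its signal, so an analyst should widen the window or combine timing with other evidence rather than treat an unmatched withdrawal as unrelated.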


Given the complexity of the obfuscation techniques and the scale of the laundering operation, involving hundreds of wallets, we believe the DMM hackers are likely a highly sophisticated criminal organization. The patterns observed—including peel chains, the use of mixers, and timing alterations—are consistent with tactics used by the Lazarus Group, a notorious organization linked to some of the largest crypto hacks in history, such as the $600 million Ronin attack.

While definitive attribution is challenging, the laundering patterns and scale strongly suggest the involvement of a well-resourced and experienced group. Further analysis of the wallets and transactions may shed more light on the culprits and their methods.

Key Takeaways

While the DMM hack was one of the largest in history, a theft does not always need to be large to be catastrophic. Many organizations are unable to recover from considerably smaller hacks that disrupt operations, ruin their reputation, and scare off customers.

Although it is unclear what caused the DMM hack, businesses must do what they can to protect their organization. At the minimum, they should have a blockchain analytics tool, like Merkle Science’s Compass, to monitor customers and transactions and to meet obligations in KYC, AML, and CFT. 

Organizations should also not discount the human element. The Ronin attack was caused by an employee who was fooled into downloading a job description that contained malware after going through a fake interview. Employees need to be educated on crypto crime, especially those on the front lines. Merkle Science offers training to compliance teams and crypto investigators through its Institute.

Finally, criminals are laundering funds through increasingly sophisticated trails. Crypto investigators need a blockchain analytics tool like Tracker that can follow the movement of funds across the laundering trail. 

To learn more about Compass or Tracker, contact Merkle Science for a free demo.