Mt. Gox Replayed? Insights into the Latest Scamming Tactics of Hackers from the Recent Massive Cryptocurrency Theft Case in Japan
Author: Xiaoza Team
On May 31, according to monitoring data from a third-party blockchain security risk platform, DMM Bitcoin, a subsidiary of Japan's super consortium DMM, experienced an "unauthorized" massive outflow of Bitcoin. Although no official investigation findings have been released yet, on-chain data suggests that this can essentially be judged a case of extremely large-scale cryptocurrency theft, and the method used by the criminals is quite novel. According to public sources, the amount involved in this case is approximately $300 million.
The Xiaoza team believes that this incident bears some similarities to the Mt. Gox cryptocurrency platform theft case that occurred in Japan years ago (which remains unresolved to this day), often referred to as the "Mt. Gox incident." Currently, DMM Bitcoin has restricted new user account openings, cryptocurrency withdrawals, spot trading buy orders, and other services, and has publicly stated that the platform will bear all losses incurred from this incident. Clearly, for the large and established DMM, a loss of $300 million is still within an acceptable risk range, which should be considered a silver lining for investors.
Today, the Xiaoza team will elaborate on the latest hacking techniques in cryptocurrency assets and prevention methods, starting from this incident.
01 How Exchanges Regulate User Cryptocurrency Assets
Before discussing this theft case, it is essential to provide some knowledge for those who may not be familiar with DMM. DMM Bitcoin's parent company, DMM, short for Digital Media Mart, is a highly recognized super entertainment conglomerate in Japan. Although DMM initially rose to prominence through a special industry, under the legendary leadership of Keiji Kumeyama, its business has developed extensively over the years.
In 2009, DMM acquired an online brokerage that was on the verge of bankruptcy and rebranded it as DMM FX, entering the Japanese forex market.
In just one year, it became Japan's number one forex trading platform by trading volume, and three years later, it became the world's second-largest forex broker, with an annual trading volume exceeding $2 trillion. Since then, DMM has thrived in the Japanese financial industry. In recent years, DMM has gradually divested and sold off its original special industries, transforming into a comprehensive super consortium and venturing into the rapidly growing cryptocurrency market, which brings us to the protagonist of today's story—DMM Bitcoin.
It is worth mentioning that the infamous Mt. Gox incident, which nearly killed the industry, occurred in Japan. Learning from the painful lessons of its predecessors, DMM has actually established a fairly strict cryptocurrency asset protection and regulatory mechanism. According to an analysis of DMM Bitcoin's withdrawal process by the third-party platform Beosin, we can see that DMM Bitcoin has implemented physical isolation and management of customer-held cryptocurrency assets—over 95% of customer assets, except for a few cryptocurrencies, are stored in DMM Bitcoin's cold wallets. When transferring customer cryptocurrency assets from cold wallets to hot wallets, DMM Bitcoin must undergo multiple internal department reviews and approvals, and finally arrange a "cashier" team of two individuals to conduct the transfer.
On the surface, DMM Bitcoin seems to have done a commendable job in safeguarding user assets, so how did this astonishing theft occur?
02 How the $300 Million Cryptocurrency Theft Happened
Although DMM Bitcoin has not publicly disclosed the specific cause of this theft, on-chain data suggests that, excluding the possibility of an insider job, the relevant trading personnel most likely fell victim to the recently popular fake-address trap. In simple terms, the two individuals responsible for completing the transfer at DMM Bitcoin were deceived by the hacker and sent the cryptocurrency assets to the wrong address. The reason the staff made such a basic mistake is that the fake address used for the fraud looked "similar enough" to the correct one.
To be honest, anyone with a basic understanding of blockchain would find this hacker's method both improbable and primitive: it relies on neither a computer system vulnerability nor any astonishing special technique, yet this simple trap successfully stole $300 million.
As is well known, Bitcoin has used the SHA-256 cryptographic hash function since its design inception. A hash algorithm is a one-way hash function h = H(x) that maps input data x of any length to a fixed-length output h, commonly referred to as the hash value. Two properties matter here: it works in one direction only, so the input value cannot be reverse-engineered from the hash value, and the collision rate of the output hash value is extremely low.
The so-called collision rate refers to the situation where different input values yield the same hash value. Because the input may be arbitrarily long while the output length is fixed, the set of possible inputs x is infinite while the set of possible outputs h is finite, so by the pigeonhole principle some distinct inputs must map to the same output. When two different inputs x yield the same output h, this is called a "hash collision."
The theoretical collision probability of the hash algorithm used by Bitcoin is as follows: attempting 2 to the power of 130 random inputs gives a 99.8% probability of a collision, and 2 to the power of 130 is an astronomically large number, so brute-forcing a collision is virtually impossible with the computing power currently available to hackers.
A simplified way to understand this is that the input value of the hash algorithm is the user's private key, while the output hash value is the user's address (public key).
In the case of the DMM Bitcoin theft, the hacker certainly did not have the capability to brute-force the exchange's private key with powerful computers. Instead, they generated a massive number of public-key addresses. Because data on the Bitcoin blockchain is public and transparent, the addresses DMM Bitcoin routinely transfers to are no secret.
Specifically, DMM Bitcoin often needs to transfer online cryptocurrency assets to the cold wallet address 1B6rJ6ZKfZmkqMyBGe5KR27oWkEbQdNM7P for safekeeping. Among the enormous number of generated addresses, one begins and ends with characters very similar to those of the exchange's commonly used address. Here is a comparison for reference:
DMM Bitcoin's wallet address:
1B6rJ6ZKfZmkqMyBGe5KR27oWkEbQdNM7P
Hacker-generated wallet address:
1B6rJRfjTXwEy36SCs5zofGMmdv2kdZw7P
Therefore, the transfer personnel at DMM Bitcoin likely checked only the beginning and end of the address, overlooked the middle, and proceeded with the transfer, resulting in the massive theft of cryptocurrency assets.
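The following Python is an added illustration, not code from the article or from DMM Bitcoin, of why a lookalike slips through: the Base58Check checksum test that wallets perform to answer "is this address well-formed?" accepts the hacker's address just as readily as the real one, because it is a genuine address with its own valid checksum; only an exact comparison against an allowlist of known cold-wallet addresses, with near-misses that agree on the leading and trailing characters flagged, catches it. The prefix/suffix thresholds and the constructed test payload are assumptions.

```python
import hashlib

# Addresses quoted in the article: the legitimate cold wallet and the hacker's lookalike.
DMM_COLD_WALLET = "1B6rJ6ZKfZmkqMyBGe5KR27oWkEbQdNM7P"
LOOKALIKE_ADDR = "1B6rJRfjTXwEy36SCs5zofGMmdv2kdZw7P"
B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

def _checksum(payload: bytes) -> bytes:
    # Base58Check: first 4 bytes of double SHA-256 over version byte + hash160.
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]

def b58check_encode(payload: bytes) -> str:
    # Used here only to build a well-formed test address from a constructed payload.
    raw = payload + _checksum(payload)
    n, out = int.from_bytes(raw, "big"), ""
    while n:
        n, r = divmod(n, 58)
        out = B58[r] + out
    return "1" * (len(raw) - len(raw.lstrip(b"\x00"))) + out

def b58check_valid(addr: str) -> bool:
    # Decodes the address and verifies its checksum. This catches typos, NOT lookalikes:
    # a lookalike is a genuine address and therefore carries a valid checksum of its own.
    if not addr or any(c not in B58 for c in addr):
        return False
    n = 0
    for c in addr:
        n = n * 58 + B58.index(c)
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    raw = b"\x00" * (len(addr) - len(addr.lstrip("1"))) + body
    return len(raw) >= 5 and _checksum(raw[:-4]) == raw[-4:]

def shared_prefix(a: str, b: str) -> int:
    # Number of leading characters on which the two strings agree.
    return next((i for i, (x, y) in enumerate(zip(a, b)) if x != y), min(len(a), len(b)))

def classify(candidate: str, allowlist, prefix_min: int = 4, suffix_min: int = 2) -> dict:
    # Only an exact allowlist match is acceptable; a near-miss that agrees on the first
    # prefix_min and last suffix_min characters is flagged as a lookalike (assumed thresholds).
    if candidate in allowlist:
        return {"verdict": "exact", "match": candidate}
    for known in allowlist:
        p = shared_prefix(candidate, known)
        s = shared_prefix(candidate[::-1], known[::-1])
        if p >= prefix_min and s >= suffix_min:
            return {"verdict": "lookalike", "match": known, "prefix": p, "suffix": s}
    return {"verdict": "unknown", "match": None}
```

Run against the two addresses above, classify reports a lookalike sharing 5 leading and 2 trailing characters with the cold wallet, which is exactly what a "check the start and end" habit fails to notice.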
03 Conclusion
Currently, a third-party company has identified that the cryptocurrency assets stolen from DMM Bitcoin have been transferred to 10 addresses, which have been flagged as involved addresses. DMM Bitcoin has also reported the case to the Japanese police, and the investigation is ongoing.
The Xiaoza team believes that, compared with Mt. Gox, which went bankrupt after its theft and caused severe losses to users, DMM's proactive announcement that it will bear user losses and limit the fallout in public opinion has greatly stabilized market confidence and prevented a panic sell-off. This also shows that today's cryptocurrency exchanges have significantly improved their ability to handle sudden emergencies, an improvement attributable to stronger government regulatory capabilities and the continuous improvement of compliance frameworks at cryptocurrency platforms.