DMM Bitcoin
DPRK operatives compromised a developer at wallet vendor Ginco via a fake LinkedIn job offer, draining 4,502.9 BTC ($305M) from Japanese exchange DMM Bitcoin.
- Date: May 31, 2024
- Victim: DMM Bitcoin
- Chain(s): Bitcoin
- Status
- Funds Stolen: 4,502.9 BTC (about $305 million at the time)
- Attribution: TraderTraitor / Lazarus Group (DPRK)
On May 31, 2024, the Japanese cryptocurrency exchange DMM Bitcoin lost 4,502.9 BTC — roughly $305 million at the time — in a single unauthorized withdrawal. The exchange wound down operations later that year and transferred remaining customer accounts to SBI VC Trade.
What happened
The breach did not originate at DMM itself. It started at Ginco, the Japanese wallet-software vendor whose system DMM used to authorise withdrawals.
In March 2024, a North Korean operative posed as a recruiter on LinkedIn and approached a Ginco engineer. As part of the fake hiring process, they shared a Python "skills test" hosted on GitHub. The engineer ran the script on a personal machine — granting the attacker access to session cookies and, through those, the ability to impersonate the engineer on Ginco's internal systems.
For two months the attacker sat inside Ginco's unencrypted communications, observing how transactions were authorised. In late May they used that access to manipulate a legitimate withdrawal request from DMM Bitcoin so that the funds were routed to wallets they controlled instead. The 4,502.9 BTC moved in a single transaction.
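The step that actually moved the money was a withdrawal that the exchange had legitimately requested but that an intermediary altered before it was signed. The control a practitioner would want here is that the signer never trusts the transaction it is handed by the vendor's internal system alone: it must check the proposal against a commitment the exchange made out of band, and against a destination allow-list the vendor's operators cannot edit. The following is an added illustration of that check, not code from DMM Bitcoin, Ginco or the investigation; the HMAC key, the allow-listed addresses and the withdrawal request are all constructed for the example, and the request is modelled as a single-destination JSON object rather than a real Bitcoin transaction.

```python
import hashlib
import hmac
import json

# Constructed for this example: a secret held on the exchange side, never
# given to the wallet vendor's operators or their internal messaging system.
APPROVAL_KEY = b"exchange-side-approval-secret-constructed"

# Constructed for this example: destinations the exchange pre-registered.
# In a real deployment this set lives in a store the vendor cannot modify.
ALLOWLISTED_DESTINATIONS = {
    "bc1q-constructed-exchange-hotwallet-01",
    "bc1q-constructed-exchange-hotwallet-02",
}


def canonical(request: dict) -> bytes:
    """Deterministic serialisation so exchange and signer MAC identical bytes."""
    return json.dumps(request, sort_keys=True, separators=(",", ":")).encode()


def commit_request(request: dict, key: bytes = APPROVAL_KEY) -> str:
    """Exchange side: MAC the withdrawal as approved, recorded out of band."""
    return hmac.new(key, canonical(request), hashlib.sha256).hexdigest()


def verify_before_signing(proposed: dict, commitment: str,
                          key: bytes = APPROVAL_KEY,
                          allowlist=ALLOWLISTED_DESTINATIONS) -> tuple:
    """Signer side: refuse unless the proposal pays a pre-registered destination
    and is byte-for-byte the request the exchange committed to."""
    dest = proposed.get("destination")
    if dest not in allowlist:
        return False, f"destination {dest!r} is not pre-registered"
    expected = hmac.new(key, canonical(proposed), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, commitment):
        return False, "proposal does not match the approved request"
    return True, "ok"


def demo() -> dict:
    """Run the check against the genuine request and two tampered variants."""
    # 4,502.9 BTC expressed in satoshi; request id is constructed.
    approved = {
        "request_id": "wd-constructed-0001",
        "amount_sat": 450_290_000_000,
        "destination": "bc1q-constructed-exchange-hotwallet-01",
    }
    commitment = commit_request(approved)

    # Attacker inside the vendor reroutes the payout to their own wallet.
    rerouted = dict(approved, destination="bc1q-constructed-attacker-wallet")
    # Attacker keeps an allow-listed destination but changes the amount;
    # the allow-list alone would pass this, the commitment check does not.
    amount_changed = dict(approved, amount_sat=approved["amount_sat"] * 2)

    return {
        "genuine": verify_before_signing(approved, commitment),
        "rerouted": verify_before_signing(rerouted, commitment),
        "amount_changed": verify_before_signing(amount_changed, commitment),
    }


if __name__ == "__main__":
    for name, (ok, reason) in demo().items():
        print(f"{name}: {'SIGN' if ok else 'REFUSE'} ({reason})")
```

The point of the two layers is that each catches what the other misses: the allow-list stops a rerouted payout even if the commitment store were unavailable, while the commitment catches in-band edits (amount, request id) that leave the destination untouched. Neither helps if the attacker can alter the request before the exchange commits to it, so the commitment must be produced from the exchange's own record, not from anything relayed through the vendor's systems.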
Aftermath
- The FBI, Japan's National Police Agency, and the U.S. Department of Defense Cyber Crime Center jointly attributed the heist to TraderTraitor / Lazarus in December 2024.
- DMM Bitcoin announced it would shut down in December 2024 and migrate customer accounts to SBI VC Trade.
- The stolen BTC was laundered through cross-chain bridges and mixers.
Why it matters
DMM was the highest-profile example of a pattern that defined the year: North Korean operatives targeting the vendors and developers around crypto businesses rather than the businesses themselves. The same approach, a pretext delivered to a developer, malicious code run on that developer's machine, and stolen credentials or session material used to reach the real target, recurred at Munchables, Radiant Capital, and ultimately at Safe{Wallet} before the Bybit heist.
Sources & on-chain evidence
- [01] fbi.gov: https://www.fbi.gov/news/press-releases/fbi-dc3-and-npa-identification-of-north-korean-cyber-actors-tracked-as-tradertraitor-responsible-for-theft-of-308-million-from-bitcoindmmcom
- [02] coindesk.com: https://www.coindesk.com/policy/2024/12/24/north-korea-blamed-for-may-s-usd305m-hack-on-japanese-crypto-exchange-dmm
- [03] cryptoslate.com: https://cryptoslate.com/fbi-reveals-north-korea-used-linkedin-to-steal-305-million-from-japans-dmm-bitcoin/