Japanese crypto service shuts down after theft of bitcoin worth $308 million

A popular Japanese cryptocurrency platform is shutting down less than six months after hackers siphoned more than $300 million worth of coins from the site.

DMM Bitcoin said on Monday that it planned to transfer all customer accounts and company assets to another crypto firm called SBI VC Trade — a subsidiary of Japanese financial services giant SBI Group. 

The platform attributed the move to the May 31 incident when hackers broke into the platform and stole 4,502.9 bitcoin, which at the time was worth $308 million but as of Monday is worth more than $429 million. 

DMM Bitcoin explained that it is still investigating the incident and noted the platform has continued to restrict withdrawals and purchase orders of crypto. 

“But we have determined that allowing this situation to continue for a long time would significantly impair customer convenience,” the company said. 

“In light of this situation, and with the protection of our customers as our number one priority, we have decided to transfer all accounts and assets held with us to another company. We sincerely apologize for the inconvenience caused to you over such a long period of time. As a result, the Company plans to discontinue its business once the transfer is complete.”

DMM Bitcoin, which was launched in January 2018, signed the agreement with SBI VC Trade on November 29, and all accounts as well as assets held will be transferred over by March 2025. The two companies are still settling other facets of the deal and will make further announcements in the future. SBI VC Trade confirmed the deal in its own statement. 

Following the attack, DMM Bitcoin was forced to take out massive loans to cover the lost bitcoin. In June, the company secured 55 billion yen in loans — about $367 million. 

The company has not provided an update on the situation since September and never fully explained publicly what happened, who was behind the attack or where the stolen funds are. 

Officials with Japan’s Financial Services Agency stepped in and conducted an investigation. They said in September that “serious problems were found with the Company's system risk management system and response to the risk of crypto asset leakage.”

The company never appointed someone to run the risk management system and consolidated risk management, security and development into the hands of a small group of people.

Government officials also said departments were auditing themselves and there were no independent audits done. 

They found that DMM Bitcoin violated several rules on how cryptocurrency firms are supposed to handle transfers and did not preserve the kind of logs that would help with their investigation into the theft. 

“As described above, the Company has not taken appropriate measures to prevent the outflow of crypto assets through fraudulent activities, etc., and as a result, security against internal fraud and theft is not ensured, and sloppy management practices regarding the transfer of crypto assets are recognized,” the bureau said. 

“Furthermore, internal audits are not functioning as they tolerate such management practices, and a system has not been established to appropriately respond to the risk of crypto assets being outflowed.”

The officials issued a “business improvement order” but did not respond to requests for comment about whether any other penalties were issued. 

Researchers at blockchain security firm Elliptic said the stolen funds were quickly split up and varying amounts were sent to at least 10 different wallets. 

Prominent cryptocurrency researcher ZachXBT said in July that some of the money has since been laundered through shadowy Cambodian payment site Huione Guarantee, a controversial platform with ties to organized crime and a member of theCambodian ruling family. 

Based on laundering techniques and other clues, ZachXBT said it is likely the attack was launched by Lazarus Group — a North Korean government operation well-known for dozens high-profile cyberattacks that have allegedly netted the government more than $3 billion over the last decade. 

Blockchain research company Chainalysis explained earlier this year that cybercriminals netted nearly $1.6 billion from crypto thefts in the first half of 2024, up from $857 million during the same period of 2023. 

There have been several large incidents in the second half of the year, including thefts of at least $230 million from India-based cryptocurrency platform WazirX and more than $44 million from Singaporean crypto platform BingX. 

Indonesia’s largest crypto platform saw $20 million taken in September while another Singaporean crypto platform, Penpie, reported an incident where $27 million was stolen.