CoinEx hacks linked to North Korea’s Lazarus amid third breach
- Lazarus group suspected of the attacks on CoinEx.
- A third wave of attack hit the exchange.
According to recent data, the hacker group Lazarus could be behind the attacks on crypto exchange CoinEx. SlowMist, a blockchain cybersecurity firm, stated in a tweet that the CoinEx attackers may have ties to the North Korean hackers known as the Lazarus group.
Lazarus rises again
According to SlowMist, Lazarus is also behind the attacks on crypto betting platform Stake.com and crypto payment provider Alphapo. The firm laid out the reasoning behind its suspicion in a Twitter thread.
SlowMist stated that the Alphapo Exploiter initially swapped TRX for ETH and bridged it via TransitSwap to the address 0x22be3b0a943b1bc0ea3aec2cb3ef511f3920a98d. That address (0x22b…98d) is therefore tagged as Alphapo Exploiter on the ETH chain.
Interestingly, the same address (0x22b…98d) is tagged as Stake Exploiter on the BSC chain.
SlowMist Security Alert
1/ @coinexcom Exploiter, @Stake Exploiter and #Alphapo Exploiter may all have ties to the North Korean Hackers known as #LazarusGroup.
Here’s how we came to that conclusion: https://t.co/IGNldb2ZZJ pic.twitter.com/SLGzSgbCis
— SlowMist (@SlowMist_Team) September 13, 2023
Separately, another address (0x754…c59), tagged as CoinEx Exploiter on the ARB and OP chains, is also tagged as Stake Exploiter on the Polygon chain. This suggests that the same address was used in two separate exploits.
Given that the FBI has previously linked the Stake Exploiter to the North Korean hackers Lazarus Group, it is plausible that all three exploiters – Alphapo, CoinEx, and Stake – may be associated with this group according to SlowMist.
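The attribution above rests on one property of EVM chains: the same private key controls the same address on ETH, BSC, ARB, OP and Polygon, so a tag applied to an address on one chain carries over to every other chain where that address appears. The following is an added example, not SlowMist's or CoinEx's tooling, that normalizes address casing (explorers mix EIP-55 checksummed and lowercase forms) and groups incident labels that share an address. The ETH address is the one quoted above; every other address and label is a constructed placeholder.

```python
"""Cross-chain address correlation (added example, not the article's or SlowMist's code)."""
from collections import defaultdict

# The one full address quoted in the article.
ARTICLE_ADDR = "0x22be3b0a943b1bc0ea3aec2cb3ef511f3920a98d"
# Constructed placeholders; NOT the article's truncated 0x754…c59 or any real exploiter.
PLACEHOLDER_A = "0x" + "0" * 36 + "0754"
PLACEHOLDER_B = "0x" + "0" * 32 + "deadbeef"

# Constructed tag records: (chain, address, label), as an analyst might collect them
# from several explorers. Casing deliberately differs between records.
TAG_RECORDS = [
    ("ETH",     ARTICLE_ADDR,                        "Alphapo Exploiter"),
    ("BSC",     "0x" + ARTICLE_ADDR[2:].upper(),     "Stake Exploiter"),    # same key, checksum-style casing
    ("ARB",     PLACEHOLDER_A,                       "CoinEx Exploiter"),
    ("OP",      PLACEHOLDER_A,                       "CoinEx Exploiter"),
    ("Polygon", PLACEHOLDER_A,                       "Stake Exploiter"),
    ("ETH",     PLACEHOLDER_B,                       "Unrelated Service"),  # single label, should not link
]


def normalize(addr: str) -> str:
    """Canonical lowercase form; rejects anything that is not a 20-byte EVM address."""
    a = addr.strip().lower()
    if not (a.startswith("0x") and len(a) == 42):
        raise ValueError(f"not an EVM address: {addr!r}")
    int(a[2:], 16)  # raises ValueError on non-hex characters
    return a


def labels_by_address(records):
    """Map each canonical address to the set of (chain, label) pairs tagged on it."""
    out = defaultdict(set)
    for chain, addr, label in records:
        out[normalize(addr)].add((chain, label))
    return out


def linked_incidents(records):
    """Addresses carrying more than one distinct label, i.e. the cross-incident links."""
    result = {}
    for addr, pairs in labels_by_address(records).items():
        labels = sorted({label for _, label in pairs})
        if len(labels) > 1:
            result[addr] = labels
    return result


def incident_clusters(records):
    """Union-find over labels: two labels join one cluster when any address carries both.
    Returns a sorted list of sorted label groups, singletons included."""
    parent = {}

    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    def union(a, b):
        ra, rb = find(a), find(b)
        if ra != rb:
            parent[ra] = rb

    for pairs in labels_by_address(records).values():
        labels = sorted({label for _, label in pairs})
        for label in labels:
            find(label)  # register even if it links to nothing
        for other in labels[1:]:
            union(labels[0], other)

    groups = defaultdict(list)
    for label in parent:
        groups[find(label)].append(label)
    return sorted(sorted(g) for g in groups.values())


if __name__ == "__main__":
    for addr, labels in linked_incidents(TAG_RECORDS).items():
        print(addr, "->", ", ".join(labels))
    print(incident_clusters(TAG_RECORDS))
```

On the constructed records the two multi-label addresses link Alphapo, Stake and CoinEx into one cluster while the single-label address stays apart, which mirrors the chain of reasoning in the thread. Shared addresses are evidence of shared control, not proof of it, and a single mislabelled record propagates through the whole cluster, so the provenance of each tag matters as much as the clustering.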
A large record
Beyond these recent exploits, Lazarus has a long record of criminal activity. Before targeting Stake, the group stole $60 million from crypto payment providers Alphapo and CoinsPaid.
In June, Lazarus pulled off its largest heist of the year, siphoning off $100 million from another wallet provider, Atomic Wallet. Furthermore, the group’s hackers infiltrated an American IT company, JumpCloud, and used it to target cryptocurrency companies, according to a Reuters report.
A third wave strikes
Initially, it was assumed that the hackers had struck twice and escaped with the funds. However, a recent update from the CoinEx team stated that a third attack followed, this time draining wallets on BSC, ARB, OP and many other chains.
#CoinExResponseUpdate – We've identified the 3rd series of suspicious wallet addresses linked to the hack:
We are working nonstop to track down the hackers' addresses. Here are the recently identified addresses:
$BSC:
0xC844F7178379782eC19F3EE6E399f2EB7b2b984F
$ARB: …
— CoinEx Global (@coinexcom) September 13, 2023
It is still unclear how much of the funds were actually drained. TRX was among the tokens taken in the largest quantities in the earlier attacks, yet this had little effect on the TRX price.
However, weighted sentiment for TRX declined significantly, which suggests that bears could target the token in the future.