
CoinEx Hack: Addresses Linked Back to North Korea’s Lazarus Group

Last Updated September 14, 2023 9:56 AM
James Morales
Key Takeaways
  • The North Korean hacker group Lazarus is being blamed for stealing $54M worth of cryptocurrencies from CoinEx.
  • In recent months, the group has been behind several multi-million dollar crypto heists.
  • Its focus on crypto firms has proven to be extremely lucrative for Lazarus.

A shadowy North Korean hacker group known as Lazarus has increasingly targeted crypto platforms in recent months.

In the latest attack attributed to the group, the CoinEx cryptocurrency exchange was hacked for $54M worth of BTC, ETH, and other tokens.

Who Are Lazarus?

Lazarus first rose to notoriety through a series of distributed denial-of-service (DDoS) attacks targeting the South Korean government between 2009 and 2012.

The group’s first high-profile attack on a private corporation occurred in 2014, when hackers calling themselves the “Guardians of Peace” broke into Sony’s computer systems and stole sensitive internal documents.

While the Guardians of Peace acted as a cohesive unit, “Lazarus” refers to a loose collective of cybercriminals, defined more by a shared method than a distinct membership.

Following its investigation into the Sony attack, the FBI concluded that the threat actors were sponsored by the North Korean government. Since then, Lazarus hacks have been repeatedly traced back to servers in North Korea.

An Increasingly Sophisticated Threat

Over the years, Lazarus’ arsenal of cyber threats has evolved.

From the rudimentary DDoS attacks of 2009-2012, the group soon moved on to ransomware attacks like the one that hit Sony.

By 2015, Lazarus had developed even more sophisticated malware tools that were able to breach secure systems at some of the world’s biggest banks.

Notoriously, the collective stole $81M from the Central Bank of Bangladesh by seizing control of computer terminals that communicated with the Society for Worldwide Interbank Financial Telecommunication (SWIFT) system.

Had alarm bells not been triggered at the New York Federal Reserve, where Bangladesh keeps its currency reserves, the hackers would have walked off with a billion dollars!

Crypto Firms Provide Rich Pickings for North Korean Hackers

Although Lazarus has used Bitcoin as its preferred means of extracting extortion payments from victims since at least 2017, only more recently has the group explicitly targeted crypto firms.

In 2022, North Korean hackers were behind the heist of $620M worth of cryptocurrency from Axie Infinity via the Ronin Ethereum sidechain.

This year, the collective has ramped up its campaign against digital asset businesses.

Since June, Lazarus has hit Atomic Wallet for $35M, Alphapo for $60M, CoinsPaid for $37M, Harmony Horizon for $100M, Stake.com for $41M, and now, CoinEx for a further $54M.

The connection between the North Korean hackers and the recent CoinEx theft first surfaced after the online blockchain sleuth ZachXBT identified Optimism and Polygon wallets that had previously received funds from the Stake.com hack.

ZachXBT’s discovery was later confirmed by the crypto security firm Slowmist, which outlined a network of crypto addresses used to move funds from the CoinEx, Stake.com and Alphapo exploits.

Ultimately, however, knowing the addresses that received stolen funds may not be of much use. In the past, Lazarus has used crypto tumblers like Tornado Cash to obscure the trail of stolen assets.

In August, the FBI even published a list of crypto wallets associated with the group.

However, beyond warning businesses not to interact with the specific addresses identified, the agency can do little to prevent Lazarus from cashing out illegally swiped cryptocurrency once it has been laundered and anonymized.
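The two defensive uses of address intelligence described above, linking wallets that received funds from an earlier hack and screening outgoing payments against a published list of flagged addresses, can be combined in a simple taint-propagation check. The following is an added example written for this page, not code from the article, from ZachXBT, Slowmist or the FBI. Every address and transfer in it is a constructed placeholder built by the hypothetical `_addr` helper; a real deployment would load the seed set from the advisory itself and the transfer records from a chain indexer.

```python
"""Forward taint propagation over a transfer graph plus payment screening.

Added example, not code from the article or any firm it names. All addresses
and transfers below are constructed placeholders, not real on-chain data.
"""
from collections import deque


def _addr(tag: str) -> str:
    """Build a placeholder 20-byte hex address from a short hex tag (constructed)."""
    return "0x" + tag.rjust(40, "0")


# Constructed seed set standing in for wallets named in a published advisory.
BAD1, BAD2 = _addr("BAD1"), _addr("BAD2")
FLAGGED_SEED = {BAD1, BAD2}

# Constructed transfer records: (sender, receiver, amount).
A10, A11, A12, A20 = _addr("A10"), _addr("A11"), _addr("A12"), _addr("A20")
C30, C31 = _addr("C30"), _addr("C31")
TRANSFERS = [
    (BAD1, A10, 500.0),   # hack wallet pays a fresh intermediary
    (A10, A11, 250.0),    # one hop further
    (A11, A12, 100.0),    # two hops further
    (BAD2, A20, 75.0),    # second seed, its own branch
    (C30, C31, 10.0),     # unrelated traffic, never tainted
]


def normalize(addr: str) -> str:
    """Canonical form for EVM-style hex addresses: trimmed and lowercased, so a
    mixed-case (EIP-55) spelling matches the same address written in lowercase."""
    a = addr.strip()
    if not (a.startswith("0x") and len(a) == 42):
        raise ValueError(f"not a 20-byte hex address: {addr!r}")
    int(a[2:], 16)  # raises ValueError on non-hex characters
    return a.lower()


def tainted_addresses(seed, transfers, max_hops=2):
    """Breadth-first walk forward along transfers starting from the seed set.
    Returns {address: hops_from_seed} for every address within max_hops."""
    out_edges = {}
    for src, dst, _amount in transfers:
        out_edges.setdefault(normalize(src), set()).add(normalize(dst))
    dist = {normalize(a): 0 for a in seed}
    queue = deque(dist)
    while queue:
        cur = queue.popleft()
        if dist[cur] >= max_hops:
            continue
        for nxt in out_edges.get(cur, ()):
            if nxt not in dist:
                dist[nxt] = dist[cur] + 1
                queue.append(nxt)
    return dist


def screen_payment(dest, taint_map):
    """Decision for an outgoing transfer: block direct hits on the seed set,
    route downstream addresses to manual review, allow everything else."""
    hops = taint_map.get(normalize(dest))
    if hops is None:
        return ("allow", None)
    return ("block" if hops == 0 else "review", hops)


if __name__ == "__main__":
    taint = tainted_addresses(FLAGGED_SEED, TRANSFERS, max_hops=2)
    for candidate in (BAD1, A10.lower(), A12, C31):
        print(candidate, screen_payment(candidate, taint))
```

The hop limit matters in practice: with `max_hops=2`, `A12` is not flagged even though it sits three transfers downstream of a seed wallet, which is exactly the blind spot the article describes once funds pass through a mixer or enough intermediaries. Raising the limit widens coverage at the cost of more false positives, so the "review" tier exists to keep humans in the loop rather than block on graph distance alone.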
