The hacker group was identified by SlowMist, which exposed its wallet address: the same address used in the Stake and Optimism hacks over the past month.
CoinEx Hack details
Large transfers were detected from CoinEx to an unfamiliar address on 12 September, immediately raising suspicions of a security breach. Initial estimates pegged the loss at around $27m. However, according to recent data from SlowMist, the damages have surpassed $55m.
In response to the breach, CoinEx Global reassured its users, asserting that their assets remain protected. They also pledged that all users affected by the hack will be fully compensated for their losses.
The exchange temporarily halted deposits and withdrawals to ensure security and prevent any more breaches. CoinEx is actively monitoring the situation and plans to release a detailed report about the incident soon.
Connection to the Stake hack
Based on the wallet address and the attackers’ behaviour, the CoinEx attack appears to have been carried out by the same group that recently stole $41m from the crypto gambling platform Stake.
Stake suffered a substantial security breach on 4 September, in which hackers stole $41m in various cryptocurrencies.
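The two observations above, an unusually large transfer to an address the exchange has never dealt with and attribution through a destination address reused across incidents, can be turned into simple monitoring logic. The Python below is an added example written for this article, not code from CoinEx, SlowMist or any other party named here; every address, amount and incident name in it is constructed, and the $500,000 review threshold is an assumed parameter.

```python
"""Illustrative exchange-side monitoring: flag large outbound transfers to
unfamiliar addresses, and link incidents that reuse a destination address.
All addresses, amounts and incident names are constructed for this example;
none are the real CoinEx, Stake or Optimism addresses."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Transfer:
    tx_hash: str
    src: str
    dst: str
    asset: str
    usd_value: float


# Constructed: addresses the exchange has labelled itself (hot/cold wallets, custodians).
KNOWN_ADDRESSES = {"0xHOT_WALLET_A", "0xCOLD_WALLET_B", "0xCUSTODIAN_C"}

# Constructed: destination addresses recorded from earlier incidents, keyed by incident name.
PRIOR_INCIDENT_ADDRESSES = {
    "incident-1": {"0xATTACKER_X"},
    "incident-2": {"0xATTACKER_X", "0xATTACKER_Y"},
    "incident-3": {"0xATTACKER_W"},
}

# Constructed sample of outbound transfers from the exchange's hot wallet.
SAMPLE_TRANSFERS = [
    Transfer("0xtx1", "0xHOT_WALLET_A", "0xCOLD_WALLET_B", "ETH", 3_000_000.0),
    Transfer("0xtx2", "0xHOT_WALLET_A", "0xUSER_WITHDRAWAL_1", "USDT", 12_000.0),
    Transfer("0xtx3", "0xHOT_WALLET_A", "0xATTACKER_X", "ETH", 4_500_000.0),
    Transfer("0xtx4", "0xHOT_WALLET_A", "0xUNKNOWN_Z", "USDC", 900_000.0),
]

# Assumed review threshold in USD; a real deployment would tune this per asset.
REVIEW_THRESHOLD_USD = 500_000.0


def flag_transfers(transfers, known, prior, threshold_usd):
    """Return (tx_hash, reasons) for each transfer that merits analyst review.

    A transfer is flagged when it is at or above the threshold and goes to an
    address the exchange has not labelled, or when its destination was recorded
    in a prior incident regardless of size.
    """
    watch = defaultdict(list)
    for name in sorted(prior):
        for addr in prior[name]:
            watch[addr].append(name)
    alerts = []
    for t in transfers:
        reasons = []
        if t.dst not in known and t.usd_value >= threshold_usd:
            reasons.append("large transfer to unfamiliar address")
        if t.dst in watch:
            reasons.append("destination seen in " + ", ".join(watch[t.dst]))
        if reasons:
            alerts.append((t.tx_hash, reasons))
    return alerts


def link_incidents(incident_addresses):
    """Group incidents that share at least one destination address (transitively).

    Returns a sorted list of tuples, each tuple being one linked cluster.
    """
    parent = {name: name for name in incident_addresses}

    def find(n):
        while parent[n] != n:
            parent[n] = parent[parent[n]]  # path halving
            n = parent[n]
        return n

    by_addr = defaultdict(set)
    for name, addrs in incident_addresses.items():
        for a in addrs:
            by_addr[a].add(name)
    for names in by_addr.values():  # union every incident sharing an address
        names = sorted(names)
        for other in names[1:]:
            parent[find(other)] = find(names[0])
    groups = defaultdict(set)
    for name in incident_addresses:
        groups[find(name)].add(name)
    return sorted(tuple(sorted(g)) for g in groups.values())


if __name__ == "__main__":
    for tx, why in flag_transfers(SAMPLE_TRANSFERS, KNOWN_ADDRESSES,
                                  PRIOR_INCIDENT_ADDRESSES, REVIEW_THRESHOLD_USD):
        print(tx, "->", "; ".join(why))
    print("linked incident clusters:", link_incidents(PRIOR_INCIDENT_ADDRESSES))
```

The first check is the one that produced the initial CoinEx alarm: a large movement to an address the exchange has no label for. The second is the attribution step SlowMist performed, applied automatically: any destination already recorded from a prior incident is surfaced, and incidents sharing an address are merged into one cluster so analysts see them as a single actor.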
The exploit started with a transaction on the Ethereum blockchain, where roughly $3.9m in Tether was transferred from Stake to the hacker’s account. This was followed by multiple transactions, resulting in the loss of $9.8m in ETH, $1m in USD Coin, $900,000 in Dai, and $25,000 in Stake Classic (STAKE) tokens.
Once the funds were obtained, the hacker dispersed them across eight separate wallets. Cyvers, a security alert platform, said that the compromised stablecoins were then exchanged for ETH, which is currently held in externally owned accounts.
By 7 September, investigations by the US Federal Bureau of Investigation (FBI) pointed to North Korea’s Lazarus Group as the hackers behind the Stake attack.
Who is the Lazarus Group?
Lazarus Group, associated with the North Korean government, has a history of high-profile cyber attacks. A report from TRM Labs revealed that since 2018, the group has siphoned almost $2bn in cryptocurrency, with nearly half of that amount taken just last year.
But the group’s malicious activities aren’t confined to the crypto space. Back in November 2014, they were reportedly responsible for cyber attacks against Sony Pictures Entertainment, in retaliation for the release of ‘The Interview’, a satirical film centred on an assassination plot against North Korean leader Kim Jong-un.
The FBI detailed the group’s methods, stating: “The conspirators accessed SPE’s network using malware sent to employees, subsequently stealing confidential data, issuing threats to executives and employees, and compromising thousands of computers.”
Before shifting to the crypto industry, Lazarus Group was known for targeting traditional financial institutions. In a notable 2016 attempt they tried to steal $1bn from Bangladesh’s national bank, but succeeded in taking only $81m.
Other notable crypto hacks attributed to the Lazarus Group include the attack on Harmony’s Horizon bridge, in which $100m was stolen last year, and the $650m exploit of Axie Infinity’s Ronin bridge.