Blockchain surveillance firm Elliptic published a report Friday detailing the exploits of notorious North Korean hacking group Lazarus, which has been “ramping up” activity in recent months.
The organization has been linked to five major crypto hacks over the past three months. The latest, according to blockchain data, was the global cryptocurrency exchange CoinEx, which was hacked earlier this week for a now estimated $54 million. All in all, Elliptic estimates that North Korea’s Lazarus is responsible for the theft of almost $240 million in crypto in just the past 104 days alone.
“Elliptic analysis confirms that some of the funds stolen from CoinEx were sent to an address which was used by the Lazarus group to launder funds stolen from the Drake-backed crypto casio Stake.com, albeit on a different blockchain,” wrote Elliptic. The FBI said last week that Lazarus was responsible for stealing $41 million in cryptocurrency from Stake.
Elliptic’s findings today corroborate those of on-chain sleuth ZachXBT, who on Wednesday said on Twitter that the CoinEx hacker had “accidentally connect their address” to the Stake hack.
It appears North Korea is also responsible for the $54M @coinexcom hack from yesterday after they accidentally connected their address to the $41M Stake hack on OP & Polygon.
— ZachXBT (@zachxbt) September 13, 2023
The hacker then moved stolen funds to Ethereum using a bridge previously used by Lazarus, before transferring them to a wallet address known to be controlled by the hacker. A substantial portion of funds originated from the Tron and Polygon blockchains.
According to Elliptic, Lazarus hackers also mixed funds with addresses that were seen during the Stake hack and used an address that was involved in the $100 million Atomic wallet hack in June.
“In light of this blockchain activity, and in the absence of information suggesting the CoinEx hack was conducted by any other threat group, Elliptic agrees that Lazarus Group should be suspected for the theft of funds from CoinEx,” researchers at the analytic firm said.
Other hacks in which Lazarus has been recently implicated include the crypto payments platform CoinsPaid in late June, and the crypto payment provider Alphapo in July. Elliptic noted that the group appears to be re-targeting centralized platforms as opposed to decentralized ones, possibly due to social engineering attacks being more feasible against such targets.
CoinEx put out an open letter to hackers on Friday requesting that they contact the company either via email or over the blockchain to negotiate a bug bounty and return of funds.