North Korean Hackers Suspected in $31 Million Cryptocurrency Theft from CoinEx Exchange

Experts at Elliptic, a cryptocurrency-tracking company, have identified North Korean hackers as the likely culprits behind the recent theft of $31 million in cryptocurrency from the CoinEx exchange.

Comparison with Previous Attacks

• Elliptic analysts compared the transactions involved in the CoinEx heist with previous attacks on Stake.com and Atomic Wallet.
• Both of these attacks were linked to the Lazarus Group, a North Korean government operation accused of funding illicit weapons programs.
• Elliptic confirmed that funds stolen from CoinEx were sent to an address previously used by the Lazarus Group to launder funds stolen from Stake.com.

Blockchain Activity

• The stolen CoinEx funds were traced through the Ethereum blockchain and eventually sent back to an address controlled by the hacker.
• Elliptic has observed similar mixing of funds from separate hacks by Lazarus in the past.
• Based on this blockchain activity and the absence of evidence pointing to another threat group, Elliptic agrees that Lazarus Group is the likely suspect in the CoinEx theft.

North Korean Cryptocurrency Theft

• The CoinEx theft is just a small part of the overall cryptocurrency thefts attributed to North Korea.
• According to Chainalysis, the value of stolen cryptocurrency associated with North Korea exceeds $340.4 million this year and was $1.65 billion in 2022.
• North Korean groups are increasingly using Russian-based exchanges to launder illicit crypto assets.

Focus on Centralized Platforms

• Lazarus Group has recently targeted centralized cryptocurrency platforms, with four out of five recent thefts attributed to them being centralized.
• Decentralized finance (DeFi) services are less vulnerable to Lazarus’ social-engineering attacks due to improved security and distributed authority.
• Centralized exchanges, on the other hand, have larger workforces and centralized IT services, making them more susceptible to social-engineering attacks.

By finding ways to obfuscate their actions, cybercriminals can try to evade detection in the publicly trackable blockchain transactions. However, the use of Russia-based exchanges by North Korean groups for money laundering has been identified by Chainalysis.

Overall, the evidence suggests that Lazarus Group, a North Korean government operation, is responsible for the theft of funds from CoinEx and other cryptocurrency platforms. The challenge for authorities and cybersecurity experts is to stay vigilant and continue tracking and preventing these cybercriminal activities.