CoinEx Heist: Unmasking North Korean Cyber Operatives in $54M Blockchain Raid

On Tuesday, malicious actors breached the security of a cryptocurrency exchange's hot wallet, which was designated for holding users' tokens.
According to investigations by blockchain expert ZachXBT, corroborated by Bitsday, the breach appears to be linked to North Korean hackers involved in a recent crypto exploit.
Initially estimated at $27 million, the breach at CoinEx exchange eventually grew to $54 million worth of tokens stolen from the platform. The higher figure emerged over the course of Wednesday, as details of numerous affected wallets came to light.
#CoinExResponseUpdate - We've identified the 3rd series of suspicious wallet addresses linked to the hack:
We are working nonstop to track down the hackers' addresses. Here are the recently identified addresses:
$BSC:
*0xC844F7178379782eC19F3EE6E399f2EB7b2b984F
$ARB:…
— CoinEx Global (@coinexcom) September 13, 2023
The attackers targeted an array of tokens, including ether (ETH), XRP, tron's TRX, MATIC, solana's SOL, kadena's KDA, and dagger's XDAG. They capitalized on a vulnerability within the exchange's wallet security protocols. CoinEx promptly disclosed over ten "suspicious" addresses spanning various networks such as Ethereum, BNB Chain, and Arbitrum, providing a trail for tracing the stolen tokens.
An examination of these wallets by blockchain analyst ZachXBT revealed that certain transactions were routed into wallets linked to a $41 million exploit on the crypto betting platform Stake earlier in the same month. These wallets are connected to the Lazarus group, a notorious hacking syndicate from North Korea known for targeting crypto-centric enterprises.
It appears North Korea is also responsible for the $54M @coinexcom hack from yesterday after they accidentally connected their address to the $41M Stake hack on OP & Polygon.
0x75497999432b8701330fb68058bd21918c02ac59
— ZachXBT (@zachxbt) September 13, 2023
Furthermore, one specific address appears to have received funding directly from the Stake attacker earlier in the week, followed by an influx of tokens from the CoinEx breach.
Meanwhile, on Wednesday, CoinEx sought to reassure its user base, asserting that the impacted funds constituted a relatively modest fraction of the aggregate user holdings. The exchange emphasized that all remaining assets on the platform were under tight security.
Data shows that CoinEx, registered in Samoa, handled trades surpassing $22 million across 730 available trading pairs within the preceding 24 hours.


