
KEY POINTS

  • This month, the FBI confirmed that Lazarus was also behind the Stake hack
  • An on-chain sleuth said CoinEx hackers 'accidentally connected their address to the $41M Stake hack on OP & Polygon'
  • CoinEx assured its customers that their 'assets are secure and untouched'

The attack on the cryptocurrency exchange platform CoinEx, which drained over $55 million in funds, was executed by the notorious cybercrime group Lazarus.

Just days after the U.S. Federal Bureau of Investigation (FBI) identified the North Korean-backed cybercrime team Lazarus as the hacking group responsible for the over $40 million heist of the crypto-betting platform Stake, blockchain security firm SlowMist and on-chain investigator ZachXBT confirmed that the same group was also behind the recent CoinEx hack.

In a Wednesday post on X, SlowMist said that the actors behind the recent CoinEx hack may have ties with Lazarus, based on its on-chain data analysis and its tracking of the actors' wallet addresses.

While the malicious actors moved the stolen funds through a myriad of networks, the blockchain security firm was able to pinpoint overlapping addresses across the hacks of Stake, crypto payment platform Alphapo, and CoinEx.

"Alphapo Exploiter (TDrs...WVjr) swapped TRX for ETH and bridged to the address (0x22be3b0a943b1bc0ea3aec2cb3ef511f3920a98d) via TransitSwap, so the address(0x22b...98d) is tagged as Alphapo Exploiter on the ETH chain," SlowMist revealed.

"The exploiter(0x22b...98d) is tagged as Alphapo Exploiter on the ETH chain and is also tagged as Stake Exploiter on the BSC chain. This suggests that the address is being used for two exploits," it said in a follow-up post.

"The address(0x754...c59) is tagged as CoinEx Exploiter on the ARB and OP chains, and as Stake Exploiter on the Polygon chain. This suggests that the address is being used for two exploits," the security firm said.

"Given that the FBI has previously linked the Stake Exploiter to the North Korean hackers Lazarus Group, it is plausible that all three exploiters - Alphapo, CoinEx, and Stake - may be associated with this group," SlowMist said.

On-chain sleuth ZachXBT also made a similar discovery about the CoinEx hacker.

"It appears North Korea is also responsible for the $54M @coinexcom hack from yesterday after they accidentally connected their address to the $41M Stake hack on OP & Polygon," he said in a post.

SlowMist also conducted a "statistical analysis of the balance of the hacker's addresses" and revealed that "more hacker address balances were merged, and the total number of stolen funds was updated to ~$55.5M."

The multi-million dollar hack on CoinEx took place after the FBI identified Lazarus as the perpetrator behind the over $40 million Stake hack.

"The FBI has confirmed that this theft took place on or about September 4, 2023, and attributes it to the Lazarus Group (also known as APT38) which is comprised of DPRK cyber actors," the bureau said in a press release.

Following the hack, CoinEx assured its customers that their "assets are secure and untouched," adding that "affected parties will receive 100% compensation for any loss due to this breach."