Category: Threat Actor Activity | Industry: Financial | Source: Elliptic

Escalating cyberattacks on the cryptocurrency sector by the North Korean threat group Lazarus have raised suspicions of its involvement in a fifth major attack, targeting CoinEx on September 12th, 2023. Researchers from Elliptic have attributed four attacks on crypto entities since June 3rd, 2023 to Lazarus, which together account for the theft of nearly "$240 million in crypto assets from Atomic Wallet ($100m), CoinsPaid ($37.3M), Alphapo ($60M), and Stake.com ($41M)."

Elliptic's analysis shows that some of the funds stolen from CoinEx passed through laundering infrastructure Lazarus has used for the proceeds of previous attacks, strengthening the suspicion that the group is behind this breach. Specifically, Elliptic "confirms that some of the funds stolen from CoinEx were sent to an address which was used by the Lazarus group to launder funds stolen from Stake.com, albeit on a different blockchain. Following this, the funds were bridged to Ethereum, using a bridge previously used by Lazarus, and then sent back to an address known to be controlled by the CoinEx hacker. Elliptic has observed this mixing of funds from separate hacks before from Lazarus, most recently when funds stolen from Stake.com overlapped with funds stolen from Atomic Wallet."
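The cross-hack overlap Elliptic describes (funds from a new theft touching an address already attributed to an earlier incident, crossing a bridge, then landing back at an actor-controlled address) is a check that a blockchain-analytics or exchange compliance team can automate over its own transfer data. The Python below is an added example and is not Elliptic's code or tooling; every chain name, address and transfer in it is constructed sample data, and the watchlist of previously attributed addresses is a hypothetical stand-in for a real intelligence feed.

```python
"""Trace outgoing fund flows from a theft address and flag (a) any address already
attributed to an earlier incident and (b) 'round trips' that pass through such an
address and end at another address controlled by the current actor.

All chains, addresses, amounts and attributions below are constructed sample data,
not real indicators."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Transfer:
    src_chain: str
    src: str
    dst_chain: str   # differs from src_chain for a bridge hop
    dst: str
    amount: float


# Constructed watchlist: (chain, address) -> incident the address was attributed to.
WATCHLIST = {
    ("chainA", "0xLAUNDER_1"): "incident_1_laundering",
    ("chainA", "0xBRIDGE_X"): "incident_1_bridge",
}

# Constructed flow: theft address -> hop -> watchlisted launder address -> known
# bridge -> Ethereum -> second actor-controlled address, plus an unrelated branch.
SAMPLE_TRANSFERS = [
    Transfer("chainA", "0xHACKER_A", "chainA", "0xHOP_1", 500.0),
    Transfer("chainA", "0xHOP_1", "chainA", "0xLAUNDER_1", 500.0),
    Transfer("chainA", "0xLAUNDER_1", "chainA", "0xBRIDGE_X", 480.0),
    Transfer("chainA", "0xBRIDGE_X", "ethereum", "0xRECV_ETH", 480.0),  # bridge hop
    Transfer("ethereum", "0xRECV_ETH", "ethereum", "0xHACKER_B", 480.0),
    Transfer("chainA", "0xHACKER_A", "chainA", "0xEXCHANGE_DEP", 20.0),
]
CONTROLLED = {("chainA", "0xHACKER_A"), ("ethereum", "0xHACKER_B")}  # hypothetical
START = ("chainA", "0xHACKER_A")


def build_graph(transfers):
    """Adjacency list keyed by (chain, address) of the sender."""
    graph = defaultdict(list)
    for t in transfers:
        graph[(t.src_chain, t.src)].append(t)
    return graph


def enumerate_paths(transfers, start, max_hops=8):
    """All simple paths (as lists of (chain, address) nodes) reachable from `start`
    by following outgoing transfers, bridge hops included, up to `max_hops`."""
    graph = build_graph(transfers)
    paths = []

    def dfs(node, path):
        paths.append(list(path))
        if len(path) - 1 >= max_hops:
            return
        for t in graph.get(node, []):
            nxt = (t.dst_chain, t.dst)
            if nxt in path:          # skip cycles
                continue
            path.append(nxt)
            dfs(nxt, path)
            path.pop()

    dfs(start, [start])
    return paths


def watchlist_hits(paths, watchlist):
    """Earliest hop at which each watchlisted node is reached, with the path to it."""
    hits = {}
    for p in paths:
        for hop, node in enumerate(p):
            if node in watchlist and (node not in hits or hop < hits[node]["hops"]):
                hits[node] = {"attributed_to": watchlist[node],
                              "hops": hop, "path": p[:hop + 1]}
    return hits


def round_trips(paths, watchlist, controlled):
    """Paths that pass through a watchlisted node and then end at an address the
    current actor controls: the 'sent back to the hacker' pattern."""
    found = []
    for p in paths:
        seen_watch = False
        for hop, node in enumerate(p):
            if node in watchlist:
                seen_watch = True
            elif seen_watch and node in controlled and hop == len(p) - 1:
                found.append(p)
    return found


if __name__ == "__main__":
    all_paths = enumerate_paths(SAMPLE_TRANSFERS, START)
    for node, hit in watchlist_hits(all_paths, WATCHLIST).items():
        print(f"{node} attributed to {hit['attributed_to']} at hop {hit['hops']}")
    for trip in round_trips(all_paths, WATCHLIST, CONTROLLED):
        print("round trip:", " -> ".join(f"{c}:{a}" for c, a in trip))
```

In a real deployment the transfer list would come from indexed chain data and the watchlist from an attribution feed; the path enumeration is deliberately exhaustive because the overlap of interest is often one branch among many, and a shortest-path search would hide a round trip that reaches a controlled address via a longer, watchlisted route.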

Comparing Lazarus' hacks in 2022 with those in 2023, Elliptic identified a shift in the group's focus from decentralized to centralized crypto services, evident from its recent attacks on centralized virtual asset service providers. This shift may be due to improved security measures in the decentralized sector and to the susceptibility of centralized exchanges to social engineering, given their larger workforces and centralized IT systems.

