North Korea’s Lazarus Group Has Stolen $240M in Crypto in Just 104 Days: Elliptic

Blockchain surveillance firm Elliptic published a report Friday detailing the exploits of notorious North Korean hacking group Lazarus, which has been “ramping up” activity in recent months.

The organization has been linked to five major crypto hacks over the past three months. The latest, according to blockchain data, was the global cryptocurrency exchange CoinEx, which was hacked earlier this week for a now-estimated $54 million. All in all, Elliptic estimates that North Korea’s Lazarus is responsible for the theft of almost $240 million in crypto in just the past 104 days.

“Elliptic analysis confirms that some of the funds stolen from CoinEx were sent to an address which was used by the Lazarus group to launder funds stolen from the Drake-backed crypto casino, albeit on a different blockchain,” wrote Elliptic. The FBI said last week that Lazarus was responsible for stealing $41 million in cryptocurrency from Stake.

Elliptic’s findings today corroborate those of on-chain sleuth ZachXBT, who on Wednesday said on Twitter that the CoinEx hacker had “accidentally connected their address” to the Stake hack.

The hacker then moved stolen funds to Ethereum using a bridge previously used by Lazarus, before transferring them to a wallet address known to be controlled by the hacker. A substantial portion of funds originated from the Tron and Polygon blockchains.

According to Elliptic, Lazarus hackers also mixed funds with addresses that were seen during the Stake hack and used an address that was involved in the $100 million Atomic Wallet hack in June.

“In light of this blockchain activity, and in the absence of information suggesting the CoinEx hack was conducted by any other threat group, Elliptic agrees that Lazarus Group should be suspected for the theft of funds from CoinEx,” researchers at the analytic firm said.

Other hacks in which Lazarus has been recently implicated include those of the crypto payments platform CoinsPaid in late June and the crypto payment provider Alphapo in July. Elliptic noted that the group appears to be re-targeting centralized platforms as opposed to decentralized ones, possibly because social engineering attacks are more feasible against such targets.

CoinEx put out an open letter to hackers on Friday requesting that they contact the company either via email or over the blockchain to negotiate a bug bounty and return of funds.
