{"id":75726,"date":"2023-03-17T12:35:50","date_gmt":"2023-03-17T10:35:50","guid":{"rendered":"https:\/\/forklog.com\/en\/?p=75726"},"modified":"2025-09-10T13:16:46","modified_gmt":"2025-09-10T10:16:46","slug":"euler-finance-hacker-wallet-sent-100-eth-to-lazarus-group-address","status":"publish","type":"post","link":"https:\/\/forklog.com\/en\/euler-finance-hacker-wallet-sent-100-eth-to-lazarus-group-address\/","title":{"rendered":"Euler Finance hacker wallet sent 100 ETH to Lazarus Group address"},"content":{"rendered":"<p>The Euler Finance hacker wallet sent 100 ETH to the Lazarus Group address linked to <a href=\"https:\/\/forklog.com\/en\/news\/ronin-the-ethereum-sidechain-hacked-attacker-siphons-625-million\">attack on the Ronin network<\/a> in March 2022. Lookonchain experts said.<\/p>\n<blockquote class=\\\"twitter-tweet\\\" data-lang=\\\"en\\\">\n<p dir=\\\"ltr\\\" lang=\\\"en\\\">Euler Finance Exploiter transferred 100 <a href=\\\"https:\/\/twitter.com\/search?q=%24ETH&#038;src=ctag&#038;ref_src=twsrc%5Etfw\\\">$ETH<\/a> to Ronin Bridge Exploiter(stole 173,600 <a href=\\\"https:\/\/twitter.com\/search?q=%24ETH&#038;src=ctag&#038;ref_src=twsrc%5Etfw\\\">$ETH<\/a> and 25.5M <a href=\\\"https:\/\/twitter.com\/search?q=%24USDC&#038;src=ctag&#038;ref_src=twsrc%5Etfw\\\">$USDC<\/a>).<\/p>\n<p>Ronin Bridge Exploiter was listed by <a href=\\\"https:\/\/twitter.com\/hashtag\/OFAC?src=hash&#038;ref_src=twsrc%5Etfw\\\">#OFAC<\/a> as Lazarus Group \u2013 the North Korean state hacking group.<\/p>\n<p>Are the two hackers the same person or was it intentional? <a href=\\\"https:\/\/t.co\/aPzOkSlXb6\\\">pic.twitter.com\/aPzOkSlXb6<\/a><\/p>\n<p>\u2014 Lookonchain (@lookonchain) <a href=\\\"https:\/\/twitter.com\/lookonchain\/status\/1636586003174678528?ref_src=twsrc%5Etfw\\\">March 17, 2023<\/a><\/p><\/blockquote>\n<p> <script async=\\\"\\\" src=\\\"https:\/\/platform.twitter.com\/widgets.js\\\" charset=\\\"utf-8\\\"><\/script><\/p>\n<p>In April 2022, the U.S. Treasury&#8217;s Office of Foreign Assets Control added the hacker group, reportedly linked to the North Korean government, <a href=\"https:\/\/forklog.com\/en\/news\/ethereum-address-linked-to-lazarus-group-sanctioned-by-us-hackers-tied-to-ronin-attack\">to the sanctions list<\/a>. Chainalysis analysts confirmed that the address named by authorities was involved in the Ronin hack. The incident, with damages of about $625 million, was the largest for the DeFi sector.<\/p>\n<p>In June there was a <a href=\"https:\/\/forklog.com\/en\/news\/hacker-steals-about-100-million-in-harmonys-horizon-cross-chain-bridge-attack\">attack on the Horizon cross-chain bridge<\/a> of the Harmony protocol for $100 million. The <span data-descr=\\\"FBI\\\" class=\\\"old_tooltip\\\">FBI<\/span> <a href=\"https:\/\/forklog.com\/en\/news\/fbi-accuses-lazarus-group-and-apt38-of-hacking-the-horizon-cross-chain-bridge-on-the-harmony-protocol-for-100-million\">accused of the hack<\/a> North Korean groups Lazarus and APT38. Analysts at Elliptic had previously <a href=\"https:\/\/forklog.com\/en\/news\/elliptic-lazarus-hackers-may-be-behind-horizon-attack\">reached<\/a> the same conclusion.<\/p>\n<p>In March 2023, the attacker illicitly withdrew <a href=\"https:\/\/forklog.com\/en\/news\/euler-finance-hacked-for-196-million\">assets worth more than $196 million<\/a> from the Euler Finance DeFi platform.<\/p>\n<p>Lookonchain experts noted that the transaction between the exploit wallet and Lazarus does not necessarily indicate their identity. The hacker could have carried out the transfer deliberately to mislead investigators.\u00a0<\/p>\n<p>Euler Finance staff after the incident <a href=\"https:\/\/forklog.com\/en\/news\/euler-finance-team-blocks-vulnerable-module\">blocked the vulnerable EToken module<\/a>, reached out to law enforcement and to Chainalysis and TRM Labs for assistance in the investigation. The project demanded that the hacker <a href=\"https:\/\/forklog.com\/en\/news\/euler-finance-team-demands-hacker-return-90-of-stolen-funds\">return 90% of the stolen funds<\/a>. The company warned that, should this not happen, a reward of $1 million would be offered for any information leading to his arrest.\u00a0\u00a0<\/p>\n<p>A few hours after the proposal, the hacker <a href=\"https:\/\/forklog.com\/en\/news\/hacker-behind-euler-finance-breach-sent-2-5-million-to-tornado-cash\">sent cryptocurrency worth about $2.5 million<\/a> to the mixer <a href=\"https:\/\/forklog.com\/en\/news\/what-is-the-tornado-cash-mixer-and-why-was-it-sanctioned\">Tornado Cash<\/a>. However, he responded to a request from one user to return the lost 78 ETH. The latter called the funds &#8216;vital savings&#8217;. In response, he <a href=\"https:\/\/forklog.com\/en\/news\/hacker-who-breached-euler-finance-has-returned-stolen-funds-to-user\">received 100 ETH<\/a>.<\/p>\n<p>The CEO of Euler Labs, Michael Bentley, described the days after the protocol&#8217;s exploit as &#8216;the hardest&#8217; of his life. He said he would &#8216;never forgive&#8217; the hacker for depriving him of time with his newborn son.<\/p>\n<blockquote class=\\\"twitter-tweet\\\" data-conversation=\\\"none\\\" data-lang=\\\"en\\\">\n<p dir=\\\"ltr\\\" lang=\\\"en\\\">The time immediately after an attack is crucial and I\u2019ve done everything I can to support the recovery process. I\u2019ve had to sacrifice time with my newborn son. I\u2019ll never forgive the attacker for that, but they can put things right and return funds to the EulerDAO Treasury ASAP.<\/p>\n<p>\u2014 Michael Bentley (@euler_mab) <a href=\\\"https:\/\/twitter.com\/euler_mab\/status\/1636411173460656128?ref_src=twsrc%5Etfw\\\">March 16, 2023<\/a><\/p><\/blockquote>\n<p> <script async=\\\"\\\" src=\\\"https:\/\/platform.twitter.com\/widgets.js\\\" charset=\\\"utf-8\\\"><\/script><\/p>\n<p>Bentley confirmed that the protocol\u2019s code has undergone ten audits over two years of operation. Experts Halborn, Solidified, ZK Labs, Certora, Sherlock and Omnisica found no issues during their checks.<\/p>\n<blockquote class=\\\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\\\">\n<p>\u00abEuler \u0432\u0441\u0435\u0433\u0434\u0430 \u0431\u044b\u043b \u043f\u0440\u043e\u0435\u043a\u0442\u043e\u043c, \u043e\u0440\u0438\u0435\u043d\u0442\u0438\u0440\u043e\u0432\u0430\u043d\u043d\u044b\u043c \u043d\u0430 \u0431\u0435\u0437\u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u044c\u00bb, \u2014 \u0437\u0430\u0432\u0435\u0440\u0438\u043b \u0433\u043b\u0430\u0432\u0430 \u043a\u043e\u043c\u043f\u0430\u043d\u0438\u0438.<\/p>\n<\/blockquote>\n<p>He reminded of the $1 million reward for information about the attacker.<\/p>\n<blockquote class=\\\"twitter-tweet\\\" data-lang=\\\"en\\\">\n<p dir=\\\"ltr\\\" lang=\\\"en\\\">Today the Euler Foundation is launching a $1M reward in the hope that this provides additional incentive for information that leads to the Euler protocol attacker\u2019s arrest and the return of all funds extracted by the attacker.<\/p>\n<p>\u2014 Euler Labs (@eulerfinance) <a href=\\\"https:\/\/twitter.com\/eulerfinance\/status\/1636126837423366145?ref_src=twsrc%5Etfw\\\">March 15, 2023<\/a><\/p><\/blockquote>\n<p> <script async=\\\"\\\" src=\\\"https:\/\/platform.twitter.com\/widgets.js\\\" charset=\\\"utf-8\\\"><\/script><\/p>\n<p>In 2023 alone, Binance and Huobi froze and <a href=\"https:\/\/forklog.com\/en\/news\/binance-and-huobi-froze-2-58-million-in-btc-linked-to-the-harmony-one-hack\">restored access to $2.58 million<\/a> in Bitcoin linked to the Harmony hack. Norwegian authorities <a href=\"https:\/\/forklog.com\/en\/news\/norwegian-authorities-seize-5-9-million-stolen-from-axie-infinitys-ronin-sidechain\">seized $5.9 million<\/a> stolen from Ronin.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>The Euler Finance DeFi protocol hacker wallet sent 100 ETH to the Lazarus Group address linked to the Ronin network attack in March 2022. Lookonchain experts reported.<\/p>\n","protected":false},"author":1,"featured_media":75727,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"select":"1","news_style_id":"1","cryptorium_level":"","_short_excerpt_text":"","creation_source":"","_metatest_mainpost_news_update":false,"footnotes":""},"categories":[3],"tags":[44,1125],"class_list":["post-75726","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-news-and-analysis","tag-cybercrime","tag-lazarus"],"aioseo_notices":[],"amp_enabled":true,"views":"16","promo_type":"1","layout_type":"1","short_excerpt":"","is_update":"","_links":{"self":[{"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/posts\/75726","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/comments?post=75726"}],"version-history":[{"count":1,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/posts\/75726\/revisions"}],"predecessor-version":[{"id":75728,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/posts\/75726\/revisions\/75728"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/media\/75727"}],"wp:attachment":[{"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/media?parent=75726"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/categories?post=75726"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/tags?post=75726"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}