{"id":84448,"date":"2023-09-13T16:03:02","date_gmt":"2023-09-13T13:03:02","guid":{"rendered":"https:\/\/forklog.com\/en\/?p=84448"},"modified":"2025-09-12T17:25:17","modified_gmt":"2025-09-12T14:25:17","slug":"experts-suspect-lazarus-group-hackers-of-coinex-breach-worth-55-million","status":"publish","type":"post","link":"https:\/\/forklog.com\/en\/experts-suspect-lazarus-group-hackers-of-coinex-breach-worth-55-million\/","title":{"rendered":"Experts suspect Lazarus Group hackers of CoinEx breach worth $55 million"},"content":{"rendered":"<p>SlowMist specialists speculated that the CoinEx exchange exploit may have been carried out by hackers from the North Korea-backed Lazarus Group.<\/p>\n<blockquote class=\"twitter-tweet\" data-lang=\"en\">\n<p lang=\"en\" dir=\"ltr\">SlowMist Security Alert<\/p>\n<p>1\/ <a href=\"https:\/\/twitter.com\/coinexcom?ref_src=twsrc%5Etfw\">@coinexcom<\/a> Exploiter, <a href=\"https:\/\/twitter.com\/Stake?ref_src=twsrc%5Etfw\">@Stake<\/a> Exploiter and <a href=\"https:\/\/twitter.com\/hashtag\/Alphapo?src=hash&#038;ref_src=twsrc%5Etfw\">#Alphapo<\/a> Exploiter may all have ties to the North Korean Hackers known as <a href=\"https:\/\/twitter.com\/hashtag\/LazarusGroup?src=hash&#038;ref_src=twsrc%5Etfw\">#LazarusGroup<\/a>. 
<\/p>\n<p>Here\u2019s how we came to that conclusion: <a href=\"https:\/\/t.co\/IGNldb2ZZJ\">https:\/\/t.co\/IGNldb2ZZJ<\/a> <a href=\"https:\/\/t.co\/SLGzSgbCis\">pic.twitter.com\/SLGzSgbCis<\/a><\/p>\n<p>\u2014 SlowMist (@SlowMist_Team) <a href=\"https:\/\/twitter.com\/SlowMist_Team\/status\/1701919426009035190?ref_src=twsrc%5Etfw\">September 13, 2023<\/a><\/p><\/blockquote>\n<p>On 12 September the CoinEx platform <a href=\"https:\/\/forklog.com\/en\/news\/coinex-confirms-hack-of-hot-wallets\">confirmed<\/a> an unauthorized outflow of assets from hot wallets, which <a href=\"https:\/\/forklog.com\/en\/news\/peckshield-analysts-detect-a-suspicious-outflow-of-funds-from-coinex\">PeckShield researchers had pointed to<\/a> earlier. The team paused deposits and withdrawals, launched an investigation and pledged 100% compensation to victims.<\/p>\n<p>SlowMist analyzed addresses associated with the CoinEx breach and found the estimated loss to be about $55.5 million.<\/p>\n<p>During the investigation they noted that some hacker wallets are marked as linked to recent attacks on the crypto payments provider Alphapo (<a href=\"https:\/\/forklog.com\/en\/news\/alphapo-hack-losses-estimated-at-60-million\">losses up to $60 million<\/a>) and the betting platform <a href=\"https:\/\/forklog.com\/en\/news\/unknown-actor-withdrew-more-than-40-million-from-stake-wallet\">Stake<\/a> (~$41 million).<\/p>\n<p>For example, funds from the CoinEx and Stake breaches were sent to an address on Polygon. 
An Ethereum wallet, labeled as belonging to the Alphapo exploiter, was involved in swaps of assets stolen from the payment provider and the betting platform.<\/p>\n<p>Given that the <span data-descr=\"FBI\" class=\"old_tooltip\">FBI<\/span> has previously <a href=\"https:\/\/forklog.com\/en\/news\/lazarus-hackers-blamed-for-stake-breach-worth-41-million\">linked the attack on Stake to the Lazarus Group<\/a>, it is quite likely that the North Korean hackers are behind all three incidents, experts said.<\/p>\n<blockquote class=\"twitter-tweet\" data-conversation=\"none\" data-lang=\"en\">\n<p lang=\"en\" dir=\"ltr\">5\/ Given that the FBI has previously linked the Stake Exploiter to the North Korean hackers Lazarus Group, it is plausible that all three exploiters \u2014 Alphapo, CoinEx, and Stake \u2014 may be associated with this group. <a href=\"https:\/\/t.co\/6GpKmXZemh\">pic.twitter.com\/6GpKmXZemh<\/a><\/p>\n<p>\u2014 SlowMist (@SlowMist_Team) <a href=\"https:\/\/twitter.com\/SlowMist_Team\/status\/1701919437744640220?ref_src=twsrc%5Etfw\">September 13, 2023<\/a><\/p><\/blockquote>\n<p>Earlier in 2023, the North Korea-backed hackers <a href=\"https:\/\/forklog.com\/en\/news\/north-korean-hackers-stole-more-than-180-million-in-cryptocurrencies-in-six-months\">stole $180 million<\/a> in cryptocurrencies.<\/p>\n<p>The total industry losses from their actions have reached <a href=\"https:\/\/forklog.com\/en\/news\/north-korea-earmarked-half-of-the-3-billion-stolen-in-crypto-hacks-for-its-nuclear-program\">$3 billion<\/a>. 
Half of this sum funded a programme to develop ballistic missiles.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>SlowMist specialists speculated that Lazarus Group, a North Korea-backed hacking group, may be behind the CoinEx breach.<\/p>\n","protected":false},"author":1,"featured_media":84449,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"select":"1","news_style_id":"1","cryptorium_level":"","_short_excerpt_text":"","creation_source":"","_metatest_mainpost_news_update":false,"footnotes":""},"categories":[3],"tags":[1425,44,1125,1202],"class_list":["post-84448","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-news-and-analysis","tag-coinex","tag-cybercrime","tag-lazarus","tag-north-korea-dprk"],"aioseo_notices":[],"amp_enabled":true,"views":"32","promo_type":"1","layout_type":"1","short_excerpt":"","is_update":"","_links":{"self":[{"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/posts\/84448","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/comments?post=84448"}],"version-history":[{"count":1,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/posts\/84448\/revisions"}],"predecessor-version":[{"id":84450,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/posts\/84448\/revisions\/84450"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/media\/84449"}],"wp:attachment":[{"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/media?parent=84448"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/categories?post=84448"},{"taxonomy":"post_tag","embeddable":true
,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/tags?post=84448"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}