Lazarus, a North Korean hacking group, has stolen approximately $240 million in cryptocurrency over the past 104 days. This information was revealed in a report by blockchain surveillance firm Elliptic, which identified Lazarus as the responsible party behind a series of major cryptocurrency hacks. The group’s activity has significantly intensified in recent months.
The most recent attack linked to Lazarus targeted the global cryptocurrency exchange CoinEx, resulting in an estimated loss of $54 million. Elliptic’s analysis found that the stolen funds from CoinEx were sent to an address previously used by the Lazarus group to launder funds stolen from the crypto casino Stake.com, although on a different blockchain. The FBI has previously attributed the theft of $41 million from Stake to Lazarus.
Elliptic’s findings align with those of on-chain investigator ZachXBT, who pointed out on Twitter that the CoinEx hacker accidentally connected their address to the Stake hack. Subsequently, the hacker moved the stolen funds to Ethereum using a bridge previously used by Lazarus, and then transferred them to a wallet address under the hacker’s control. A significant portion of the stolen funds originated from the Tron and Polygon blockchains.
Furthermore, Elliptic discovered that Lazarus hackers mixed the funds with addresses associated with the Stake hack and utilized an address involved in the $100 million Atomic Wallet hack in June. Based on the blockchain activity and the absence of evidence pointing to any other threat group, Elliptic concluded that the most likely culprit behind the CoinEx theft is the Lazarus Group.
Recent investigations have also connected Lazarus to additional hacks, including those targeting the crypto payments platform CoinsPaid in late June and the crypto payment provider Alphapo in July. Elliptic observed a shift in Lazarus’ focus towards centralized platforms rather than decentralized ones, possibly because social engineering attacks are more feasible against such targets.
In response to the attack, CoinEx released an open letter to the hackers, urging them to contact the company via email or through the blockchain to discuss a bug bounty and the return of the stolen funds. According to a report from Web3 bug bounty platform Immunefi, Web3 platforms have lost over $1.2 billion in hacks and rug pulls this year. The report identified 211 separate incidents contributing to this total, with $23.4 million in losses recorded in August alone.
Most of the surge in losses during August occurred within projects hosted on the newly launched Ethereum Layer 2 Base network. Ethereum faced the highest number of attacks, with five distinct incidents affecting protocols built on the network.