A hack of crypto exchange CoinEx’s hot wallets has led to a loss of about $70 million in assorted asset types. The data breach was reportedly caused by compromised private keys, and some independent security analysts have noted clues that point to North Korea’s Lazarus group, though CoinEx’s team may have a different read on the situation, as the exchange is offering the culprits a “bug bounty” for return of the funds.
Crypto exchange reserve assets hit, user accounts not compromised
The funds stolen from the crypto exchange are entirely from CoinEx-owned hot wallets used as reserves; platform users are not impacted. Though there is no indication at present that this will be an issue, any users that suffer a loss due to the data breach will be “100% compensated” according to a CoinEx statement.
The data breach began on September 12, with several thousand dollars’ worth of ETH being extracted. This gradually led to extraction of over $20 million in ETH, $10 million in TRON, and $6 million in both BSC and Bitcoin, among other asset types. The crypto exchange had a total of about $115 million on hand in these hot wallets, and the remaining funds were transferred to cold wallets for safekeeping.
CoinEx has not yet released much in the way of detail about the data breach, but has promised a full report at some point in the near future. The company issued a statement, most recently updated on September 15, that indicates an investigation is ongoing. Crypto exchange services, including deposits and withdrawals, were temporarily shut down as the wallet system was rebuilt. Services are being incrementally re-introduced as the rebuild, which includes some 211 chains and 737 coins, continues. CoinEx is also contacting other crypto exchanges to request that they freeze stolen assets.
In addition to the lack of detail about the data breach, CoinEx has yet to provide any information about a possible culprit. But some independent security researchers have noted that one of the wallets used to receive stolen funds was used in a previous theft by North Korea’s Lazarus group. The state-backed hacking team now has a long reputation of raiding crypto exchanges as a source of funding for the “hermit kingdom’s” heavily sanctioned government, and has used very sophisticated methods to do so.
The only element thus far that throws some doubt on the Lazarus theory is that the crypto exchange has offered a bug bounty reward for return of the stolen funds. If Lazarus really is involved, it is extremely unlikely it would respond to this. CoinEx might be seeing something internally that points in another direction, or it may simply be a desperation play that doesn’t have any up-front cost.
Data breach lines up with string of Lazarus thefts
The pattern certainly fits with the Lazarus approach of roughly the last two years, as the group has been on a spree of attacking crypto exchanges and generally finds ways to get hold of private keys during its adventures. The group’s initial approach is usually to spearphish a target that has some sort of public profile it can draw useful information from, and these attacks have been extremely creative at times; during the Ronin Bridge data breach, they contacted an engineer via LinkedIn with a fake job opportunity and went through several interview steps.
The group began making news for its large and brazen thefts in early 2022, but is also thought to be responsible for a recent string of crypto exchange attacks that unfolded over the summer: this included $60 million from Alphapo, $41 million from Stake.com, $37 million from CoinsPaid, $35 million from Atomic Wallet, along with some smaller data breaches. In the CoinsPaid heist, Lazarus successfully returned to its fake job interview approach to compromise an employee.
If Lazarus is indeed behind the CoinEx data breach, it is probably not going to be interested in the offer of a “generous bug bounty” that the crypto exchange announced over the weekend. The platform’s standard program only offers a maximum of $10,000, but CoinEx has invited the hackers to negotiate for presumably a much larger amount.
CoinEx had not previously been hacked, and even made its unblemished data breach record the subject of a self-promotional blog post not long ago. The crypto exchange was founded in 2017 by Haipo Yang, who also founded mining pool ViaBTC and has been incarcerated by the Chinese government at least twice since 2018. The arrests were for reasons that remain undisclosed, but that are possibly related to the Cyberspace Administration of China’s new (and much more stringent) regulations for blockchain firms and overseas financial offerings, which were introduced at about the time of his first disappearance.