
Crypto Sleuth Attributes the Alphapo Crypto Theft to North Korean Hackers, Raises the Amount Stolen to $60 Million

A blockchain sleuth has attributed the July 23 Alphapo crypto theft to state-affiliated North Korean hackers.

Crypto investigator ZachXBT also discovered an additional $37 million, bringing the crypto heist to $60 million, more than twice the amount officially reported ($23 million).

Alphapo is a payment processor offering crypto payments for gambling platforms such as Hypedrop, Ignition, and Bovada, gaming sites, and e-commerce stores.

Additional TRON and Bitcoin stolen in Alphapo crypto theft

Blockchain analysts have suggested that the alleged Alphapo crypto theft originated from a leak of private keys. During the incident, suspected North Korean hackers stole over 6 million USDT, 108,000 USDC, 100.2 million FTN, 430,000 TFL, 2,500 ETH, and 1,700 DAI.

The digital assets were drained from Alphapo hot wallets before they were swapped for ETH and then bridged to the Avalanche and Bitcoin blockchains and deposited in Sinbad, a crypto mixer popular with North Korean hackers.
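The flow described above (hot wallet drain, swap, bridge, mixer deposit) is the pattern a defender's wallet-monitoring job should be able to surface on its own. The following is an added illustration, not code from the article or from ZachXBT: it walks a constructed set of transfers outward from a set of hot-wallet addresses and reports any path that ends at a known mixer deposit address, labelling each hop as a plain transfer, a swap, a bridge, or a mixer deposit. All addresses, labels and amounts are placeholders invented for the example; real monitoring would feed it transfers pulled from a node or indexer.

```python
"""Trace constructed transfers from compromised hot wallets to a mixer deposit address.

Added example, not part of the original article. Addresses and amounts below are
constructed placeholders, not real on-chain data.
"""
from collections import deque

# Assumed address sets (placeholders). A real deployment would maintain these from
# the organisation's own key inventory and from curated labels for DEXes, bridges and mixers.
HOT_WALLETS = {"alphapo_hot_1", "alphapo_hot_2"}  # the payment processor's hot wallets
KNOWN_DEXES = {"dex_router_Y"}                   # swap venues
KNOWN_BRIDGES = {"bridge_contract_X"}             # cross-chain bridges
KNOWN_MIXERS = {"mixer_deposit_A"}                # mixer deposit address

# Constructed transfer log: (from, to, asset, amount).
TRANSFERS = [
    ("alphapo_hot_1", "attacker_1", "USDT", 6_000_000),   # drain from hot wallet 1
    ("alphapo_hot_2", "attacker_1", "ETH", 2_500),        # drain from hot wallet 2
    ("attacker_1", "dex_router_Y", "USDT", 6_000_000),    # swap stablecoins for ETH
    ("dex_router_Y", "attacker_1", "ETH", 3_200),
    ("attacker_1", "bridge_contract_X", "ETH", 5_700),    # bridge out
    ("bridge_contract_X", "attacker_2", "BTC", 210),
    ("attacker_2", "mixer_deposit_A", "BTC", 210),        # mixer deposit
    ("unrelated_1", "unrelated_2", "ETH", 1),             # noise, never reached
]


def build_graph(transfers):
    """Adjacency list keyed by sender: sender -> [(receiver, asset, amount), ...]."""
    graph = {}
    for src, dst, asset, amount in transfers:
        graph.setdefault(src, []).append((dst, asset, amount))
    return graph


def drained_by_asset(transfers, sources):
    """Total outflow per asset leaving the monitored hot wallets."""
    totals = {}
    for src, _dst, asset, amount in transfers:
        if src in sources:
            totals[asset] = totals.get(asset, 0) + amount
    return totals


def trace_to_mixers(transfers, sources, mixers, max_hops=8):
    """Breadth-first walk from the hot wallets; returns every address path that ends at a mixer.

    Each intermediate address is expanded once, so the swap's return edge to attacker_1
    does not loop. max_hops bounds how far the trace follows funds.
    """
    graph = build_graph(transfers)
    found = []
    queue = deque((s, [s]) for s in sorted(sources))  # sorted for deterministic output
    seen = set()
    while queue:
        node, path = queue.popleft()
        if len(path) > max_hops:
            continue
        for dst, _asset, _amount in graph.get(node, []):
            new_path = path + [dst]
            if dst in mixers:
                found.append(new_path)   # record, but do not expand past the mixer
                continue
            if dst in seen:
                continue
            seen.add(dst)
            queue.append((dst, new_path))
    return found


def describe_path(path, bridges, dexes, mixers):
    """Label each hop by the kind of address the funds landed on."""
    labels = []
    for dst in path[1:]:
        if dst in mixers:
            labels.append("mixer")
        elif dst in bridges:
            labels.append("bridge")
        elif dst in dexes:
            labels.append("swap")
        else:
            labels.append("transfer")
    return labels


if __name__ == "__main__":
    print("drained:", drained_by_asset(TRANSFERS, HOT_WALLETS))
    for p in trace_to_mixers(TRANSFERS, HOT_WALLETS, KNOWN_MIXERS):
        print(" -> ".join(p), describe_path(p, KNOWN_BRIDGES, KNOWN_DEXES, KNOWN_MIXERS))
```

On the constructed data the trace reports a single path from `alphapo_hot_1` through the bridge to the mixer deposit, which is the alert a monitoring job would raise; the second hot wallet's outflow merges into the same attacker address and is therefore covered by the same path. The point for a payment processor is that a mixer or bridge showing up within a few hops of a hot wallet is a strong signal well before a public sleuth publishes the attribution.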

Additionally, the suspected North Korean hackers stole $37 million of TRON and Bitcoin (BTC), pushing the total amount lost in the Alphapo hack to $60 million, according to ZachXBT.

Upon discovery, Alphapo transferred deposits and withdrawals to new addresses and imposed additional verifications on transactions on the old addresses. Despite the discovery, the total amount lost in the Alphapo crypto theft was still unknown and potentially larger than reported.

Alphapo crypto theft attributed to North Korean hackers

The on-chain sleuth attributed the crypto theft to the North Korean hacking group Lazarus Group, which has close ties to the Pyongyang government.

“This hack appears to likely have been done by Lazarus as they create a very distinct fingerprint on-chain,” ZachXBT said.

So far, no cybersecurity company, blockchain analysis firm, or government agency has confirmed North Korea’s involvement in Alphapo crypto theft.

However, the North Korean hacker group has been linked to similar hacks, including the Atomic Wallet crypto theft ($35 million), the Harmony Bridge hack ($100 million), the Nomad hack ($190 million), and one of the biggest crypto thefts, the Axie Infinity crypto heist estimated at over $625 million.

According to blockchain analysis firm Ellipsis, the state-sponsored group has stolen over $1.2 billion between 2017 and 2022.

Lazarus targets crypto exchange platform employees with fake lucrative job adverts and convinces them to install malicious software that steals access keys.

In April 2022, the FBI, CISA, and the U.S. Treasury Department issued a joint Cybersecurity Advisory about Lazarus targeting blockchain companies. The TraderTraitor malware campaign targeted “cryptocurrency exchanges, decentralized finance (DeFi) protocols, play-to-earn cryptocurrency video games, cryptocurrency trading companies, venture capital funds investing in cryptocurrency, and individual holders of large amounts of cryptocurrency or valuable non-fungible tokens (NFTs).”

The North Korean hackers employed spear-phishing tactics to trick cryptocurrency employees in system administration and DevOps into installing malware. The initial infection gives them access to the victims’ computers, from which they propagate malware, steal security keys, and exploit other security vulnerabilities.

Similarly, the FBI and CISA warned about North Korean hackers deploying AppleJeus malware disguised as trading platforms to compromise cryptocurrency exchanges and financial services companies in 2021.

According to the United Nations, crypto theft is an “important revenue source” for North Korea’s ballistic missile programs.