Blockchain analysts suspect North Korea-linked hackers behind $70 million crypto theft

Blockchain researchers say North Korea-linked hackers are likely behind a $70 million theft from crypto exchange CoinEx.

CoinEx, which says it is based in Hong Kong, said on Tuesday on social media platform X, formerly known as Twitter, that wallets used to store the exchange’s crypto assets had been hacked. It said on Friday it estimates its losses at $70 million, which it said is a “small portion” of its total assets.

Blockchain research firm Elliptic said that “a number of factors” indicate that the Lazarus Group – a hacker group associated with North Korea – was responsible for the attack.

CoinEx has not said who it believes was behind the attack, although it has told Reuters it is aware that some security firms have claimed cyber-espionage teams linked to North Korea were to blame.

“The hacker’s identity remains under investigation,” CoinEx told Reuters via email early on Friday. CoinEx did not respond to a Reuters comment request sent via email later on Friday, outside of Hong Kong hours, about Elliptic’s research, which was published in a blog post.

Elliptic said that some of the funds stolen from CoinEx were sent to a crypto wallet address which had previously been used by the Lazarus Group to launder stolen funds. The funds were also sent to the Ethereum blockchain using a blockchain “bridge” – a way of transferring funds between different blockchains – which had also previously been used by the Lazarus Group.

North Korea’s mission to the United Nations in New York did not respond to a Reuters comment request sent via email.

Another blockchain research firm, Chainalysis, told Reuters on Thursday it had “medium-high confidence” that North Korea was behind the attack.

Elliptic said the Lazarus Group “appears to have recently ramped up its operations”, stealing around $240 million worth of crypto assets in four separate attacks since the beginning of June, in addition to the CoinEx attack.

North Korea stepped up its cryptocurrency theft last year, using sophisticated techniques to steal more in 2022 than in any other year, according to a United Nations report. Sanctions monitors have previously accused North Korea of using cyberattacks to help fund its nuclear and missile programs.

North Korea has previously denied allegations of hacking or other cyberattacks.