On Tuesday, September 12, 2023, the cryptocurrency exchange CoinEx announced a security breach of its hot wallets on the official social media channel, pertaining to several alarms from blockchain sources.

Urgent Notice: Security Incident on CoinEx – Immediate Actions Underway

On September 12, 2023, our Risk Control System detected anomalous withdrawals from several hot wallet addresses used to store CoinEx’s exchange assets. Promptly recognizing the gravity of the situation, we…

— CoinEx Global (@coinexcom) September 12, 2023

The target company confirmed in the post that they are aware of unauthorized transactions involving several cryptocurrency coins and tokens, including but not limited to ETH, TRON, and MATIC. They further emphasized that their customer assets are untouched, promising full compensation to any parties impacted by this unfortunate event. 

CoinEx Overview

CoinEx, founded in December 2017, has since established itself as a prominent cryptocurrency exchange. The company expanded globally and currently boasts support for a vast array of cryptocurrencies and tokens, exceeding 700 in number. 

CoinEx has also earned a reputation for offering a wide suite of services, catering to various crypto needs, including:

• Dedicated Wallet Services
• Spot Trading
• Margin Trading
• Futures Trading
• Staking

CoinEx’s success can also be attributed to its proactive approach to security and transparency with its users. In a detailed article, CoinEx had previously outlined its intricate strategy toward combating vulnerabilities and adopting lessons learned from the mistakes of other platforms.

They recognize that many crypto exchange hacks occur due to vulnerabilities in risk management technology and defense systems and share how the exchange has invested in strengthening its risk management technology and defense mechanisms. This includes isolating cold wallets from hot wallets and implementing multi-signature protection.

For instance, CoinEx has partnered with cybersecurity experts at Hacken to conduct rigorous functionality tests, penetration tests, and pressure tests. Simultaneously, they have bolstered their security measures by launching a global bug bounty program in collaboration with SlowMist Technology. 

The Breach

On September 12, 2023, hackers revealed that the steps CoinEx took to secure its platform were inadequate. The attack vector utilized by the perpetrators behind the CoinEx incident is still under investigation. However, they managed to gain unauthorized access to the company’s hot wallets. This access enabled the hacker to carry out unauthorized transactions, resulting in the theft of approximately $70 million worth of various cryptocurrencies and tokens.

Hot wallets are wallets that retain an internet connection to function. Cryptocurrency service providers utilize them to provide fast services such as active trading. They are more vulnerable to attack than cold wallets, which, on the contrary, are not connected to the internet and are used to store long-term holdings.

Inside the attack

Using QLUE™, the cutting-edge blockchain investigation tool, our team at Blockchain Intelligence Group investigated the public CoinEx addresses to determine the amount of stolen funds and follow their path, constructing the insightful QLUE™ graph below. 

QLUE™ graph tracing the stolen funds from CoinEx wallets to the hacker wallets.

The QLUE™ graph reveals 12 addresses involved in consolidating the proceeds from the CoinEx hack. 

The graph displays only the transactions that occurred on the blockchains (ETH, BTC, Tron, XRP, XLM, BCH, BSC, LTC, DOGE, ETC). As more wallet addresses associated with CoinEx are divulged and more blockchains are investigated, the total amount of stolen funds may increase.

In the following hours, 5 of the addresses belonging to the hacker acted as intermediary addresses to multiple new addresses, transferring approximately $35.7 million in different cryptocurrency coins and tokens.

QLUE™ graph tracking the movement from the hacker wallets to new consolidation addresses

Connecting the Dots 

The intrigue deepens as we unveil a remarkable connection between the CoinEx Exchange hack and a previous cyberattack on Stake.com Exchange. Specifically, our analysis traced 180,000 MATIC (US $90,000) tokens, previously associated with the Lazarus Group’s attack on Stake.com, to a specific address on the Polygon blockchain, bearing the unique address 0x75497999432b8701330fb68058bd21918c02ac59.

This 0x75497999432b8701330fb68058bd21918c02ac59 address is far from ordinary. It actively participates in multiple blockchain networks, including Ethereum, Optimism, and Polygon. The reason behind this interconnectedness lies in the nature of Ethereum Virtual Machine (EVM)-compatible chains. An address on one EVM-compatible chain shares the same private key across all others, a key fact that lays the groundwork for the revelation that follows.

Custom-built QLUE™ graph illustrating the connection between Stake.com and CoinEx hacks

As we examine the flow of funds associated with this address. On September 13, 2023, the 0x75497999432b8701330fb68058bd21918c02ac59 address received a transfer of 11.4 ETH on the Optimism blockchain. These funds, as it turns out, were proceeds from the CoinEx Exchange hack. The same address proceeded to send 5 ETH to an identical address on the Ethereum blockchain, employing the Hop protocol.

Although yet to be officially announced, these intricate transactions leave little room for doubt that the North Korean Lazarus Group, already implicated in the Stake.com Exchange hack, is the culprit behind CoinEx’s breach.

CoinEx has taken a number of steps to respond to the hack. The exchange has suspended all withdrawals and deposits, and it is working with law enforcement to track down the hacker. CoinEx has also said that it will be compensating all affected users.

In addition, CoinEx has pledged to improve its security measures. The exchange says that it will be conducting a full security audit and that it will be implementing additional security measures to prevent future hacks.

North Korean Hackers’ Criminal Activities Net $400 Million in 2023

The evidence gathered by QLUE™ paints a clear picture of this malicious actor’s involvement in orchestrating not just one but numerous high-profile breaches of exchanges and cryptocurrency service providers, hurting the crypto industry for approximately $400 million in 2023.

Bill Callahan, Director of Government and Strategic Affairs for Blockchain Intelligence Group, comments:

“National Security and Law Enforcement personnel in the West should expect to see more attacks like this by the Lazarus Group as these attacks have been the primary funding source for North Korea’s nuclear proliferation efforts.  The recent meeting between North Korea’s Kim Jong Un and Russian President Vladimir Putin should raise the alarm for cyber security officials as North Korea seeks to obtain advanced space technology through an alliance with the Russians.  Investigators at all levels must be prepared to conduct investigations into the illicit movement of cryptocurrency and have tools such as QLUE™ at their immediate disposal.”

On March 23, 2023, Harmony’s Horizon Bridge encountered a security breach which has sent shockwaves through the cryptocurrency community. The FBI linked the hack to North Korean hackers, who stole approximately US$103.7 million worth of Ethereum and multiple tokens in 12 transactions.

In June, the same group was linked to the theft of more than $100 million from Atomic Wallet. Continuing their spree, on July 22, 2023, they launched an attack on CoinsPaid, another prominent cryptocurrency payment processor, stealing approximately $37 million in cryptocurrency assets.

One day later, on July 23, 2023, the notorious group targeted the cryptocurrency payment gateway Alphapo, another incident that multiplied that amount in losses, draining more than $60 million worth of crypto assets.

Finally, one week ago, on September 6, 2023, The FBI attributed the theft of $41 Million from Stake.com to the Lazarus Group as the culprit behind the incident. 

By empowering law enforcement investigators and professionals with advanced investigative tools like QLUE™ from Blockchain Intelligence Group play a pivotal role in ensuring that security breaches lead to the identification and prosecution of those responsible.

Book a demo to learn how QLUE™ can solve your most sophisticated crypto investigations swiftly and easily.