Lazarus Group Blamed For $53m Heist at CoinEx

An infamous threat group connected to the North Korean state has been blamed for a major attack on cryptocurrency exchange CoinEx on Tuesday.

The Hong Kong-headquartered exchange warned users in a post on X (formerly Twitter) on September 12 that it had “detected anomalous withdrawals from several hot wallet addresses used to store CoinEx’s exchange assets.”

After investigating, the firm said the cause of the incident had been a hot wallet private key that got into the wrong hands. Funds were withdrawn in nine cryptocurrencies, totaling roughly $53m.

CoinEx said it had suspended deposits and withdrawals of all crypto assets, temporarily shuttered its hot wallet server and transferred the remaining assets from the compromised wallet to safe addresses.

Blockchain investigators were quick to connect the attack with North Korea.

“It appears North Korea is also responsible for the $54M @coinexcom hack from yesterday after they accidentally connected their address to the $41M Stake hack on OP & Polygon,” said ZachXBT on X.

Crypto casino Stake lost an estimated $40m last week after attackers drained funds from its hot wallets. That follows previous raids this year attributed to Lazarus, including Atomic Wallet ($35m), Alphapo ($60m) and CoinsPaid ($37m).

This money is being used by the Kim Jong-un regime to fund its nuclear and missile programs. However, after a landmark meeting between Kim and Russian President Putin this week, it’s also possible that it could be used to indirectly fund the latter’s war in Ukraine.

In the meantime, CoinEx said it is rebuilding and redeploying its wallet system and contacting exchanges to freeze the assets of its attackers.

The firm has promised its users that their assets will not be affected by the heist, but warned them that it would take some time to get back to normal.

“For now, before the recovery is complete, we strongly advise you not to deposit to old addresses to avoid potential asset losses,” it said in an update this morning.
