North Korean hackers are suspected of stealing roughly $53 million worth of cryptocurrency from crypto exchange CoinEx, after a private key was leaked.
The incident was identified on September 12, when the exchange observed “anomalous withdrawals from several hot wallet addresses” in which CoinEx was temporarily storing user assets.
“It is currently preliminarily determined that the cause of the incident was the leakage of the hot wallet private key,” the company explains in an incident notification.
Immediately after identifying the attack, the exchange transferred the remaining assets in the targeted hot wallets to cold storage, suspended all deposit and withdrawal services, and shut down the hot wallet server.
CoinEx says it has started rebuilding and redeploying the wallet system and that deposit and withdrawal services will resume incrementally.
The exchange has published a list of suspicious cryptocurrency addresses involved in the attack, urging relevant project teams and fellow exchanges to help it in freezing the attackers’ funds.
“We are actively collaborating with the affected crypto projects to formulate a solution. Furthermore, we urge crypto projects and our fellow crypto exchanges to remain vigilant. If you detect any unusual or related activities from the aforementioned wallet addresses, please contact us immediately,” the exchange said on social media.
While CoinEx did not share details on the stolen amounts, organizations tracking the involved crypto addresses have determined that roughly $53 million in Bitcoin, Ethereum, Smart Chain Coin, TRON, and other cryptocurrency was stolen in the heist.
Web3 security firm CertiK notes that at least $377 million worth of cryptocurrency have been stolen this year as result of private key compromises, and says that North Korea-linked hacking group Lazarus is the culprit.
The security firm has identified a connection between the recent Atomic Wallet, Alphapo, CoinsPaid, Stake.com, and CoinEx heists, all of which were the result of private key leakage, and all seemingly the work of Lazarus.
“Historical data, including the Ronin Bridge and CoinsPaid exploits, pinpoints the Lazarus Group’s modus operandi: spear-phishing targeting Web3 company personnel to hijack sensitive credentials. Employees in the Web3 sphere need to be acutely vigilant of unsolicited job pitches, especially those boasting overly lucrative compensation packages,” CertiK notes.