Poloniex exchange hack likely linked to North Korea hacker Lazarus Group

  • X-explore research speculates that the attack on the Poloniex exchange could be linked to the North Korean hacker collective Lazarus Group.
  • The attack is attributed to a leakage of private keys, akin to the infamous hackers’ September attack on Stake.com, in which $41 million was stolen.
  • The normal withdrawal in Poloniex is the EIP-1559 type and now the attack transaction is in the Legacy type.

The Poloniex centralized exchange, owned by Tron founder Justin Sun, was exploited for about $125 million, with the controversial executive committing to making users 100% whole while putting out a 5% white hat bounty for the return of funds. As reported, the stolen assets were mostly held in ETH, BTC, and TRX, together with other altcoins of low market capitalization such as FLOKI and AAVE.

Poloniex attacks possibly identified

The Poloniex exchange attackers could be the infamous Lazarus Group from North Korea, according to X-explore research, which tabulated addresses and balances related to the hacker. Based on the investigation, the researcher opines that the attack was facilitated by a leakage of the private key, noting that “The normal withdrawal in Poloniex is the EIP-1559 type and now the attack transaction is in the Legacy type.”

According to X-explore, this finding leads to the conclusion that the attack may have been the handiwork of North Korea’s notorious hackers, the Lazarus Group, basing their assumption on the fact that a similar tactic was used against Stake.com in September.

Specifically, the tactic has two parts:

  • Different tokens are saved at different addresses, meaning each address will only deal with one kind of token.
  • A middle address is then used to swap the ERC-20/TRC-20 token on a decentralized exchange (DEX) and then transfer the ETH/TRX to the new address.
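
The transaction-type mismatch quoted above (withdrawals normally sent as EIP-1559, the attack transaction sent as Legacy) is something a wallet operator can monitor for. The sketch below is an added example, not code from the article or from X-explore: it baselines the EIP-2718 transaction type each wallet has used and flags outgoing transactions of a type that wallet almost never sends. The address, hashes, and thresholds are constructed placeholders; the records follow the shape of Ethereum JSON-RPC transaction objects.

```python
from collections import Counter, defaultdict

TYPE_NAMES = {0: "legacy", 1: "eip-2930", 2: "eip-1559"}

def tx_type(tx):
    """Return the EIP-2718 type of a JSON-RPC transaction object."""
    if tx.get("type") is not None:
        return int(tx["type"], 16)
    # Older nodes omit "type"; only EIP-1559 transactions carry maxFeePerGas.
    return 2 if "maxFeePerGas" in tx else 0

def build_baseline(history):
    """Count the transaction types previously sent by each wallet address."""
    baseline = defaultdict(Counter)
    for tx in history:
        baseline[tx["from"].lower()][tx_type(tx)] += 1
    return baseline

def flag_deviations(baseline, new_txs, min_history=3, max_share=0.05):
    """Flag transactions whose type the sender has (almost) never used."""
    alerts = []
    for tx in new_txs:
        seen = baseline.get(tx["from"].lower())
        if not seen or sum(seen.values()) < min_history:
            continue  # not enough history to judge this sender
        t = tx_type(tx)
        share = seen[t] / sum(seen.values())
        if share <= max_share:
            usual = TYPE_NAMES.get(seen.most_common(1)[0][0], "unknown")
            alerts.append((tx["hash"], TYPE_NAMES.get(t, "unknown"), usual))
    return alerts

# Constructed sample data: placeholder address and hashes, not real ones.
HOT_WALLET = "0x" + "ab" * 20
HISTORY = [{"hash": f"0xhist{i}", "from": HOT_WALLET, "type": "0x2",
            "maxFeePerGas": "0x6fc23ac00"} for i in range(20)]
NEW_TXS = [
    {"hash": "0xnew1", "from": HOT_WALLET, "type": "0x2", "maxFeePerGas": "0x6fc23ac00"},
    {"hash": "0xnew2", "from": HOT_WALLET, "type": "0x0", "gasPrice": "0x6fc23ac00"},
    {"hash": "0xnew3", "from": HOT_WALLET, "gasPrice": "0x6fc23ac00"},  # no "type" field
]

if __name__ == "__main__":
    for h, got, usual in flag_deviations(build_baseline(HISTORY), NEW_TXS):
        print(f"ALERT {h}: {got} transaction from a wallet that normally sends {usual}")
```

A type change alone does not prove key compromise, since a legitimate signer upgrade or a manual recovery transfer can cause one, so an alert like this is best treated as a trigger to pause withdrawals and review the signing path.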

Stake.com attack by Lazarus Group

In a September report, the US Federal Bureau of Investigation (FBI) revealed that Lazarus Group executed a cyber-attack on the online casino and betting platform Stake.com, stealing up to $41 million. According to the FBI, the group, also called APT38, is composed of DPRK cyber actors.

In the attack, the exploiters moved stolen funds associated with the Ethereum, Binance Smart Chain (BSC), and Polygon networks from Stake.com into several virtual currency addresses.

Notably, if the perpetrator(s) is actually the Lazarus Group, then the chances of Sun’s 5% white hat bounty yielding fruit are slim to none, considering the Lazarus Group’s modus operandi.

Nevertheless, hope remains alive, considering Sun’s offer yielded fruit only recently, when HTX Global was hacked for $8 million.

Author

Lockridge Okoth

Lockridge is a believer in the transformative power of crypto and the blockchain industry.
