Tapioca DAO exploited for most of its assets — over $4 million

The DeFi lending protocol Tapioca DAO was exploited after an attacker reportedly socially engineered the DAO's co-founder and gained access to their private key. The attacker then used that access to sell off TAP tokens and to drain a stablecoin liquidity pool on the platform, netting around $4.4 million in USDC and ETH. The TAP token price subsequently crashed by around 96%.

Various security researchers have observed that the attack appears to be linked to a slew of social engineering attacks perpetrated by cybercriminals out of North Korea.

Cosmos founder reveals a portion of the protocol was created by North Korean developers

Cosmos creator Jae Kwon has raised concerns about a portion of the Cosmos protocol called the "Liquid Staking Module" after learning it was developed by North Korean agents. Although a contributor to the protocol, Zaki Manian, learned of the developers' links to North Korea after contact from the FBI in March 2023, Kwon claims that Manian ignored known flaws in their code, failed to fully audit their code, and did not report the issue to the project team or the Cosmos community. According to Kwon, the code contained a vulnerability that would allow stakers to avoid having their stakes slashed, which "contradicts the fundamental principles of staking security."

Kwon urged the Cosmos governance team to perform a full audit of the code written by these developers, and develop more protocols to prevent issues like this going forward. He also called for the governance team to blacklist Zaki Manian.

North Korean developers steal $1.3 million from crypto project treasury

According to blockchain investigator zachxbt, North Korean developers using fake identities were able to steal $1.3 million from a cryptocurrency project after pushing malicious code.

zachxbt traced the payment addresses for roughly 21 developers involved in this kind of activity, which he found had been working for at least 25 different cryptocurrency projects. They had earned around $375,000 over the past month.

WazirX exchange hacked for $235 million

After a $230 million "suspicious transfer", Indian cryptocurrency exchange WazirX has paused withdrawals and acknowledged that one of their multisignature wallets was compromised. The attacker began selling off the tokens, causing the price of tokens like Shiba Inu to drop around 10%.

WazirX is the largest cryptocurrency exchange in India. The company was acquired by Binance in 2019, but the two companies re-separated in 2023 after a bizarre public dispute.

WazirX's June 2024 proof-of-reserves reported around $500 million in total holdings, making the $235 million theft a substantial portion of the assets held at the exchange.

Blockchain sleuth zachxbt observed that the theft had some of the hallmarks of the Lazarus Group, a North Korean hacking group that has perpetrated other 9-figure heists including the $625 million Axie Infinity theft in March 2022, and the theft of more than $100 million from Atomic Wallet users.

Japanese crypto exchange DMM Bitcoin loses $308 million

A Japanese cryptocurrency exchange called DMM Bitcoin has announced that they suffered an "unauthorized leak" of 4,502.9 bitcoin (~$308 million) from a company wallet. They've provided very few additional details about how the loss occurred, or who may have been involved. They have taken some of their services offline as they investigate the incident.

The company claims it will replace the lost funds with help from other companies in their group.

This is one of the largest cryptocurrency thefts in recent history, rivaling the roughly $320 million theft from the Wormhole bridge in February 2022 and the $477 million theft from FTX in November 2022.

The DMM hack was later attributed to a North Korean state-sponsored cybercrime group.

$2 million stolen from ALEX's XLink bridge by bumbling exploiter

An attacker tried to pull off what could have been a ~$12 million heist from ALEX Lab's XLink bridge after a private key was compromised. However, the sloppy work by the attacker enabled an apparent whitehat hacker to step in.

The attacker successfully transferred around 13.8 million STX (~$2 million) on the Stacks BTC layer-2 chain. However, their attempts to steal assets notionally worth around $4.3 million from the project's BNB Chain implementation failed when they upgraded the project contract to a malicious version, but failed to prevent other people from calling the withdraw function. The attacker's first transactions to withdraw the funds themself failed, and an apparent whitehat hacker was able to step in and complete the withdrawal ahead of the exploiter. They later negotiated a deal for the funds' return, after offering a 10% "bounty".

The exploiter had also tried, and failed, to steal assets notionally worth around $5 million on the Ethereum blockchain. ALEX Lab later announced they were able to recover or secure around $4.5 million of those assets. ALEX also later announced that they believed the attackers were part of the North Korean Lazarus Group.

CoinEx hacked for $70 million

Various blockchain watchers noticed suspicious transfers from a hot wallet known to belong to the CoinEx cryptocurrency exchange. CoinEx later confirmed a "security incident" involving "unauthorized transactions", and disclosed that around $70 million was stolen. Outside researchers have suggested that the thieves appear to be a part of the North Korean state-sponsored hacking group, Lazarus.

CoinEx is based out of Hong Kong, and was recently forced to stop serving US customers as part of a settlement with the New York Attorney General which also required them to pay a $1.7 million fine.

Crypto casino Stake hacked for over $40 million

Attackers managed to make transactions from hot wallets operated by the Stake betting platform, stealing approximately $15.7 million from their Ethereum wallet and around $25.6 million from BSC and Polygon. Blockchain analysis project Cyvers attributed the theft to a private key leak, though Stake co-founder Edward Craven later denied that. Craven claimed that the attack was achieved through a "sophisticated breach" targeting a service the company uses to approve transactions.

Stake acknowledged the attack on their Twitter account, writing that "We are investigating and will get the wallets up as soon as they're completely re-secured."

Stake is an Australia-based cryptocurrency casino and sports betting platform that has enjoyed endorsements from various celebrities, and which shelled out $100 million in 2022 for an endorsement deal with Drake.

On September 6, the FBI announced that they believed the Lazarus Group was behind the theft. Lazarus is a group of North Korean state-sponsored hackers allegedly responsible for crypto hacks totaling hundreds of millions of dollars.

CoinsPaid hacked for $37.3 million

The CoinsPaid crypto payment platform, which provides payment services to various online casinos, reportedly suspended withdrawals under mysterious circumstances. The company later deleted a handful of tweets pertaining to the incident, which they ascribed to a "technical issue".

After prominent Bitcoiner Jameson Lopp tweeted that the issue "look[s] more like a hack", CoinsPaid replied "Our team is aware of the issue... Please wait for the official announcement on this topic." Crypto researcher zachxbt responded, "The issue is you got hacked by North Korea that's what lol", referencing the increasing suspicion that the Lazarus group may be behind the disruption. Sure enough, CoinsPaid later confirmed that they had been hacked for $37.3 million, and announced that they suspected the Lazarus Group was behind it.

Some have been speculating that there are connections between this incident and the $60 million hack of the Alphapo crypto payments processor on July 22. Alphapo also provided services to various online casinos. Indeed, there seem to be connections between Alphapo and CoinsPaid, and they may in fact be operated by the same people.

Atomic Wallet hacks total over $100 million

Multiple users of the Atomic Wallet software suffered wallet compromises totaling more than $100 million in a spate of hacks suggesting an issue with the wallet itself. Atomic Wallet is a self-custody wallet, a type of wallet suggested as a safer alternative to storing crypto assets in accounts controlled by third-party companies. In February 2022, a security firm was forced to publicly disclose issues with the Atomic Wallet software after attempting to address them with the company via traditional routes and being ignored.

Following the thefts, Atomic Wallet tweeted that they were aware of the reports of wallet compromises, and that they were attempting to learn more about the attacks, but had not yet confirmed any method of attack. They've since taken down the wallet software download page, likely out of concern that the software itself has been compromised.

Crypto sleuth zachxbt compiled a list of reported compromised Atomic Wallets, finding that multiple individuals lost multiple millions in the attack. The largest known individual theft so far involved almost $8 million in USDT (Tether); other individuals lost $2.8 million in USDT and 1,897 ETH (~$3.5 million).

Users of Atomic Wallet have been advised to transfer their assets to other wallets.

On June 6, both zachxbt and blockchain research group Elliptic speculated that the laundering strategy by the thieves resembled that of the North Korea-linked Lazarus Group, which has been responsible for other major crypto thefts.
