CoinEx Suffers $52.8 Million Security Breach Across Multiple Chains

Summary

On September 12, 2023, CoinEx, a crypto trading platform operating on various chains, experienced a massive security breach due to a private key compromise. The attacker exploited CoinEx’s hot wallets and extracted approximately $52.8 million worth of assets across 9 different chains. The stolen funds were transferred to the attacker’s addresses and then laundered via distribution between multiple addresses and smart contracts. Lazarus Group is suspected to be behind the theft, as multiple sources have confirmed an onchain connection between Stake.com, Atomic Wallet, and the CoinEx hacks.

Attackers

North Korean Lazarus Group is suspected to be behind the theft. The attackers used the following addresses to transfer the funds:

• Ethereum:     - 0xCC1AE485b617c59a7c577C02cd07078a2bcCE454     - 0x8bf8cd7F001D0584F98F53a3d82eD0bA498cC3dE     - 0x483D88278Cbc0C9105c4807d558E06782AEFf584
• Binance Smart Chain:     - 0x6953704e753C6FD70Eb6B083313089e4FC258A20
• Polygon:     - 0x4515bE0067E60d8e49b2425D37e61c791C9B95e9
• Tron:     - TPFUjxQzG88Vwynrpj2W61ZAkQ9W2QYgAQ
• Solana:     - G3udanrxk8stVe8Se2zXmJ3QwU8GSFJMn28mTfn8t1kq
• Bitcoin:     - 1BHNb9UJy4cWFB5wywZkTVgoNB4JbFmswH
• Bitcoin Cash:     - qrgxyhj8rzl4l7fgauu6q6vtu2grct4jeyrnaq2s75
• Ripple:     - rpQxVcjVF2fC23r3xKyJS53jw8d5SRhZQf
• XDAG:     - 15VY3MadZvLpXhjzFXwCUmtZcHszju6L9

The following address was used to consolidate funds from both Stake.com and CoinEx hacks:

• 0x75497999432b8701330fb68058bd21918c02ac59

Losses

CoinEx lost $52,847,077 in total across the following chains:

• $18,324,848 in Ethereum
• $6,286,018 in Binance Smart Chain
• $288,072 in Polygon
• $11,119,353 in Tron
• $2,496,432 in Solana
• $6,082,389 in Bitcoin
• $447,574 in Bitcoin Cash
• $6,113,201 in Ripple
• $1,689,190 in XDAG

Timeline

• September 12, 2023, 01:21 PM UTC: Funds were drained from CoinEx’s Ethereum hot wallet for 408,741 DAI
• September 12, 2023, 05:38 PM UTC: CoinEx has suspended services temporarily, and promises to compensate any losses.
• September 15, 2023: Elliptic Research, crypto security firm, published a post, with the proof of onchain relation between CoinEx and Stake.com hacks:

  Elliptic analysis confirms that some of the funds stolen from CoinEx were sent to an address which was used by the Lazarus Group to launder funds stolen from Stake.com, albeit on a different blockchain.

• September 20, 2023, 09:17 AM UTC: CoinEx announced the resumption of deposit and withdrawal services on Sep 21, 2023 at 8:00 UTC.

Security Failure Causes

Compromised Private Key: The primary cause of the security breach was the compromise of the private key for CoinEx’s hot wallets. This allowed the attacker to gain unauthorized access to the funds and perform malicious transactions.

Social Engineering: The Lazarus Group’s attack methodology of choice is social engineering. The $540 million hack of Ronin Bridge, for example, was attributed to a fake LinkedIn job offer.