CoinEx Hack — September 12, 2023
What Happened
On September 12, 2023, the CoinEx centralized exchange suffered a security breach resulting in the unauthorized withdrawal of $55M+ from its hot wallets. Cold wallets remained secure.
Root Cause: Hot Wallet Private Key Compromise
• Attackers gained control of CoinEx hot wallet private keys
• Method not publicly disclosed, but consistent with the social-engineering / spear-phishing pattern used by Lazarus
• Multi-chain drain: ETH, BSC, TRON
Attribution: Lazarus Group (DPRK)
Identified by SlowMist and on-chain investigator ZachXBT through:
• Address overlap with the Stake.com hack ($41M, September 4, 2023, FBI-attributed to Lazarus)
• Address overlap with prior Lazarus-linked operations on Optimism
• Distinctive fund-laundering pattern (Tornado Cash + cross-chain bridging via THORChain)
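The address-overlap reasoning above, sketched as an added example (not code from SlowMist, ZachXBT or this page): follow outgoing transfers from each incident's theft addresses and intersect the downstream sets, discarding shared public services such as mixers and bridges, which unrelated users also touch. All addresses, labels and the hop limit are constructed placeholders and assumptions.

```python
from collections import deque

# Constructed transfer edges (sender, receiver). Every label is a placeholder,
# not a real address from either incident.
TRANSFERS = [
    ("coinex_hot_1", "addr_A"), ("addr_A", "addr_B"), ("addr_B", "addr_SHARED"),
    ("addr_A", "mixer_contract"),
    ("stake_hot_1", "addr_C"), ("addr_C", "addr_SHARED"), ("addr_C", "mixer_contract"),
    ("addr_SHARED", "bridge_router"),
    ("unrelated_user", "mixer_contract"), ("unrelated_user", "bridge_router"),
]
# Assumed label set: public services that unrelated parties also use.
PUBLIC_SERVICES = frozenset({"mixer_contract", "bridge_router"})
INCIDENTS = {"coinex": ["coinex_hot_1"], "stake": ["stake_hot_1"],
             "control": ["unrelated_user"]}

def downstream(seeds, edges, max_hops=3, services=PUBLIC_SERVICES):
    """BFS over outgoing transfers; returns {address: hop distance from a seed}."""
    graph = {}
    for src, dst in edges:
        graph.setdefault(src, set()).add(dst)
    hops = {s: 0 for s in seeds}
    queue = deque(seeds)
    while queue:
        node = queue.popleft()
        # Do not follow funds out of a shared service: its outputs belong to everyone.
        if hops[node] >= max_hops or node in services:
            continue
        for nxt in graph.get(node, ()):
            if nxt not in hops:
                hops[nxt] = hops[node] + 1
                queue.append(nxt)
    return hops

def overlap(incidents, edges, max_hops=3, services=PUBLIC_SERVICES):
    """Pairwise shared downstream addresses, split into evidence vs. ignored services."""
    reach = {n: set(downstream(s, edges, max_hops, services)) for n, s in incidents.items()}
    names = sorted(reach)
    out = {}
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            shared = reach[a] & reach[b]
            out[(a, b)] = {"evidence": sorted(shared - services),
                           "ignored_services": sorted(shared & services)}
    return out

if __name__ == "__main__":
    for pair, result in overlap(INCIDENTS, TRANSFERS).items():
        print(pair, result)
```

The "control" entry shows why the service filter matters: an unrelated user overlaps with both incidents only through the mixer and bridge, which yields no evidence.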
Response
• CoinEx suspended deposits and withdrawals
• Shut down hot wallet server, transferred remaining assets to secure cold storage
• Pledged full reimbursement to affected users from company funds
• Resumed operations within ~2 weeks
Significance
• Part of a 2023 string of Lazarus attacks on crypto custodians (Stake, CoinEx, Atomic Wallet earlier that year)
• Reinforced concern about North Korean state-sponsored crypto theft funding weapons programs
• Total Lazarus 2023 take estimated at $1B+