There has been another major exchange hack: around $120 million in numerous coins and tokens was stolen from the US exchange Poloniex. We summarize what is known so far about the hack, and who is suspected of being behind it.
On November 10th, crypto exchange Poloniex published the kind of news that no exchange ever wants to publish: the company admitted that it had been hacked.
A hacker managed to gain access to the exchange’s hot wallets and withdraw cryptocurrencies on multiple blockchains. The value of the stolen coins is not entirely clear: some reporters say $114 million, others $125 million.
The security service providers PeckShield and Cyvers had publicly reported the hack on the morning of November 10th, and Poloniex announced shortly afterwards that it would be shutting down the wallets “for maintenance reasons”. Shortly thereafter, Justin Sun, the owner or majority shareholder of the exchange, confirmed the hack.
In its terse announcement, Poloniex admits to having been hacked. However, the exchange assures its customers that its financial situation remains healthy: the extent of the losses is manageable and the exchange can cover the damage. Beyond that, Poloniex remained tight-lipped.
Several analysts, however, did not skimp on details. We therefore know that the damage occurred primarily on the Ethereum ($56 million), Tron ($48 million) and Bitcoin ($18 million) blockchains, but also on smaller ones. Stolen assets were mainly dollar-pegged stablecoins such as USDT and USDC, Ether and Bitcoin, but also coins such as Dogecoin Mars, Shiba Inu, OX, Golem (GLM) and numerous other small tokens. Because of the large number of tokens across multiple blockchains, the exact damage of the hack is difficult to quantify.
Justin Sun publicly asked the hacker to return the coins within a week, otherwise the police would be called in. Meanwhile, the hacker made numerous swaps and transfers to keep the coins and tokens out of reach.
Apparently the hacker’s Tron address was frozen shortly afterwards. It is not entirely clear whether this happened on-chain, for example through an agreement among the stakers, or off-chain, on an exchange. At this point there was only $6.5 million left on the address. Other addresses, such as those on exchanges, or balances, such as stablecoins or other tokens, may also have been frozen. At least that is what a tweet from Justin Sun suggests, though without going into details.
The analysts at X-explore suspect that a private key leak was the cause of the hack. They name the Lazarus Group from North Korea as a possible perpetrator, as some patterns correspond to the hack on Stake.com, which, according to the FBI, was carried out by Lazarus. In both cases, different tokens were stored on different addresses, then transferred to intermediate addresses and from there exchanged for the native currencies (ETH, TRX).
The Lazarus hacker group is believed to be operating in the service of the North Korean government. It was behind several large waves of ransomware and hacks on exchanges. According to security authorities, the loot is also used to finance North Korea’s nuclear weapons program.