Hackers selling discount tokens related to CoinEx, Stake hacks

Blockchain analytics investigators have found an individual linked to a cryptocurrency laundering operation that offers discounted tokens stolen from recent high-profile exchange hacks.

Speaking exclusively to Cointelegraph, a representative from blockchain security firm Match Systems explained how an investigation into several major breaches in the summer of 2023 revealed similar tactics involving the sale of stolen cryptocurrency tokens through peer-to-peer transfers.

The investigators were able to identify the individual who was offering the stolen assets via Telegram. The team confirmed that the user controlled an address containing more than $6 million worth of cryptocurrencies after receiving a small transaction from the associated address.

Advertisement from the seller for stolen tokens related to the CoinEx and Stake hacks. Source: Match Systems

The exchange of looted assets was then carried out through a special Telegram bot, which offered a 3% discount off the token's market value. After initial talks, the owner of the address reported that the first assets on offer had been sold and new tokens would be available three weeks later:

“In keeping with our relationship, this individual informed us of the initiation of a new property sale. Based on the information available, it is reasonable to assume that these are funds from CoinEx or Stake companies.”

The Match Systems team was unable to fully identify the individual, but based on the numerous screenshots and chat sessions they received, they narrowed down the individual's location to the European time zone.

“He is not part of the original group but we believe he is associated with them, perhaps withheld to avoid misuse of delegated property.”

The person reportedly showed unstable and erratic behavior during various interactions, abruptly leaving the talks on pretexts such as, “I'm sorry, I have to go; my mother calls me for dinner.”

“He typically offers a 3% discount. Previously, when we first featured him, he was sending 3.14 TRX to customers as proof.”

Match Systems told Cointelegraph that the individual accepted Bitcoin (BTC) as payment for discounted stolen tokens and previously sold $6 million worth of Tron (TRX) tokens. Most recently, the Telegram user listed $50 million worth of TRX, Ether (ETH) and BNB (BNB) tokens.

Blockchain security firm CertiK previously disclosed in correspondence with Cointelegraph the movement of funds stolen from the Stake heist, with around $4.8 million of the total $41 million being laundered through various token movements and cross-chain exchanges.

The U.S. Federal Bureau of Investigation later identified hackers from North Korea's Lazarus Group as the perpetrators of the Stake attack, while cybersecurity firm SlowMist linked the $55 million CoinEx hack to the North Korean group.

This somewhat contradicts data obtained by Cointelegraph from Match Systems, which suggests that the perpetrators of the CoinEx and Stake hacks used a slightly different strategy.

Their analysis shows that previous Lazarus Group laundering efforts have not included Commonwealth of Independent States countries such as Russia and Ukraine, whereas the summer of 2023 saw stolen funds actively deployed in these jurisdictions.

Lazarus hackers have left minimal digital traces, but the recent incidents have left plenty of breadcrumbs for investigators. Social engineering was identified as a key attack vector in the summer hacks, while Lazarus Group targeted “accounting vulnerabilities.”

Finally, the firm notes that Lazarus hackers use Tornado Cash to disguise stolen crypto, while recent cases saw funds mixed through protocols such as Sinbad and Wasabi. These hacks used BTC wallets as the primary storage for stolen assets, as well as the Avalanche Bridge and mixers for token laundering.

As of mid-September, groups linked to North Korea had stolen a total of $340.4 million in crypto in 2023, according to Chainalysis.
