After suspicious outflows of $114 million, cryptocurrency exchange Poloniex has confirmed that it has been hacked. Poloniex investor Justin Sun offered the attacker a 5% white hat bounty. However, the adversary appears to be the notorious Lazarus Group from North Korea.
The attack happened on November 10th, first observed by blockchain security firms PeckShield and Cyvers, which noticed multiple suspicious transactions from Poloniex’s hot wallet.
Suspicious addresses received massive sums and transferred all assets elsewhere, forcing Poloniex to disable all withdrawals.
Poloniex confirmed the hack, claiming that it has identified and frozen a portion of the assets associated with the hacker’s addresses.
“Losses are within manageable limits, and Poloniex’s operating revenue can cover these losses,” Poloniex’s post on X reads.
Before involving law enforcement, Poloniex offered the hacker a “white hat bounty”: 5% of the funds in exchange for returning them, with seven days to consider.
According to blockchain researchers Spot On Chain, at least $114 million was drained from Poloniex wallets on the Ethereum and Tron networks. The hacker has since swapped various assets, including stablecoins. Poloniex lost $32.7 million in USDT stablecoins, 443 bitcoins (worth $16.5 million), and $12.7 million in ETH.
“The hacker also wrongly sent 10.5M $GLM ($2.5M) to the token contract, essentially burning all the $GLM tokens,” researchers said in a tweet.
Meanwhile, Poloniex announced its team has restored the systems and preserved evidence.
“In the coming days, we will work diligently to gradually resume deposits and withdrawals, ensuring 100% security,” the post claims, a promise that angered some users.
One user on X responded: “100% security? Your users’ funds are all stuck or lost on your exchange, and you’re still boasting 100% secured?”
Ranked by trading volume, Poloniex is now the 23rd largest crypto exchange, according to coinmarketcap.com.
Traces lead to North Korea
Market research platform X-explore attributed the incident to a leaked private key, and assessed that the attack was likely carried out by the North Korean state-sponsored actor known as the Lazarus Group.
“We think this attacker is Lazarus Group, who attacked Stake.com on 2023/9/4. The attack behavior is similar: a. Different tokens are saved at different addresses. It means each address only deals with one kind of token. b. Use a middle address to swap erc20/trc20 token on dex and then transfer the ETH/TRX to the new address,” X-explore posted.
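The two behavioural fingerprints in X-explore’s post can be checked mechanically against a list of token transfers. The script below is an added example written for this article; it is not code from Cybernews, X-explore or Poloniex. It runs both heuristics over a small constructed set of transfers: every address, the DEX router placeholders and the amounts are invented for illustration, and the tokens named are only those mentioned in the article.

```python
"""Two on-chain attribution heuristics, run over constructed sample transfers.

(a) one-token-per-address: a drained source sends each token kind to its own
    receiving address, which never receives any other token.
(b) swap-and-forward: a "middle" address receives a token, sends it to a DEX
    router, receives the chain's native coin back, and forwards that native coin
    to an address that has never appeared on chain before.
"""
from collections import defaultdict
from dataclasses import dataclass

# Native coin per chain; everything else is treated as an ERC-20 / TRC-20 token.
NATIVE = {"eth": "ETH", "tron": "TRX"}


@dataclass(frozen=True)
class Transfer:
    seq: int     # block/index collapsed into one ordering key for the sample
    chain: str   # "eth" or "tron"
    src: str
    dst: str
    token: str   # symbol; "ETH" / "TRX" are the native coins
    amount: float


# Hypothetical DEX router addresses (placeholders, not real contracts).
DEX_ROUTERS = {"0xROUTER", "TROUTER"}

# Constructed sample (all addresses and amounts made up):
#  seq 1-4: hot wallets drain, one token kind per receiving address
#  seq 5-8: 0xMID swaps USDT for ETH at the router and forwards to fresh 0xNEW1
#  seq 9-10: an ordinary address receiving two different tokens (no match)
SAMPLE = [
    Transfer(1, "eth", "0xHOT", "0xA1", "USDT", 30_000_000),
    Transfer(2, "eth", "0xHOT", "0xA2", "GLM", 10_000_000),
    Transfer(3, "eth", "0xHOT", "0xA1", "USDT", 2_000_000),
    Transfer(4, "tron", "THOT", "TA3", "USDT", 5_000_000),
    Transfer(5, "eth", "0xA1", "0xMID", "USDT", 32_000_000),
    Transfer(6, "eth", "0xMID", "0xROUTER", "USDT", 32_000_000),
    Transfer(7, "eth", "0xROUTER", "0xMID", "ETH", 16_000),
    Transfer(8, "eth", "0xMID", "0xNEW1", "ETH", 16_000),
    Transfer(9, "eth", "0xUSER", "0xB", "USDT", 10),
    Transfer(10, "eth", "0xUSER", "0xB", "ETH", 1),
]


def one_token_per_address(transfers, source):
    """Heuristic (a). Return {destination: token} for everything `source` sent
    if every destination received exactly one kind of token from it; else None."""
    dests = defaultdict(set)
    for t in transfers:
        if t.src == source:
            dests[t.dst].add(t.token)
    if not dests or any(len(tokens) != 1 for tokens in dests.values()):
        return None
    return {dst: next(iter(tokens)) for dst, tokens in dests.items()}


def swap_and_forward(transfers, routers):
    """Heuristic (b). Return sorted (middle_address, token, fresh_destination)
    triples for every address that walks the receive -> swap -> forward path."""
    ordered = sorted(transfers, key=lambda t: t.seq)
    first_seen = {}                      # address -> seq of its first appearance
    by_addr = defaultdict(list)          # address -> its transfers, in order
    for t in ordered:
        for a in (t.src, t.dst):
            first_seen.setdefault(a, t.seq)
        by_addr[t.src].append(t)
        by_addr[t.dst].append(t)

    hits = []
    for mid, txs in by_addr.items():
        if mid in routers:
            continue
        stage, token = 0, None           # small state machine over mid's history
        for t in txs:
            native = NATIVE[t.chain]
            if stage == 0 and t.dst == mid and t.token != native:
                stage, token = 1, t.token            # received a non-native token
            elif stage == 1 and t.src == mid and t.dst in routers and t.token == token:
                stage = 2                            # sent that token to a DEX router
            elif stage == 2 and t.dst == mid and t.src in routers and t.token == native:
                stage = 3                            # got native coin back from the router
            elif stage == 3 and t.src == mid and t.token == native and first_seen[t.dst] == t.seq:
                hits.append((mid, token, t.dst))     # forwarded to a never-seen address
                break
    return sorted(hits)


if __name__ == "__main__":
    print("one-token-per-address from 0xHOT:", one_token_per_address(SAMPLE, "0xHOT"))
    print("one-token-per-address from 0xUSER:", one_token_per_address(SAMPLE, "0xUSER"))
    print("swap-and-forward middle addresses:", swap_and_forward(SAMPLE, DEX_ROUTERS))
```

Both checks are deliberately strict pattern matches rather than scores: a real investigation would run them over full Ethereum and Tron transfer logs (with genuine router addresses) and treat a match as one signal to be weighed alongside timing, amounts and known cluster labels, not as attribution on its own.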
State-sponsored North Korean hackers are estimated to have stolen $1.7 billion in cryptocurrency last year alone.
It said that actors working for the Reconnaissance General Bureau, North Korea’s military intelligence agency, continued to use “increasingly sophisticated cybertechniques to steal funds and information.”
Lazarus Group is believed to be behind the California-based Harmony blockchain hack, the online gambling platform Stake.com breach, the crypto payments platform CoinsPaid cyberattack, and many others.