Cybersecurity investigators at Cyvers have pointed fingers at the notorious Lazarus Group from North Korea in connection to the recent $44 million security breach impacting CoinDCX, a cryptocurrency exchange operating from India.
Deddy Lavid, CEO of Cyvers, said in a statement provided to CryptoSlate on July 21 that the attack's methodology closely resembles past incidents attributed to Lazarus. These tactics included routing funds through cross-chain protocols and Tornado Cash, a crypto mixer, to obscure the movement of illicit funds, a laundering pattern closely associated with the hacking collective.
North Korean Involvement Suspected
Lavid further asserted that the complexity of the breach targeting the centralized exchange, along with the attackers’ clear grasp of liquidity management, strongly suggests involvement of a highly skilled and well-organized cyber threat entity.
On July 19, the Indian cryptocurrency platform disclosed a security breach after unauthorized actors gained control of internal exchange accounts used for liquidity provisioning with another service.
Expanding on the likely method, Lavid theorized that the perpetrators gained backend access through compromised API keys, faulty system configurations, or excessively broad credential permissions. Once inside, the attackers used the account's legitimate authority to transfer assets from Solana to Ethereum, then passed the funds through Tornado Cash to conceal the trail of the stolen assets.
He elaborated:
“While the affected account was isolated from user wallets, its administrative rights were sufficient to enable substantial fund transfers without triggering immediate security protocols.”
Moreover, the sophistication of the intrusion is consistent with the North Korea-linked group, which remains a dominant force in the crypto-hacking landscape and persistently targets the developing digital asset industry.
Significantly, the Lazarus Group reportedly obtained over $1.6 billion in illicit funds in the initial six months of the year and has been linked to the hack targeting Bybit.
Reward Program Introduced
In response to the security incident, CoinDCX unveiled a bounty program on July 21, offering a reward valued at up to 25% of the recovered funds. Depending on the recovery’s success, the bounty could reach as high as $11 million.
CoinDCX’s CEO, Sumit Gupta, explained that the program is designed to incentivize ethical hackers, security researchers, and blockchain specialists to aid in identifying and retrieving the stolen assets. He stated:
“Our primary objective goes beyond simply recovering the lost funds. It’s crucial that we identify and apprehend the individuals responsible, ensuring such incidents are prevented in the future, both for us and the wider cryptocurrency sector.”
Gupta also emphasized the company is covering the losses using its treasury reserves and reassured users that their individual funds were unaffected.