
Lazarus Group Potentially Linked to Orbit Bridge and Other Major Crypto Heists of 2023

Algoine News
Summary:
The blockchain analysis firm Match Systems suspects that the perpetrator behind the $81.5 million theft from Orbit bridge in 2023 could also be responsible for other major cryptocurrency service breaches, including CoinsPaid, CoinEx, and Atomic Wallet. The links were established based on common patterns and tools used in the attacks, which are commonly associated with the notorious Lazarus cybercriminal group. The firm used specialized software to track activities and revealed potential sources of the stolen funds, tracing them to certain addresses linked to the SWFT protocol and a number of other chains, and ultimately to a single Tron wallet used for cashing out the funds. The hacks may all be tied to a single criminal enterprise operating within the Commonwealth of Independent States region.

The individual responsible for siphoning $81.5 million from Orbit bridge is suspected of involvement in numerous additional crypto heists throughout 2023. These include major attacks on CoinsPaid, CoinEx, and Atomic Wallet, as noted in a January 3 document from blockchain experts Match Systems, viewed by Cointelegraph. The report alleges that a single criminal syndicate could be behind the Orbit bridge assault and other large-scale cryptocurrency service breaches at Atomic Wallet, CoinsPaid, CoinEx, and more, and that the attackers appear to employ techniques associated with the infamous Lazarus group.

Match Systems endeavored to track the Orbit offender's blockchain actions and noticed that the offender's account was initially loaded with gas money pulled from Tornado Cash-affiliated accounts. This tactic, used to muddy the origin of funds, is a common stratagem of cyber thieves. However, Match Systems asserts that it executed effective de-mixing operations to potentially expose where these funds originated. This involved the use of specific software to scrutinize characteristics and patterns before and after the use of the Tornado Cash mixer, taking into account transaction quantities and dates/times, amongst other tailored methods.

The de-mixing process unveiled a cluster of addresses. One used the SWFT protocol to move money to other addresses. Some of these SWFT-transferred amounts moved across various chains before landing in a single Tron wallet. The funds were then transferred from the Tron wallet to an exchange for cashing out. The geographical area and jurisdiction of the exchange remain indeterminate, though Match Systems provisionally suggests it might be located within the Commonwealth of Independent States (CIS) region. The SWFT protocol, according to Match Systems, was utilized in previous cyber breaches at DFX Finance, Deribit, and AscendEX.

Further commonalities are observed in the usage of Avalanche Bridge and Sinbad in both the Orbit attack and previous incidents, thereby strengthening the notion of a single criminal group's involvement. Similar methodologies were employed in the 2023 hacks of Atomic Wallet and CoinsPaid, according to Match Systems, which indicates that this most recent breach may have been orchestrated by the same culprits. The notorious Lazarus group is also linked to the CoinEx hack.

The alleged involvement of Lazarus, an infamous cybercrime outfit, in the 2023 Atomic Wallet and CoinsPaid breaches has been confirmed by the U.S. Federal Bureau of Investigation, relying on behavioral data deciphered from blockchain information. The substantial breach of Orbit Bridge marked the final significant Web3 protocol exploit of 2023, taking place on the last day of the year.
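
An added illustration of the amount-and-timing correlation the article describes for de-mixing. It is not Match Systems' software or method; it assumes a mixer with fixed-denomination pools, the function names and thresholds are hypothetical, and every address, amount and timestamp is constructed sample data.

```python
from collections import Counter, defaultdict

# Constructed sample records: (address, pool denomination in ETH, unix time).
DEPOSITS = [
    ("dep_A", 100, 1_000), ("dep_A", 100, 1_060), ("dep_A", 10, 1_120),
    ("dep_B", 10, 1_500),
    ("dep_C", 100, 2_000), ("dep_C", 1, 2_050),
]
WITHDRAWALS = [
    ("wd_X", 100, 9_000), ("wd_X", 100, 9_300), ("wd_X", 10, 9_600),
    ("wd_Y", 1, 9_900), ("wd_Y", 100, 9_950),
    ("wd_Z", 10, 1_200),
]

def profile(records):
    """Per address: how many notes of each denomination, first/last time seen."""
    out = defaultdict(lambda: {"counts": Counter(), "first": None, "last": None})
    for addr, denom, ts in records:
        p = out[addr]
        p["counts"][denom] += 1
        p["first"] = ts if p["first"] is None else min(p["first"], ts)
        p["last"] = ts if p["last"] is None else max(p["last"], ts)
    return out

def link_candidates(deposits, withdrawals, max_gap=30 * 86_400, min_txs=2):
    """Link a withdrawing address to a depositing address when the
    denomination fingerprints are identical, every deposit precedes every
    withdrawal, the gap is within max_gap seconds, and the match is unique."""
    dep, wd = profile(deposits), profile(withdrawals)
    links = {}
    for w_addr, w in wd.items():
        if sum(w["counts"].values()) < min_txs:
            continue  # a single note matches too many depositors to mean anything
        matches = [d_addr for d_addr, d in dep.items()
                   if d["counts"] == w["counts"]
                   and d["last"] < w["first"]
                   and w["first"] - d["last"] <= max_gap]
        if len(matches) == 1:  # ambiguous fingerprints are left unlinked
            links[w_addr] = matches[0]
    return links

if __name__ == "__main__":
    print(link_candidates(DEPOSITS, WITHDRAWALS))
```

A link produced this way is a lead for further tracing, not proof of common ownership; the heuristic deliberately returns nothing when two depositors share a fingerprint.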

Published At

1/3/2024 10:06:52 PM

Disclaimer: Algoine does not endorse any content or product on this page. Readers should conduct their own research before taking any actions related to the asset, company, or any information in this article and assume full responsibility for their decisions. This article should not be considered as investment advice. Our news is prepared with AI support.
