Cyber Incident Victim: CoinEx

Date: Sep 2023

Location: China

Summary

The cryptocurrency exchange CoinEx suffered a security breach involving anomalous withdrawals from several of its hot wallets. A total of approximately $31 million in various cryptocurrencies was stolen, including Ethereum, TRON, and Polygon assets. The company confirmed the incident, suspended services, and pledged full compensation to affected users. It identified and isolated the attacker's wallet addresses and stated that the stolen funds represented a very small portion of its total assets.

Description

On September 12, 2023, cryptocurrency exchange CoinEx detected anomalous withdrawals from several hot wallet addresses used to store the platform’s exchange assets. The company promptly recognized the gravity of the situation and initiated an immediate investigation into the security incident. An investigative team discovered several unauthorized transactions involving Ethereum (ETH), TRON, and Polygon coins. The exchange publicly confirmed the security breach on the same day, stating that the incident involved a hack that resulted in the theft of millions of dollars worth of cryptocurrency. While CoinEx stated that the amount of losses was still being determined at the time of their announcement, external blockchain data collected by several cryptocurrency security firms provided an initial assessment of the stolen funds.

Blockchain security firm PeckShield analyzed the transactions and reported that approximately $31 million in various cryptocurrencies was drained from the CoinEx platform. Their analysis broke down the losses into specific amounts per blockchain: about $19 million worth of ETH, $11.5 million worth of TRON, and $295,000 worth of Polygon coins were stolen. In response to the incident, CoinEx took swift action to contain the threat and protect user assets. The company temporarily suspended all deposit and withdrawal services on the platform. This action was taken as a security precaution to allow for a thorough review of the system and to prevent any further unauthorized movement of funds.

CoinEx issued a public assurance to its users, stating that the stolen funds represented a very small portion of the platform’s total assets. The company explicitly guaranteed that all user assets remained secure and untouched by the breach. Furthermore, CoinEx pledged that all affected parties would receive 100% compensation for any losses incurred due to this security breach. The exchange committed to resuming deposit and withdrawal services only after completing a comprehensive security review. In a follow-up statement, CoinEx provided a key update on its containment efforts, announcing that it had successfully identified and isolated the suspicious wallet addresses linked to the hack.

The exchange publicly listed the Ethereum wallet addresses associated with the attacker, providing this information to the wider cryptocurrency community. The identified addresses included 0xce013682eddefaca8c94fe56a43a04212ebe4673, 0x8bf8cd7F001D0584F98F53a3d82eD0bA498cC3dE, and 0xCC1AE485b617c59a7c577C02cd07078a2bcCE454. By isolating these addresses, CoinEx aimed to track the movement of the stolen assets and prevent the attacker from laundering the funds through their platform. The company also urged other cryptocurrency exchanges and platforms to monitor for and block any transaction activity associated with the provided addresses. This action was part of a broader industry effort to mitigate the impact of the theft and hinder the attacker's ability to profit from the incident.
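The monitoring CoinEx asked other platforms to perform can be sketched as follows. This is an added example, not code from CoinEx or any security firm: it normalizes the mixed-case addresses published above, follows outgoing transfers for a bounded number of hops, and flags deposits whose sender is a listed or downstream address. The transfer and deposit records, the addresses A to D, and the function names are constructed for illustration.

```python
import re
from collections import deque

# Attacker addresses as published on this page (lower-case and mixed-case forms).
LISTED = [
    "0xce013682eddefaca8c94fe56a43a04212ebe4673",
    "0x8bf8cd7F001D0584F98F53a3d82eD0bA498cC3dE",
    "0xCC1AE485b617c59a7c577C02cd07078a2bcCE454",
]
ADDR_RE = re.compile(r"0x[0-9a-fA-F]{40}")
A, B, C, D = ("0x" + p * 20 for p in ("a1", "b2", "c3", "d4"))  # constructed addresses
SAMPLE_TRANSFERS = [  # constructed (sender, receiver, amount) records
    ("0x" + LISTED[1][2:].upper(), A, 120.0),  # same listed address, different case
    (A, B, 119.5), (B, C, 60.0), (D, A, 1.0),
]
SAMPLE_DEPOSITS = [  # constructed deposits arriving at the screening platform
    {"id": "dep-1", "from": B}, {"id": "dep-2", "from": C},
    {"id": "dep-3", "from": "0x" + LISTED[0][2:].upper()}, {"id": "dep-4", "from": D},
]

def norm(addr):
    """Canonical lower-case form; rejects anything that is not a 20-byte hex address."""
    if not ADDR_RE.fullmatch(addr):
        raise ValueError(f"not an Ethereum address: {addr!r}")
    return addr.lower()

def taint(transfers, seeds, max_hops=2):
    """Breadth-first walk of outgoing transfers; returns {address: hops from a seed}."""
    out = {}
    for src, dst, _amount in transfers:
        out.setdefault(norm(src), set()).add(norm(dst))
    hops = {norm(s): 0 for s in seeds}
    queue = deque(hops)
    while queue:
        cur = queue.popleft()
        if hops[cur] == max_hops:
            continue  # do not follow funds past the hop limit
        for nxt in out.get(cur, ()):
            if nxt not in hops:
                hops[nxt] = hops[cur] + 1
                queue.append(nxt)
    return hops

def screen_deposits(deposits, hops):
    """Return (deposit id, sender, hops) for every deposit sent by a tainted address."""
    return [(d["id"], norm(d["from"]), hops[norm(d["from"])])
            for d in deposits if norm(d["from"]) in hops]
```

Comparing addresses as raw strings would miss `dep-3` and the first transfer, because the same address appears in different letter case. Hop-based tainting over-flags once funds pass through a shared service, so matches are candidates for review rather than verdicts.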

The CoinEx hack occurred within a broader context of renewed attacks on cryptocurrency platforms throughout 2023. After a brief pause in attacks during early 2023, several platforms dealt with significant security incidents in the preceding months. Over the three months leading up to the CoinEx incident, Exactly Protocol, Harbor Protocol, and the Web3 programming language Vyper had all been exploited by hackers. Many of these recent attacks, including a $35 million hack of Atomic Wallet in June and a separate $100 million hack also attributed to Atomic Wallet, were publicly attributed to hackers connected to North Korea’s military. Other June attacks saw cybercriminals steal $60 million from Alphapo and $37 million from CoinsPaid.

North Korea’s Lazarus hacking group has been identified by cybersecurity researchers as one of the primary drivers behind these attacks on cryptocurrency platforms. The group has historically used billions of dollars in stolen digital assets to allegedly fund its nation's nuclear weapons program. The scale of these attacks has been significant, with blockchain research firm Chainalysis reporting that 2022 was a particularly successful year for hackers targeting cryptocurrency firms. In that year, approximately $3.8 billion was stolen from companies across the industry, which was an increase from the $3.3 billion stolen in 2021. The attack on CoinEx fits into this ongoing pattern of financially motivated cyberattacks targeting digital asset exchanges. CoinEx, a global exchange founded in 2017, stated that its priority remained the security and trust of its users throughout the response to this incident. The company expressed deep regret for any distress caused and assured users of its unwavering dedication to safeguarding their interests, pledging to eventually provide a comprehensive report on the incident.
