EXCLUSIVE: Hackers are selling discounted tokens tied to CoinEx and Stake

Blockchain analytics investigators have discovered a person linked to a cryptocurrency laundering operation who is offering stolen tokens from recent high-profile exchange hacks at discounted prices.

Speaking exclusively to Cointelegraph, a representative from blockchain security firm Match Systems explained how investigations into several major breaches featuring similar methods during the summer months of 2023 pointed to an individual allegedly selling stolen cryptocurrency tokens via peer-to-peer transfers.

Investigators were able to identify and contact a person on Telegram offering the stolen assets. The team confirmed that the user was controlling an address containing over $6 million in cryptocurrencies after receiving a small transaction from the corresponding address.

A message from the seller announcing that the stolen tokens are being linked to CoinEx and Stake hacks. Source: Match Systems

The exchange of the stolen assets was then carried out through a specially created Telegram bot, which offered a 3% discount from the market price of the token. After initial conversations, the address owner reported that the initial assets on offer had been sold and that new tokens would be available in about three weeks:

“By maintaining our contact, this person informed us of the start of new asset sales. Based on the available information, it is reasonable to assume that these are funds from CoinEx or Stake companies.”

The Match Systems team was unable to fully identify the individual, but has narrowed down their location to the European time zone based on several screenshots they received and the timing of the conversations:

“We believe he is not part of the core team but is associated with them, and his anonymity may have been revoked as a guarantee that he would not misuse the delegated assets.”

The person also reportedly displayed “unstable” and “erratic” behavior during various interactions, abruptly leaving conversations with excuses such as “Sorry, I have to go; my mom is inviting me to dinner.”

“Normally, he offers a 3% discount. Previously, when we first identified him, he would send 3.14 TRX as a form of proof to potential customers.”

Match Systems told Cointelegraph that the individual accepted Bitcoin (BTC) as payment for the discounted stolen tokens, and had previously sold $6 million worth of Tron (TRX) tokens. The latest offering from a Telegram user listed $50 million worth of TRX, Ether (ETH) and Binance Smart Chain (BSC) tokens.

Blockchain security firm CertiK previously explained the movement of funds stolen in the Stake theft in correspondence with Cointelegraph, where approximately $4.8 million of the $41 million total was laundered through various token movements and cross-chain swaps.

The FBI later determined North Korean Lazarus Group hackers are the culprits in the Stake attack, while cybersecurity firm SlowMist has also linked the $55 million CoinEx hack to the North Korean group.

This differs slightly from information obtained by Cointelegraph from Match Systems, which suggests that the perpetrators of the CoinEx and Stake hacks had slightly different identifiers in methodology.

Their analysis highlights that previous money laundering efforts by the Lazarus Group did not involve Commonwealth of Independent States (CIS) countries such as Russia and Ukraine, while the summer 2023 hacks saw stolen funds actively laundered in these jurisdictions.

The Lazarus hackers left a minimal digital footprint behind, while recent events have left plenty of breadcrumbs for investigators. Social engineering was also identified as a major attack vector in the summer hacks, while the Lazarus Group targeted “mathematics vulnerabilities.”

Finally, the company notes that the Lazarus hackers typically used Tornado Cash to launder stolen cryptocurrencies, while recent incidents have seen funds commingled through protocols such as Sinbad and Wasabi. The main similarities remain significant. All of these hacks used BTC wallets as the primary repository for stolen assets as well as Avalanche Bridge and mixers to launder the tokens.

Blockchain data audited at the end of September 2023 indicates that North Korean hackers have stolen an estimated $47 million in cryptocurrencies this year, including $42.5 million in Bitcoin and $1.9 million in Ethereum.
