SlowMist: CoinEx hacker may be linked to North Korean hacker group Lazarus Group, which has been associated with other attack incidents

2023-09-13 18:40:08

ChainCatcher news: while analyzing the CoinEx attack, SlowMist found that the CoinEx hacker may be associated with the North Korean hacker group Lazarus Group. The specific connections are as follows:

  1. The known Alphapo Exploiter (TDrs…WVjr) swapped TRX for ETH through TransitSwap and bridged it cross-chain to the address (0x22be3b0a943b1bc0ea3aec2cb3ef511f3920a98d); this address is therefore also marked as Alphapo Exploiter on Ethereum;

  2. The hacker address 0x22be3b0a943b1bc0ea3aec2cb3ef511f3920a98d is marked as Alphapo Exploiter on Ethereum and as Stake.com Exploiter on BNB Chain, indicating that the address is shared;

  3. 0x75497999432B8701330fB68058bd21918C02Ac59 is marked as CoinEx Exploiter on Arbitrum and OP Mainnet, and as Stake.com Exploiter on Polygon, indicating that the address is shared.

Since the Stake.com Exploiter has been linked by the FBI to the North Korean hacker group Lazarus Group, it is possible that the Alphapo Exploiter, Stake.com Exploiter, and CoinEx Exploiter are all part of the North Korean hacker group Lazarus Group.
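The linking argument above can be expressed as a small clustering routine. This is an added example, not SlowMist's or ChainCatcher's code: the function names are hypothetical, the label rows restate the addresses and labels given in the article, and one control row is constructed. It merges incident labels whenever a single address carries more than one of them, so the result is a list of candidates to investigate, only as reliable as the labels themselves.

```python
from collections import defaultdict

# (address, chain, label) records. The first five rows restate the labels
# reported in the article; the last row is constructed as a control.
LABELS = [
    ("0x22be3b0a943b1bc0ea3aec2cb3ef511f3920a98d", "Ethereum", "Alphapo Exploiter"),
    ("0x22be3b0a943b1bc0ea3aec2cb3ef511f3920a98d", "BNB Chain", "Stake.com Exploiter"),
    ("0x75497999432B8701330fB68058bd21918C02Ac59", "Arbitrum", "CoinEx Exploiter"),
    ("0x75497999432B8701330fB68058bd21918C02Ac59", "OP Mainnet", "CoinEx Exploiter"),
    ("0x75497999432B8701330fB68058bd21918C02Ac59", "Polygon", "Stake.com Exploiter"),
    ("0x" + "0" * 39 + "1", "Ethereum", "Constructed Control Label"),
]

def shared_addresses(records):
    """Map each address carrying more than one distinct label to those labels."""
    by_addr = defaultdict(set)
    for addr, _chain, label in records:
        # EVM addresses are case-insensitive apart from the EIP-55 checksum,
        # so compare them lowercased.
        by_addr[addr.lower()].add(label)
    return {a: ls for a, ls in by_addr.items() if len(ls) > 1}

def label_clusters(records):
    """Union-find over labels: two labels merge when one address carries both."""
    parent = {label: label for _a, _c, label in records}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    for labels in shared_addresses(records).values():
        first, *rest = sorted(labels)
        for other in rest:
            parent[find(other)] = find(first)

    clusters = defaultdict(set)
    for label in parent:
        clusters[find(label)].add(label)
    return list(clusters.values())

def possibly_linked(records, attributed_label):
    """Labels in the same cluster as one that already has an attribution."""
    for cluster in label_clusters(records):
        if attributed_label in cluster:
            return cluster - {attributed_label}
    return set()
```

Calling `possibly_linked(LABELS, "Stake.com Exploiter")` returns the Alphapo and CoinEx labels, while the constructed control label stays in its own cluster.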
