Orbit Bridge Hacker Suspected in Coinspaid and Coinex Breaches
Last updated: January 4, 2024 06:21 EST . 2 min read
Blockchain analysts from Match s have found that the Orbit Chain hackers used the same tactics as those in several other high-profile attacks – suggesting that a cybercrime organization, possibly the infamous Lazarus Group, stands behind these hacks.
This criminal group seems to have been busy last year. Cointelegraph cited a January 3, 2024, report by Match s, naming Coinspaid, Coinex, and Atomic Wallet among the group’s victims.
Per the report,
As the new year approached, hackers exploited Orbit Bridge, the cross-chain bridging service of a South Korean-based multi-asset Orbit Chain, making off with $82 million.
Common Threads
The analysts found that the hackers used Tornado Cash. Their gas funds came from other accounts that had withdrawn them from the popular crypto mixer.
A mixer ‘mixes’ different funds in order to obscure the trail leading back to the original sources. Hackers therefore use it to blend their identifiable funds with others’ funds.
That said, Match reportedly ‘de-mixed’ the funds using specialized software. It analyzed the “characteristics and patterns before and after the Tornado.cash mixer, considering transaction volumes and dates/times, as well as other specialized methods.”
What the team discovered was a group of addresses. One of them used the SWFT protocol to transfer funds to other addresses. The protocol was also used in the DFX Finance, Deribit, and AscendEX attacks.
Following the Orbit attack, a portion of the funds sent through SWFT traveled through a number of chains, gathering in a Tron wallet. It was then transferred to an exchange and cashed out.
Another common factor, the analysts argue, is that the attackers used Avalanche Bridge and Sinbad in the Orbit attack and several earlier attacks.
Per the team,
Lazarus was Responsible for a Fifth of Total Losses in 2023
The North Korea-affiliated hacker group Lazarus was responsible for $308.6 million stolen in 2023, the major bug bounty and security services platform Immunefi found. This is a whopping 17% of the year's total losses.
The group was allegedly behind the high-profile attacks on Atomic Wallet, CoinEx, Alphapo, Stake, CoinsPaid, and the massive Ronin Network attack, resulting in a $625 million loss.
In December, Immunefi CEO Mitchell Amador commented that,