According to Foresight News, SlowMist discovered during the analysis of the CoinEx attack that the CoinEx hackers may be the North Korean hacker group Lazarus Group. The specific links are as follows:
1. The known Alphapo Exploiter (TDrs…WVjr) exchanged TRX for ETH through TransitSwap and cross-chained to the address (0x22be3b0a943b1bc0ea3aec2cb3ef511f3920a98d), so the address was also marked as Alphapo Exploiter on Ethereum;
2. The hacker address 0x22be3b0a943b1bc0ea3aec2cb3ef511f3920a98d is marked as Alphapo Exploiter on Ethereum and Stake.com Exploiter on BNB Chain, which means that the address is a shared address;
3. 0x75497999432B8701330fB68058bd21918C02Ac59 is marked as CoinEx Exploiter on Arbitrum and OP Mainnet, and as Stake.com Exploiter on Polygon, which means that the address is a shared address.
Since Stake.com Exploiter has been linked to the North Korean hacker group Lazarus Group by the FBI, Alphapo Exploiter, Stake.com Exploiter and CoinEx Exploiter may all be part of the North Korean hacker group Lazarus Group.
