Orbit Bridge Hacker Suspected in Coinspaid and Coinex Breaches

Hack Orbit Chain Security
Last updated:
Journalist
Journalist
Sead Fadilpašić
About Author

Sead specializes in writing factual and informative articles to help the public navigate the ever-changing world of crypto. He has extensive experience in the blockchain industry, where he has served...

Last updated:
Why Trust Cryptonews
Cryptonews has covered the cryptocurrency industry topics since 2017, aiming to provide informative insights to our readers. Our journalists and analysts have extensive experience in market analysis and blockchain technologies. We strive to maintain high editorial standards, focusing on factual accuracy and balanced reporting across all areas - from cryptocurrencies and blockchain projects to industry events, products, and technological developments. Our ongoing presence in the industry reflects our commitment to delivering relevant information in the evolving world of digital assets. Read more about Cryptonews
Ad DisclosureWe believe in full transparency with our readers. Some of our content includes affiliate links, and we may earn a commission through these partnerships.
Source: AdobeStock / Tamara

Blockchain analysts from Match Systems have found that the Orbit Chain hackers used the same tactics as those in several other high-profile attacks – suggesting that a cybercrime organization, possibly the infamous Lazarus Group, stands behind these hacks.

This criminal group seems to have been busy last year. Cointelegraph cited a January 3, 2024, report by Match Systems, naming Coinspaid, Coinex, and Atomic Wallet among the group’s victims.

Per the report,

“[The analysis] gives reason to believe that the same criminal group may be involved in the hacking of the Orbit bridge, which in 2023 had previously committed several large hacks of the cryptocurrency services Atomic wallet, CoinsPaid, CoinEx, etc., using tools and patterns of the well-known Lazarus group.”

As the new year approached, hackers exploited Orbit Bridge, the cross-chain bridging service of a South Korean-based multi-asset Orbit Chain, making off with $82 million.

Read more: Are Hackers Two Steps Ahead of Security in a Cat-and-Mouse Game? Experts Answer

Common Threads

The analysts found that the hackers used Tornado Cash. They had gas funds from other accounts that withdrew them from the popular crypto mixer.

A mixer does ‘mixes’ different funds in order to obscure the trail leading back to the original sources. Therefore, hackers use it to mix their identifiable funds with others’ funds.

That said, Match System reportedly ‘de-mixed’ the funds using specialized software. It analyzed the “characteristics and patterns before and after the Tornado.cash mixer, considering transaction volumes and dates/times, as well as other specialized methods.”

What the team discovered was a group of addresses. One of them used the SWFT protocol to transfer funds to other addresses. The protocol was also used in the DFX Finance, Deribit, and AscendEX attacks.

Following the Oribit attack, a portion of the funds sent through SWFT traveled through a number of chains, gathering in a Tron wallet. It was then transferred to an exchange and cashed out.

Another common factor, the analysts argue, is that the attackers used Avalanche Bridge and Sinbad in the Orbit attack and several earlier attacks.

Per the team,

“[These are] tools and patterns of the well-known Lazarus group.”

Read more:Blockchain Association Sues OFAC Over Sanctions on Tornado Cash

Lazarus was Responsible for a Fifth of Total Losses in 2023

The North Korea-affiliated hacker group Lazarus was responsible for $308.6 million stolen in 2023, the major bug bounty and security services platform Immunefi found. This is a whopping 17% of the total year losses.

The group was allegedly behind the high-profile attacks on Atomic WalletCoinExAlphapoStakeCoinsPaid, and the massive Ronin Network attack, resulting in a $625 million loss.

Source: Immunefi

The Immunefi team recently published a report focusing specifically on the Lazarus Group. It found that, between 2021 and 2023, the group stole $1,903,600,000 across the Web3 ecosystem.

In December, Immunefi CEO Mitchell Amador commented that,

“As we approach 2024, their escalating sophistication is concerning. Their proficiency in exploiting infrastructure vulnerabilities, smart contract weaknesses, as well as their meticulous social engineering operations, underscores their emergence as perhaps the most pressing threat to web3 today.”

Read more:Record Losses in Web3 May Be Coming as Crypto Prices Rise: Immunefi

More Articles

Blockchain News
Martial Law Chaos: South Korea Pauses ‘All’ Work on Crypto Legislation
Tim Alper
Tim Alper
2024-12-10 23:30:00
DeFi News
Celsius Exec Sentencing Delayed as Alex Mashinsky Strikes Deal with US Prosecutors
Hassan Shittu
Hassan Shittu
2024-12-10 22:03:15
Crypto News in numbers
editors
Authors List + 66 More
2M+
Active Monthly Users Around the World
250+
Guides and Reviews Articles
8
Years on the Market
70
International Team Authors