North Korea's cybercriminal elite just pulled off another crypto heist—and they didn’t even bother changing their playbook.
Same exploit, new victim
The Lazarus Group, Pyongyang’s notorious hacking squad, drained $44M from Indian exchange CoinDCX using the exact same vulnerability they exploited in 2022’s WazirX attack. Forensic analysts spotted identical transaction patterns: fake KYC documents, spoofed IPs, and that telltale 72-hour withdrawal delay.
Security theater crumbles
While exchanges keep touting 'military-grade encryption,' Lazarus keeps bypassing it with social engineering 101. This time? A compromised admin account—no zero-day required. 'They’re not hacking blockchains,' notes Chainalysis’ lead investigator. 'They’re hacking compliance departments.'
The $44M question
CoinDCX claims user funds are safe (thanks to those generous insurance pools funded by... oh right, trader fees). Meanwhile, Lazarus launders the loot through DeFi mixers—because nothing says 'decentralized finance' like state-sponsored thieves using your liquidity pool as a car wash.
Another day, another nine-figure reminder that crypto’s biggest vulnerability still wears a tie.
Hackers Only Took 5 Min to Siphon Funds – Analysis
The cybersecurity team emphasised that the speed, precision, and cross-chain sophistication of this breach made it “alarming.”
The North Korean hacker group carefully planned a pre-attack setup from July 16, conducting a “test transaction” on 1 USDT.
“In just five minutes, 44 million USDT is siphoned out in rapid-fire bursts,” the analysts wrote, citing 7 separate transactions.
Hackers stole around $44.2M in USDC/USDT from one of the exchange’s operational wallets on Solana, Cyvers added.
Further, the Cyvers team stressed that the attacks on two distinct Indian crypto exchanges, WazirX and CoinDCX, “aren’t coincidences,” but “warnings.”
“If Lazarus is accelerating its focus on India’s largest exchanges, preemptive threat prevention isn’t optional,” cybersecurity experts noted. “It’s the only line of defense.”
CoinDCX Announces Recovery Bounty Program
The exchange has announced a recovery bounty program, where up to 25% of any recovered funds will be awarded to individuals or teams that help trace and retrieve the stolen crypto.
CoinDCX CEO Sumit Gupta took to X, stressing the need to identify and catch the attackers, more than recovering the stolen funds.
Announcing the @CoinDCX Recovery Bounty Program: Up to 25% of any recovered funds will be awarded to individuals or teams who can help trace and retrieve the stolen crypto.
Just to give more context:
-> We want to be upfront. The exposure was from our own reserves, and we have… https://t.co/GHHlxf3PxB
“Because such things shouldn’t happen again, not with us, not with anyone in the industry,” he wrote. “We will fight this and ensure that the Indian crypto community comes out of this stronger.”
Per the announcement, depending on the success of the assets recovery, the bounty could amount to as much as $11 million.
