TechFlow news, during its analysis, SlowMist discovered that the CoinEx hacker might be the North Korean hacking group Lazarus Group. The specific connections are as follows:
-
1. The known Alphapo exploiter (TDrs...WVjr) exchanged TRX for ETH via TransitSwap and bridged to the address (0x22be3b0a943b1bc0ea3aec2cb3ef511f3920a98d). Therefore, this address on the Ethereum chain is also labeled as the Alphapo Exploiter;
-
2. The hacker address 0x22be3b0a943b1bc0ea3aec2cb3ef511f3920a98d is labeled as the Alphapo Exploiter on the Ethereum chain and as the Stake.com Exploiter on the BSC chain, indicating this address is shared;
-
3. Address 0x75497999432B8701330fB68058bd21918C02Ac59 is labeled as the CoinEx Exploiter on the ARB and OP chains and as the Stake.com Exploiter on the Polygon chain, indicating this address is shared.
Since the Stake.com Exploiter has already been linked by the FBI to the North Korean hacking group Lazarus Group, the Alphapo Exploiter, Stake.com Exploiter, and CoinEx Exploiter may all belong to the North Korean hacking group Lazarus Group.




