Alex Lab, a Bitcoin-based DeFi protocol, revealed new details about the hack it suffered in May. The project announced it had potentially identified the attacker with the help of a blockchain sleuth while the police continued to investigate the incident.
DeFi Protocol Loses Millions To Phishing Attack
On May 15, the Alex Lab Foundation fell victim to an exploit that took millions in users’ funds. The DeFi protocol unveiled that the attacker obtained private keys via a phishing attack, granting them full access to the funds.
The attacker used the compromised keys to access one of the vaults associated with the Alex Liquidity Pool, which compromised all assets in the vault.
The affected asset list includes aBTC, sUSDT, XBTC, xUSD, ALEX, atALEX, LiSTX, SKO, CHAX, $B20, ORDG, ORMM, ORNJ, TRIO, TX20, and STXS. Nonetheless, the project stated that its underlying smart contract code and infrastructure had not been compromised.
After taking over as the administrator, the attacker drained around 13.7 million Stacks (STX), 3 million of which they sent to several centralized exchanges (CEXs). Per the report, the exploiters sent STX to Binance, Kraken, OKX, Bybit, Kucoin, and other exchanges.
By May 16, the DeFi Project had recovered most of the affected assets. Additionally, it revealed to be monitoring the exploiter’s wallets and to have notified the involved CEXs.
Alex Lab also stated that a portion of the stolen funds, worth around $4 million, were in the process of being recovered from one of the centralized exchanges. However, the protocol explained that there were no guarantees that all stolen funds could be retrieved.
Lazarus Group Linked To The Attack
On June 17, Alex Lab updated investors on the status of the incident. After failing to contact the exploiter, the DeFi protocol continued to track down the stolen assets.
As a result, the team found that the hacker had broadcasted nearly 10,000 transactions in a month. Per the post, the attacker generated hundreds of new addresses to disperse the on-chain STX tokens. After sending the balance to the new wallets, the tokens were transferred to CEXs in smaller amounts.
The number of wallets related to the exploit increases exponentially daily “without sign of pause.” Last week, 8.3 million STX, worth around $14 million, had been deposited to CEXs. Meanwhile, approximately 5.5 million STX remained on-chain.
On June 24, Alex Lab detailed crucial new findings in the ongoing investigation. According to the DeFi protocol, they had potentially identified its attackers.
Seemingly, some of the exploit addresses have been linked back to the North Korean hacking group Lazarus Group. The forensic analysis, assisted by crypto detective ZachXBT, revealed “substantial transaction evidence linking the attack to the Lazarus Group.”
The initial exploit address where the funds were originally sent transferred funds to a second address, which seems connected to the North Korean hacking group. The transaction history shows that the second address “used a known Lazarus TRON address.”
The Foundation explained they had facilitated contact between the CEXs and the Singapore Police Force. Lastly, they stated they are collaborating with cybersecurity experts to “address the implications of this attack and to recover the lost assets.”
