
CoinEx Exchange Breach: How North Korean Hackers Siphoned $70 Million in September 2023

The cryptocurrency security landscape took another severe hit in September 2023 when Hong Kong-based exchange CoinEx fell victim to a sophisticated cyberattack resulting in approximately $70 million in stolen digital assets. Blockchain analysts quickly pointed to North Korea’s notorious Lazarus Group as the primary suspect, marking yet another chapter in the state-sponsored cybercrime syndicate’s ongoing campaign against centralized crypto platforms.

The Exploit Mechanics

The CoinEx breach was discovered on September 12, 2023, when the exchange’s security team detected unauthorized withdrawals from its hot wallets. The attackers systematically drained multiple cryptocurrency pools, including Bitcoin, Ethereum, Tron, and various ERC-20 tokens, before the exchange could freeze affected wallets.

According to blockchain forensics firms, the attackers exploited compromised private keys — a hallmark of Lazarus Group operations. The stolen funds were quickly moved through a series of intermediate wallets and distributed across multiple blockchain networks in an effort to obscure the trail. Security researchers at SlowMist and Elliptic traced the movement of funds to wallets previously associated with North Korean cyber operations.

The attack vector bore striking similarities to other Lazarus Group campaigns observed throughout 2023. In each case, the group leveraged social engineering to gain initial access to exchange infrastructure, followed by lateral movement to compromise key management systems. Once private keys were obtained, the attackers executed rapid, automated withdrawals across multiple chains simultaneously.

Affected Systems

CoinEx’s hot wallet infrastructure was the primary target. The exchange confirmed that its cold storage systems remained secure throughout the incident, which limited the total damage. Affected assets included significant holdings of BTC, ETH, TRX, and various stablecoins. At the time of the breach, Bitcoin was trading at approximately $26,900, while Ethereum held near $1,670 — prices that contextualize the severity of the loss.

The breach was part of a broader Lazarus Group campaign throughout September 2023. Just days earlier, on September 6, the FBI attributed a $41 million theft from Stake.com to the same North Korean group. Combined with the CoinEx incident, Lazarus was responsible for over $110 million in crypto thefts in a single month, bringing their 2023 total to well over $200 million.

Other exchanges and platforms targeted by Lazarus in 2023 included Atomic Wallet ($100 million loss in June), Alphapo ($60 million in July), and CoinsPaid ($37 million in July). The escalating frequency and sophistication of these attacks underscored the persistent threat posed by state-sponsored cybercrime actors.

The Mitigation Strategy

CoinEx responded by immediately halting all deposits and withdrawals, initiating a comprehensive security audit, and engaging external cybersecurity firms to investigate the breach. The exchange pledged to cover 100% of user losses from its own reserves, a commitment that helped prevent a broader panic among its user base.

For the broader industry, the incident reinforced several critical mitigation strategies. First, exchanges must implement multi-signature key management systems that require multiple approvals for large withdrawals. Second, real-time transaction monitoring with anomaly detection can identify and halt suspicious withdrawals before funds leave the platform. Third, regular security audits by independent firms — particularly focusing on key management and access controls — remain essential.

Hardware security modules (HSMs) should be used to store private keys, with strict access policies that prevent any single individual from accessing complete key material. Additionally, time-lock mechanisms on large withdrawals can provide a window for manual review and intervention.
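The controls described in this section can be combined in one withdrawal gate. The sketch below is an added example, not code from CoinEx or from this article: large withdrawals need multiple approvers and must wait out a time-lock, and a rolling outflow cap shared across all chains halts everything when tripped. All thresholds, names and sample requests are constructed assumptions.

```python
from dataclasses import dataclass, field

# All thresholds are illustrative assumptions, not values from the article.
LARGE_USD = 250_000         # at or above this: multi-approval + time-lock
REQUIRED_APPROVERS = 2      # distinct approvers needed for a large withdrawal
TIME_LOCK_S = 3600          # review window before a large withdrawal may leave
WINDOW_S = 600              # rolling window for outflow monitoring
WINDOW_CAP_USD = 1_000_000  # max hot-wallet outflow per window, all chains combined


@dataclass
class HotWalletGuard:
    released: list = field(default_factory=list)  # (timestamp, usd) already sent
    halted: bool = False

    def evaluate(self, now, usd, approvers=(), requested_at=None):
        """Return 'release', 'hold' (needs review) or 'halt' (circuit breaker)."""
        if self.halted:
            return "halt"
        # Anomaly check: outflow in the rolling window is summed across chains,
        # so a drain split over BTC/ETH/TRX still trips one shared limit.
        self.released = [(t, v) for t, v in self.released if now - t < WINDOW_S]
        if sum(v for _, v in self.released) + usd > WINDOW_CAP_USD:
            self.halted = True  # stays halted until an operator resets it
            return "halt"
        if usd >= LARGE_USD:
            if len(set(approvers)) < REQUIRED_APPROVERS:
                return "hold"   # no single individual can authorize it
            if requested_at is None or now - requested_at < TIME_LOCK_S:
                return "hold"   # time-lock still running
        self.released.append((now, usd))
        return "release"


def run_sample():
    """Replay constructed requests: (now, chain, usd, approvers, requested_at)."""
    requests = [
        (0, "ETH", 40_000, (), None),                   # routine withdrawal
        (30, "TRX", 300_000, ("alice",), 30),           # large, one approver
        (60, "BTC", 300_000, ("alice", "bob"), 60),     # large, lock not elapsed
        (3700, "BTC", 300_000, ("alice", "bob"), 60),   # large, lock elapsed
        (3710, "ETH", 200_000, (), None),               # burst of sub-threshold
        (3720, "TRX", 200_000, (), None),               # withdrawals spread
        (3730, "BTC", 200_000, (), None),               # across three chains
        (3740, "ETH", 200_000, (), None),               # pushes window over cap
        (3750, "TRX", 10, (), None),                    # anything after the halt
    ]
    guard = HotWalletGuard()
    return [guard.evaluate(now, usd, appr, req) for now, _chain, usd, appr, req in requests]
```

The burst at the end stays under the per-withdrawal threshold on every request, which is why the shared rolling cap, not the size check, is what stops it.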

Lessons Learned

The CoinEx hack, viewed alongside the Stake.com and other September 2023 breaches, offers several important lessons for the cryptocurrency industry. Centralized exchanges remain the primary targets for sophisticated threat actors because they concentrate large volumes of assets in relatively accessible hot wallet systems. While cold storage provides robust protection for the majority of funds, the hot wallet infrastructure needed for daily operations creates an unavoidable attack surface.

The Lazarus Group’s continued success also highlights the need for improved cross-platform intelligence sharing. Blockchain analytics firms were able to trace the stolen funds quickly, but by the time the pattern was identified, significant portions had already been moved through decentralized exchanges and mixing services.

Regulatory frameworks mandating minimum security standards for cryptocurrency exchanges — including key management protocols, insurance requirements, and regular penetration testing — could significantly reduce the impact of such attacks. Several jurisdictions have begun implementing such requirements, but global coordination remains limited.

User Action Required

For individual cryptocurrency users, the CoinEx breach serves as a reminder of fundamental security practices. Users should never keep more funds on any single exchange than necessary for active trading. Hardware wallets provide the strongest protection for long-term holdings. Enabling two-factor authentication using hardware keys (not SMS-based 2FA) adds a critical layer of account security.

Users should also monitor their exchange accounts regularly for unauthorized activity and enable withdrawal whitelist features where available. In the event of a breach, acting quickly to withdraw remaining funds to a personal wallet can prevent further losses. The cryptocurrency community must continue advocating for stronger security standards across all centralized platforms.

Disclaimer: This article is for informational purposes only and does not constitute financial or security advice. Always conduct your own research before making decisions about cryptocurrency storage or trading.


11 thoughts on “CoinEx Exchange Breach: How North Korean Hackers Siphoned $70 Million in September 2023”

    1. the DPRK crypto operation is genuinely sophisticated. dedicated teams rotating through exchanges looking for key management flaws

    2. DNC hack energy redirected at defi. DPRK treats crypto exchanges like nation-state targets because the funding goes straight to weapons programs

  1. CoinEx detected it within hours which is better than most. still, $70M through hot wallets means they were way overexposed

    1. same mixer across multiple hacks and it's still running. chain analysis firms keep writing reports nobody acts on

      1. chain analysis firms write reports but nobody actually freezes the mixer addresses. tornado cash got sanctioned because americans used it. this one serves DPRK exclusively so it stays up

  2. cold storage for 95%+ of customer funds should be the legal minimum for any exchange. hot wallets are for daily liquidity nothing else

    1. hot wallets should be for withdrawal processing only. anything beyond operational float goes to cold storage. coinex had way too much sitting hot for an exchange their size

  3. another exchange, another hot wallet drain. how many times does this need to happen before platforms learn cold storage is non-negotiable for the bulk of funds

  4. $70M from hot wallets and the funds were already across 4 chains before anyone noticed. lazarus runs these like military operations because they literally are
