
PEPE Token Telegram Compromised as Lazarus Group Accelerates Crypto Attack Campaign

The cryptocurrency ecosystem faced another wave of security incidents on September 9, 2023, as the popular memecoin PEPE confirmed that its official Telegram account had been compromised. The breach came amid a broader escalation of attacks targeting crypto platforms, with North Korean hacking group Lazarus now linked to over $200 million in stolen funds throughout 2023 alone.

The Exploit Mechanics

On September 9, PEPE issued an urgent announcement via Twitter confirming that the project’s old Telegram account had been hijacked and was no longer under official control. Simultaneously, the Twitter account “lordkeklol” was also compromised and began posting fraudulent content designed to deceive community members. The attackers leveraged the residual trust associated with PEPE’s official branding to direct users toward malicious links embedded in compromised channels.

The attack followed a familiar pattern seen across multiple incidents during the week of September 4-10, 2023. According to SlowMist’s weekly security report, a total of 10 security incidents were recorded during this period, resulting in combined losses of approximately $42.5 million. The PEPE Telegram breach itself did not result in direct fund losses from the protocol, but it served as a vector for potential phishing attacks against community members holding the token.

With Bitcoin trading at approximately $25,896 and Ethereum at $1,635 on the same day, the broader market remained range-bound, meaning users were potentially more susceptible to social engineering tactics during a period of stagnant prices.

Affected Systems

The PEPE incident was part of a much larger campaign. Just days earlier, on September 4, the cryptocurrency betting platform Stake.com suffered a devastating attack resulting in losses of at least $41 million. The attack exploited a sophisticated vulnerability in the services Stake used to authorize on-chain transactions across Ethereum, Polygon, and BNB Chain. The attacker, identified by the address 0x22b…63f, used SquidRouter to convert stolen MATIC into other currencies including AVAX and USDC, then moved the funds across chains to Avalanche before converting them to BTC via ParaSwap.

On September 6, the FBI officially attributed the Stake.com attack to the North Korean Lazarus Group. The agency stated that the organization had stolen over $200 million in 2023, including approximately $100 million from the Atomic Wallet hack in June and $60 million from the Alphapo and CoinsPaid breaches in July. The Lazarus Group’s methods have become increasingly sophisticated, employing a combination of supply chain attacks, social engineering, and direct protocol exploitation.

Other incidents during the same week included a Discord attack on Saber DAO on September 4, a referral system exploit on GMBL COMPUTER that drained approximately $815,000 from the Arbitrum-based decentralized exchange, and a SIM swap attack on Ordinals Wallet’s Twitter account on September 7 linked to the PinkDrainer phishing gang.

The Mitigation Strategy

In response to the PEPE Telegram compromise, the project announced that all official communications would be channeled exclusively through their verified Twitter account until the situation was resolved. This represents a sensible short-term mitigation, though it highlights the ongoing challenge crypto projects face in securing their social media and community channels.

For the broader ecosystem, the Stake.com incident prompted renewed calls for multi-signature wallet architectures and improved key management practices. Stake.com co-founder Edward Craven confirmed that the platform’s private keys were not directly compromised, suggesting the attack exploited authorization mechanisms rather than fundamental key security. This distinction is critical for other platforms: it is not enough to secure private keys alone, as the transaction authorization layer itself must be hardened against sophisticated intrusion.

The GMBL COMPUTER case offered a rare positive outcome. After the team offered a bug bounty promising no legal action in exchange for the return of 90% of stolen funds, the attacker returned 235 ETH (approximately $382,000), representing roughly 50% of the total loss. While not a complete recovery, it demonstrates that engagement strategies can sometimes yield partial restitution.

Lessons Learned

The concentration of incidents during a single week underscores the systemic vulnerabilities present across the crypto landscape. Several key lessons emerge for both projects and individual users:

First, social media and communication channels remain prime targets for attackers. Projects must implement robust access controls, two-factor authentication, and monitoring systems for all official accounts. The PEPE and Ordinals Wallet incidents both exploited compromised social channels to amplify phishing attacks.

Second, the Lazarus Group’s continued success demonstrates that nation-state actors are increasingly targeting cryptocurrency platforms. The $200 million figure for 2023 alone represents a significant escalation, and the group’s operational sophistication — including cross-chain laundering through SquidRouter and ParaSwap — indicates substantial resources and planning.

Third, protocol-level security must extend beyond smart contract auditing. The Stake.com attack targeted transaction authorization infrastructure rather than contract code, highlighting the need for comprehensive security assessments that cover all layers of a platform’s technology stack.

User Action Required

For cryptocurrency users, the events of September 2023 serve as an urgent reminder to exercise caution when interacting with any unofficial channels or links. Users should verify all communications through multiple independent sources before clicking links or connecting wallets. Hardware wallet usage for significant holdings remains the most effective protection against phishing-induced fund losses. Additionally, enabling all available security features on social media accounts — including hardware-based two-factor authentication — can help prevent SIM swap attacks that compromise project accounts.
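One way to automate the verify-before-clicking advice above, for example in a channel moderation bot, is to check every link in a post against the hosts a project has published as official. This is an added example, not code from the article or from any project it names; the allowlist, hostnames and sample post are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Constructed allowlist: hosts the project has published as official.
OFFICIAL_HOSTS = {"pepe-project.example", "docs.pepe-project.example"}
URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.IGNORECASE)

def classify_link(url, official=OFFICIAL_HOSTS):
    """Return (verdict, reason); anything not provably official is blocked."""
    try:
        parts = urlsplit(url)
        host = (parts.hostname or "").rstrip(".")
    except ValueError:
        return "block", "unparseable URL"
    if not host:
        return "block", "no host"
    if parts.username is not None:
        return "block", "userinfo before '@' hides the real host"
    if not host.isascii() or any(l.startswith("xn--") for l in host.split(".")):
        return "block", "internationalized host, possible homoglyph"
    if parts.scheme.lower() != "https":
        return "block", "not https"
    if host in official:
        return "allow", "exact match with published host"
    if any(host.endswith("." + good) for good in official):
        return "block", "unlisted subdomain of an official host"
    if any(good in host for good in official):
        return "block", "official name embedded in another domain"
    return "block", "host not on allowlist"

def scan_post(text, official=OFFICIAL_HOSTS):
    """Classify every http(s) link found in a channel post."""
    results = []
    for match in URL_RE.finditer(text):
        url = match.group(0).rstrip(".,;:!?")  # drop sentence punctuation
        results.append((url, *classify_link(url, official)))
    return results

# Constructed sample post of the kind a hijacked channel might carry.
SAMPLE_POST = (
    "Migration is live! Connect: https://pepe-project.example.claim-portal.invalid/connect "
    "Mirror: https://pepe-project.example@claim.invalid/airdrop. "
    "Official site: https://pepe-project.example/announcements"
)

if __name__ == "__main__":
    for url, verdict, reason in scan_post(SAMPLE_POST):
        print(f"{verdict:5} {url}  ({reason})")
```

Only the exact published host passes; the two lookalike links are blocked even though both contain the official name.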

Disclaimer: This article is for informational purposes only and does not constitute financial or security advice. Always conduct your own research and consult with security professionals regarding the protection of digital assets.


10 thoughts on “PEPE Token Telegram Compromised as Lazarus Group Accelerates Crypto Attack Campaign”

  1. PEPE telegram hacked and lordkeklol compromised on the same day. slowmist counted 42.5M in losses that week alone. september 2023 was brutal

  2. Lazarus linked to over 200M stolen in 2023 and they keep using the same playbook. Social engineering into phishing into wallet drains.

  3. memecoin communities are the easiest targets. high engagement, low security awareness, and everyone trusts the admin accounts blindly

    1. ^ this. pepe holders were fresh off the hype cycle and probably clicking every link that looked remotely official. perfect storm

    2. moonboi_42 memecoin admins getting phished is basically a weekly event now. the bar for security in these communities is below zero

    3. spot on. memecoin telegram channels are like phishing playgrounds. admins share links constantly so users are trained to click without thinking

  4. 10 incidents in one week totaling 42.5M and the Stake.com hack was 41M of that. The PEPE and Ordinals attacks were just noise by comparison.

    1. Maxim R. 41M of that 42.5M was Stake.com alone. the other 9 incidents were barely a blip but still real losses for the people affected

  5. Lazarus stealing 200M in a year and somehow PEPE telegram hack still made bigger headlines. priorities in this space are completely broken

  6. slowmist counting 42.5M in one week and PEPE telegram was just one of 10 incidents. the attack surface on crypto communities is way bigger than most realize
