The public may now be closer to identifying the culprits behind the Coincheck hack, the largest the cryptoeconomy has experienced to date.
Coincheck, a Japanese cryptocurrency exchange based in Tokyo, saw its NEM (XEM) hot wallet scraped by hackers last January. The attackers netted 520 million coins, which were then worth approximately $530 million USD. As such, the economic impact was larger than the fallout caused by the 2014 Mt. Gox hack, which cost that exchange’s traders upwards of $400 million.
In the wake of the XEM heist, Coincheck committed to compensating affected traders to the tune of $0.81 per every XEM lost with the exchange’s own revenues.
After the hack, speculation mounted that North Korean hackers were the culprits. Cybersecurity firms have found the country’s notorious hacker , Lazarus APT, did indeed steal billions of dollars worth of cryptocurrencies between 2017 and 2018. And Japan’s National Intelligence Service did initiate a probe last year as to whether Lazarus hackers led the Coincheck hack.
Russian Hackers Involved?
Yet a new report suggests Russian hackers, not North Korean hackers, may have been involved in the episode.
That report, published Monday by esteemed Osaka-based outlet Asahi Shimbun, revealed that computer viruses with definitive Russian origins had been discovered on the company computers of Coincheck employees.
Those viruses were Netwire and Mokes. Netwire is a trojan style malware, designed to discreetly penetrate users’ devices for the purposes of keylogging, collecting information, establishing remote access, and more. Similarly, Mokes is malware that’s been specialized to steal valuable information like passwords via backdoor techniques.
Cybersecurity experts consider both viruses to have been created in Russia. Notably, they are the types of malware that could have been used to compromise Coincheck’s internal system ahead of the exchange’s XEM hot wallet hack.
Of course, the presence of Netwire and Mokes on Coincheck computers doesn’t mean a direct forensic trail has yet been established to the hackers. Rather, the development has revealed new circumstantial evidence, i.e. that tools originating from Russia and that Russian or Eastern European hackers would’ve presumably been comfortable using have turned up at the scene of the crime.
Tools to “Incriminate Others”
It’s not beyond hackers to use tools that would superficially incriminate others, and it’s worth noting that Netwire and Mokes may have been used precisely for that reason: to throw off investigators from discovering the true perpetrators.
So it’s still theoretically possible that North Koreans were behind the Coincheck hack. Cybersecurity firm Kaspersky Lab has previously identified a wing within the increasingly advanced Lazarus Group they dubbed Bluenoroff. Kaspersky’s experts have said Bluenoroff specializes in financial attacks, meaning the team would have the technical skills to 1) lead a devastating attack on Coincheck and 2) obfuscate their attack’s origins.
Yet the appareance of Netwire and Mokes in Coincheck’s infrastructure has others thinking otherwise. One cybersecurity expert who spoke to Asahi Shimbun said the viruses did indicate that Russian speakers could have been invovled.
Whatever investigators end up determining was the case, it appears the Coincheck hackers had more than just a passing knowledge of cryptocurrency tech.
That’s because the hackers seemed to have been aware that the NEM blockchain used the Proof of Importance (PoI) consensus mechanism. PoI incentivizes node runners to hold large amounts of XEM, and it seems the hackers realized Coincheck’s XEM hot wallet was a low hanging fruit, as XEM was the only cryptocurrency the exchange wasn’t storing safely in cold storage accordingly.
On a related and curious note, the Coincheck hack may have been the largest to date in the cryptoeconomy’s fledgling history, but the attackers didn’t make off with any money. The NEM Foundation somewhat controversially blacklisted the wallet the stolen XEM were sent to, which effectively condemned the coins to oblivion.