

Explained: The Poloniex Hack (November 2023)



Rob Behnke

November 17th, 2023


In November 2023, the Poloniex cryptocurrency exchange suffered a hack due to compromised private keys. The attackers — believed to be the infamous Lazarus Group — drained an estimated $126 million from the project’s hot wallets.

Inside the Attack

The Poloniex exchange hack is a classic example of a compromised hot wallet. Many other blockchain projects have suffered this type of attack, which involves the theft of the private key used to digitally sign transactions for a particular blockchain address. An attacker who obtains this private key can sign transactions on behalf of the address and send its tokens to an attacker-controlled wallet.

Like many of these recent attacks, this attack is believed to be the work of the Lazarus Group. The Lazarus Group is a cybercrime group associated with the government of North Korea and is known for its social engineering and custom malware attacks. While the Lazarus Group has performed cyberattacks across many industry verticals, they have also moved into the crypto space, pulling off high-profile attacks like the Ronin Network hack as well as many thefts of private keys used to drain hot wallets belonging to various blockchain projects.

The attribution of the Poloniex hack to the Lazarus Group is based not only on the type of attack — a compromised private key used to drain hot wallets — but also on the attacker’s on-chain activity. When performing an attack, the Lazarus Group tends to send each type of token to a different address, with each address handling only one token type. An intermediate address is then used to swap ERC20/TRC20 tokens on a decentralized exchange before forwarding them to a new address. Many of these steps — such as using separate addresses for different token types — are unnecessary (a single address can hold many token types), which makes this fund-flow pattern a recognizable signature of the Lazarus Group.
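The first stage of the fund-flow pattern described above (one destination address per token type) can be turned into a monitoring heuristic for a project's own hot wallets. The following is an added example, not code from the original post or from Halborn; the transfer records, address labels and token symbols are constructed, and the rule only covers the token-segregation stage, not the later DEX-swap stage.

```python
from collections import defaultdict

# Constructed sample transfers (not real on-chain data):
# (tx_index, from_address, to_address, token_symbol, amount)
SAMPLE_TRANSFERS = [
    (1, "hot_wallet_A", "sink_eth", "ETH", 4200.0),
    (2, "hot_wallet_A", "sink_usdt", "USDT", 9_000_000.0),
    (3, "hot_wallet_A", "sink_link", "LINK", 500_000.0),
    (4, "hot_wallet_A", "sink_usdt", "USDT", 3_000_000.0),
    # Normal operations: mixed tokens to one deposit address, or one token
    # consolidated to several addresses, should not trigger the rule.
    (5, "hot_wallet_B", "exchange_deposit", "ETH", 10.0),
    (6, "hot_wallet_B", "exchange_deposit", "USDT", 25_000.0),
    (7, "hot_wallet_C", "cold_1", "ETH", 100.0),
    (8, "hot_wallet_C", "cold_2", "ETH", 100.0),
]


def segregated_drain_candidates(transfers, min_token_types=2):
    """Flag source addresses whose outflows route every token type to its
    own dedicated destination (one destination per token, one token per
    destination). Returns {source: {token: destination}}."""
    # source -> destination -> set of token symbols seen on that edge
    by_source = defaultdict(lambda: defaultdict(set))
    for _tx, src, dst, token, _amount in transfers:
        by_source[src][dst].add(token)

    flagged = {}
    for src, dests in by_source.items():
        # Every destination must be single-purpose (exactly one token type).
        if any(len(tokens) != 1 for tokens in dests.values()):
            continue
        token_to_dest = {next(iter(tokens)): dst for dst, tokens in dests.items()}
        # A one-to-one token<->destination mapping with enough token types
        # is the signature; several sinks for the same token is just
        # ordinary consolidation and is not flagged.
        if len(token_to_dest) == len(dests) and len(token_to_dest) >= min_token_types:
            flagged[src] = token_to_dest
    return flagged


if __name__ == "__main__":
    for src, mapping in segregated_drain_candidates(SAMPLE_TRANSFERS).items():
        print(f"ALERT token-segregated outflow from {src}: {mapping}")
```

In practice the rule would be evaluated over a sliding time window of withdrawals from each hot wallet and combined with balance-drop thresholds to keep false positives low.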

Lessons Learned from the Attack

Like similar attacks, this one was made possible by blockchain wallets controlled by a single private key. If that key is exposed via social engineering or similar means, the attacker controls the wallet and every asset it holds.

Some best practices for protecting against this type of attack include favoring cold wallets over hot wallets and using multi-signature wallets, which require an attacker to compromise several keys rather than one before funds can be moved. To learn more about preventing this type of attack, check out our blog on 10 Ways to Secure Your Crypto Wallet From Hackers.