Cryptocurrency trading is speculative and your capital is at risk when you trade. We may earn affiliate commissions from some of the products on this page - at no extra cost to you.
Alex Lab Links $4M Exploit to North Korean Lazarus Group


  • Using substantial transaction evidence, Alex Lab links a $4 million exploit to North Korea’s Lazarus Group.
  • The May exploit involved siphoning $4.3 million and $13.7 million of Stacks (STX) tokens.
  • Despite offering a 10% bounty, the attackers did not return the stolen funds.

Bitcoin layer-2 developer Alex Lab suspects the $4 million exploit it experienced in May was orchestrated by the formidable North Korean hacking collective Lazarus Group. The exploit involved siphoning about $4.3 million and $13.7 million of the Stacks (STX) token. 

Suspected Culprits and Evidence

On June 25, Alex Lab shared findings pointing to three wallet addresses used by hackers on May 16 to drain funds from the Bitcoin-based decentralized finance (DeFi) protocol. They collaborated with independent blockchain sleuth ZachXBT to compile evidence linking Lazarus to the exploit.

In a detailed statement on X, formerly Twitter, Alex Lab revealed,

After extensive forensic analysis and investigations facilitated by blockchain analyst ZachXBT, substantial transaction evidence links the attack to the Lazarus Group.

The hackers exploited around $13.7 million worth of Stacks (STX) tokens. Some of the exploited funds were sent to centralized exchanges and subsequently frozen. The breach involved the hackers gaining access to the team’s private keys. However, the smart contracts of the Alex Protocol remained uncompromised.

Transaction Tracing and Forensic Analysis

On May 16, Alex Lab notified users about the attack on their BNB Smart Chain bridge. The attackers siphoned off around $4.3 million worth of funds. By June 20, the team reported that the attackers had broadcast over 11,800 STX transactions, using several DeFi protocols and bridges, including Arkadiko, Bitflow, and Allbridge, to launder the stolen STX.

Alex Lab stated, The following blockchain addresses and transactions were crucial in tracing the culprits and the flow of stolen assets: Initial Exploit Link: Address 0x418e337774d26365efeaa4700e889a9746330c4e was directly linked to the XLink/ALEX Exploit. That address sent funds to 0x639F61cA3E0e3fDCd654DC4A22579e7382dEBeA3. Connection to Lazarus Group: Address 0x639F61cA3E0e3fDCd654DC4A22579e7382dEBeA3 used a known Lazarus TRON address (TSMQQM9NMumDfZryQCtsKT5d5kgt7Ck2rm).”

Response and Recovery Efforts

In response to the attack, Alex Lab offered the attackers a 10% bounty to return 90% of the stolen funds and promised not to pursue legal action if the funds were returned. However, the attackers did not respond to the bounty request.

Alex Lab also facilitated contact between the Singapore Police Force and relevant cryptocurrency exchanges as part of the ongoing investigation. They stated,

Many of those STXs that we traced to CEXs are currently frozen, with the relevant exchanges indicating that they will continue to freeze stolen assets pending the police investigations. The Foundation will make an appropriate announcement once these frozen funds can be returned to the affected users.

Alex Lab remains committed to restoring the integrity of its platform and preventing future breaches. The team stated,

We are actively collaborating with international law enforcement and cybersecurity experts to address this attack’s implications and recover lost assets. Enhanced security protocols are being implemented to fortify our platform against similar threats.

The incident has significantly impacted the trading value of the ALEX token. Over the past week, it has slumped 18% and is down 48% over the last month. It is currently trading at $0.07269.

Read More


Buy Cryptos on eToro banner