Russian hackers are believed to be responsible for stealing tokens worth $534 million from Coincheck by using malware
In January 2018, Coincheck suffered the biggest theft from a cryptocurrency exchange in history. The exchange reported the loss of more than $530 million worth of NEM tokens, taken from its digital wallets. According to the latest investigation report, released on June 16th, the attack began with two different pieces of malware, Mokes and Netwire, which were found on employees' computers. The main suspect is a Russian hacking group that used these malicious programs to access the machines and carry out the needed transactions remotely.
The Coincheck breach occurred in January 2018 and immediately surpassed the Mt. Gox losses. It is now known that the hack began when the malware was emailed to one of the employees. Once Netwire and Mokes were on the system, the attackers accessed the machines and carried out the needed processes remotely.
Previously, this hack was linked to North Korean hackers, but the latest analysis by U.S. cybersecurity experts indicates that a Russian or Eastern European hacking group is behind the Coincheck attack. Fortunately, Coincheck was able to blacklist the wallet used to hold all the stolen XEM.
Netwire and Mokes viruses were used in this attack
The initial report states that Netwire and Mokes have a definite link to Russian hackers: both were created in that country.
These two are rather old malware threats: Mokes has been known since 2011, and Netwire emerged 12 years before it was emailed to employees at the crypto exchange. Netwire is categorized as a trojan horse that infects a user's device to record keystrokes and collect information. Mokes, meanwhile, is an info-stealer that targets valuable data such as passwords. It can also act as a backdoor to deliver other malware to the affected computer.
According to the analysis, these viruses could also have been used to compromise other parts of Coincheck's internal systems beyond the wallet. However, no evidence of further damage has been revealed.
Questions about North Korea and Russia remain unanswered
If Russian hackers are the ones who hacked Coincheck, the damage could be even greater, because after the DNC server hack during the 2016 elections these criminal groups have become seriously dangerous. The use of the previously mentioned malware could be a method to incriminate others and throw investigators off the trail of the real criminals responsible for these losses.
It is still possible that the Coincheck hack was the work of North Koreans, since the group dubbed Lazarus, and later named Bluenoroff, specializes in such financial attacks. The technical skills to attack a cryptocurrency exchange and hide the origins are there.
The presence of Netwire and Mokes on Coincheck's systems has cybersecurity experts questioning how deeply Russian hackers are involved. Since the investigation is still ongoing, experts have yet to determine the total losses. However, the crime required more than pure knowledge of cryptocurrency technology, because the criminals apparently knew particular facts about the company:
- The NEM blockchain uses the Proof of Importance consensus mechanism.
- PoI incentivizes node runners to hold large amounts of XEM.
- XEM was the only cryptocurrency that Coincheck wasn't storing safely.