Orbit hacker may have also performed Coinspaid, Coinex hacks - onchain experts

Match Systems used a “de-mixing” analysis to potentially discover the source of gas for the attack.

The attacker who drained $81.5 million from the Orbit bridge may have also been involved in several other 2023 crypto cyberattacks, including those against Coinspaid, Coinex, and Atomic Wallet, according to a January 3 report from blockchain analysts Match Systems seen by Cointelegraph.

Specifically, the report claims that its analysis “gives reason to believe that the same criminal group may be involved in the hacking of the Orbit bridge, which in 2023 had previously committed several large hacks of the cryptocurrency services Atomic wallet, CoinsPaid, CoinEx, etc., using tools and patterns of the well-known Lazarus group.”

Exploiter draining Tether (USDT) from Orbit Bridge. Source: Etherscan.

Match Systems attempted to trace the Orbit attacker’s activity on the blockchain. They discovered that the attacker’s account was pre-seeded with gas funds from other accounts that withdrew them from Tornado Cash. Withdrawing from Tornado Cash is a common tactic used by cybercriminals to obscure the source of their funds.

However, the analysts claim to have “successfully conducted de-mixing activities” to potentially reveal the source of these funds. In order to accomplish the de-mixing, they used specialized software to analyze the “characteristics and patterns before and after the Tornado.cash mixer, considering transaction volumes and dates/times, as well as other specialized methods.”
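As an added illustration of the timing-and-denomination matching the analysts describe, the following Python sketch links mixer withdrawals that pre-seeded an exploiter's gas back to a candidate set of earlier deposits. It is not Match Systems' software and uses a constructed ledger with placeholder addresses, not the actual Orbit transactions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class Tx:
    ts: datetime
    sender: str
    receiver: str
    amount: float  # value in ETH

MIXER = "0xMIXER_POOL"  # constructed placeholder for a mixer pool contract
ATTACKER = "0xATTACKER"  # constructed placeholder for the exploiter account
T0 = datetime(2023, 12, 30, 12, 0)

# Constructed sample ledger: deposits into the pool, withdrawals out of it,
# and the small transfer that pre-seeded the attacker account with gas.
SAMPLE_TXS = [
    Tx(T0 - timedelta(hours=100), "0xDEP_D", MIXER, 1.0),  # too old for the window
    Tx(T0 - timedelta(hours=30), "0xDEP_B", MIXER, 1.0),
    Tx(T0 - timedelta(hours=10), "0xDEP_A", MIXER, 1.0),
    Tx(T0 - timedelta(hours=5), "0xDEP_C", MIXER, 10.0),  # wrong denomination
    Tx(T0, MIXER, "0xGAS1", 1.0),  # withdrawal that later funds the attacker
    Tx(T0, MIXER, "0xOTHER", 1.0),  # withdrawal unrelated to the attacker
    Tx(T0 + timedelta(hours=1), "0xGAS1", ATTACKER, 0.5),  # gas pre-seeding
]

def gas_funders(txs, target):
    """Addresses that sent value to the target (the 'pre-seeded gas')."""
    return {t.sender for t in txs if t.receiver == target}

def mixer_withdrawals(txs, addrs):
    """Withdrawals from the pool that landed in any of the given addresses."""
    return [t for t in txs if t.sender == MIXER and t.receiver in addrs]

def candidate_deposits(txs, withdrawal, window):
    """Deposits of the same denomination made within `window` before the withdrawal."""
    return [t for t in txs if t.receiver == MIXER and t.amount == withdrawal.amount
            and withdrawal.ts - window <= t.ts < withdrawal.ts]

def link_funding(txs, target, window=timedelta(hours=48)):
    """Map each mixer-funded gas source to the deposit addresses it may trace back to.
    The output is a candidate set, not proof: fixed denominations make collisions common."""
    return {w.receiver: sorted({d.sender for d in candidate_deposits(txs, w, window)})
            for w in mixer_withdrawals(txs, gas_funders(txs, target))}
```

On real data the candidate set is usually much larger, which is why the report describes combining volume and timing with "other specialized methods" rather than relying on either alone.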


This de-mixing revealed a group of addresses, one of which used the SWFT protocol to transfer funds to other addresses. A portion of the funds sent through SWFT went out into several other chains, ultimately ending up in a single Tron wallet.

From there, the Tron wallet sent them into an exchange to be cashed out. Match Systems could not confirm the location or jurisdiction of the exchange, but it claims that some evidence points to it being “related to the CIS [Commonwealth of Independent States] region.”

Match Systems claims that the SWFT protocol was also used in the DFX Finance, Deribit, and AscendEX attacks. In addition, Avalanche Bridge and Sinbad were used in both the Orbit attack and these earlier incidents, providing further common elements tying them together. Match Systems claims that these techniques are “tools and patterns of the well-known Lazarus group.”

The U.S. Federal Bureau of Investigation has identified a cybercriminal group called “Lazarus” as the perpetrators of the 2023 Atomic Wallet and Coinspaid hacks based on behavioral analysis derived from blockchain data.

The Orbit Bridge attack was the last major Web3 protocol exploit of 2023. It occurred on New Year’s Eve.