
DragonEx

Date:: March 24th, 2019

Amount Stolen:: $7,090,000

Tags:: 🍎 Applejeus

Attribution:: UN Security Council

Laundered Via:: Wasabi


Details

The attackers used software called “Worldbit-bot”, distributed through the domains wb-invest.net and wb-bot.org, to carry out the attack.

On March 24, 2019, the Singaporean exchange DragonEx was hacked, losing roughly $7 million in several cryptocurrencies. Through an elaborate phishing campaign, North Korean hackers used a trojanized version of a legitimate crypto trading application, QtBitcoinTrader, which they called Worldbit-bot. To enhance their credibility, the hackers registered websites for their fake companies and created several fictitious social media profiles for employees of the fabricated firms.

DragonEx is a cryptocurrency exchange based in Singapore. It has been active since 2017. DragonEx announced the news on its official Telegram channel on Monday, stating that, on Sunday, March 24, it had suffered a cyberattack that saw cryptocurrency funds owned by users and the exchange “transferred and stolen.” In later updates on the hack, DragonEx’s Telegram admin provided wallet addresses for 20 cryptocurrencies to which the stolen funds had apparently been transferred. The list included the top five cryptos by market capitalization: bitcoin (BTC), ether (ETH), XRP, litecoin (LTC) and EOS, as well as the tether stablecoin (USDT), for which six destination addresses were provided. The North Korean hacking group Lazarus was responsible. The hackers created a legitimate-looking fake company and convinced DragonEx employees to download malware onto their computers through Telegram and LinkedIn messages.

Singapore-Based Crypto Exchange DragonEx Has Been Hacked

Lazarus created a fake company claiming to offer an automated cryptocurrency trading bot called Worldbit-bot, complete with a slick website and social media presence for made-up employees.

The Chinese security service provider 360 Security has issued a warning that a large number of crypto exchanges have been targeted by the North Korean hacker group Lazarus / APT-C-26, and that the number is still rising after the recent hacks of the crypto exchanges DragonEx, Etbox and BiKi.

The analysis by the 360 Advanced Threat Response Team detailed that the attacking group registered two domains, wb-invest.net and wb-bot.org, last October in preparation for the attacks.

They then built the fake cryptocurrency trading software WorldBit-Bot on the open-source “Qt Bitcoin Trader”, embedding malicious code in it. The malicious software was disguised as a regular automated crypto trading platform under the domains wb-invest.net and wb-bot.org, which operated normally for half a year.

The attackers promoted the software to a large number of internal staff at cryptocurrency exchanges. The latest phishing attacks took place in January 2019 and March 2019.

According to China-based JohnWick Security, which has been assisting DragonEx in investigating the incident, customer service staff at DragonEx appear to have opened an installation package named wbbot.dmg from an unknown source. Analysis indicates a backdoor was embedded in the installation package, through which the hackers acquired the internal staff member’s access and then obtained the wallet private key.

The “WorldBit-Bot” software operates in much the same manner as the faked crypto trading software Celas Trade Pro.

This campaign formed the template for many of Lazarus’s subsequent hacks, which continue to use trojanized software as bait to lure unsuspecting crypto exchange employees into infecting company systems.

While most cyberattacks attributed to North Korea are categorized under the wide umbrella of the Lazarus Group, the UN Security Council publicly attributed this hack to a specific unit.

The attackers used trojanized software and created multiple, seemingly legitimate social media profiles to increase the perceived legitimacy of the original email.

Laundry

Other coins stolen were laundered with markedly less sophisticated—though ultimately successful—processes.

Employing the HODL technique, these hackers waited to sell a large proportion of stolen ETH at then-high prices in August 2020, almost a year and a half after the hack.

On-Chain


URLs