Investigations by ZachXBT
Reports, news, & insights shared by ZachXBT

Donation address
EVM
0x9D727911B54C455B0071A7B682FcF4Bc444B5596
SOL
investigations.sol
Investigations by ZachXBT
Someone was phished for $6.9M (~1807 Ether.fi-Liquid1) 27 minutes ago

Theft txn hash
0xd66e105f29843bf3766d36c910b85c4a194408a7d20f193b39356a39c73d74c8

Theft address
0xE56978D5F7E728C3AE545b2a0882F8BEeC50a19d
0xFC4EAA4ac84D00f1C5854113581F881b42b4A745

Last year this victim was also phished for $638K (2929 BNB)
Investigations by ZachXBT
Which one of you hacked Caitlyn Jenner lol
Investigations by ZachXBT
Someone was phished three minutes ago for $2.1M

Theft txn
0xa2aecccebe5fef03ca18dbcf890e3d4ea73bd17361b15df77ac9704b2d12f389

Theft address
0x41671a8219fF70b19e0D523C7d0C711c1AfCBB7e
0xFC4EAA4ac84D00f1C5854113581F881b42b4A745
Investigations by ZachXBT
A TAO holder had $11.2M (28.2K TAO) stolen from them on June 1, 2024.

Theft address
5G9Dpkg34SG3is47MzAjBdmV5iosGt1EJypFHzMPokkbymRA
0x09f76d4fc3bce5bf28543f45c4cee9999e0a0aaf

The attacker bridged the stolen funds to Ethereum and has been selling TAO for ETH and USDC. As of now they have 12.4K TAO ($5M) remaining and have been transferring USDC/ETH to Whitebit, HTX, & Binance.
Investigations by ZachXBT
Someone was drained for ~$2M worth of meme coins 16 hours ago

Currently the attacker still holds 4.2B ANDY ($1M).

I would closely monitor this address from the theft in the short term if you hold ANDY
0x238C20121768919a6A608E7a6B5D080d0040fc7c

The rest of the coins have already been sold for ETH.
Investigations by ZachXBT
The crypto exchange Bitforex mysteriously went offline in February 2024 and its crypto assets were transferred out without any communication from the team.

An address tied to the exchange holding $43M of assets just woke up and transferred ETH to a new address.

New address
0x14b0cB518EDF83e49e636047Db8853A4CAC6A1ff
Investigations by ZachXBT
AVAX is down 10% over the past few hours, likely due to this entity that started transferring 1.96M AVAX ($54.2M) to Coinbase, Binance, Gate, and bridging via THORChain.
0x327a81d0d128db8886d265be73c9fdda97194f30
Investigations by ZachXBT
I conducted a timing analysis and found highly probable BTC withdrawals made shortly after the AVAX deposits at both Coinbase and Binance.

587.75 BTC ($38.1M) was withdrawn from Coinbase to:
bc1q7pkc7h8td55s4em7tmlvd42wahjd4hm8lf035n

122.66 BTC ($7.95M) was withdrawn from Binance to:
bc1qezradgkklz3gczk9jjzn922ye7pgj4yd9pnupv

Update: This is likely due to the BTCTurk hack
Investigations by ZachXBT
Online casino Sportsbet was likely hacked for $3.5M+ by the same threat actor as BTCTurk two hours before, as funds from the thefts commingled.

Theft address
TDgZKxhyFQWCsNK1p7d1tVifeuW2DJTUEo
TQWSmSqns2BLczLEMpy96tNq3MagM66H4b
TJZ8NNxJETGDzGaWwSHwjGrzzz2Zhvexo2
Investigations by ZachXBT
US government just transferred 3940 BTC ($243M) of funds from the Silk Road hack to Coinbase Prime

Transaction hash
0f3f9a7c01d85c5747a3ae6cc9621cc30360390c4b681c1f95573e6bbcffed4f

Deposit address
3FGcXf5HiPkitjQp4xjGu7Gte6aK7w43su
Investigations by ZachXBT
Someone was just drained an hour ago for 6 x Bored Apes and 40 x Beanz NFTs

Theft address
0x0CDa1f8F94fA4301C6fD0740268cb41e1654D28C

Victim address
0xd7b2879c8922cd704e41e8cc1f18f6994d6b7c36
Investigations by ZachXBT
Community Alert: Compound Finance website seems to potentially be hijacked; do not visit the site for the time being.

Currently redirects to a newly registered phishing site.

Update: Compound Team resolved this
Investigations by ZachXBT
Sharing the $25M ransom payment made by CDK on June 21, 2024 to BlackSuit.

Transaction hash
8a41d7a6b75580f34f177628c39bd52ae9c8adc633fb5c874b3a09b253f3d4ef

Address
bc1q0c03s0c80uuxjq4jcyfhs4k8w5wu6ca9xhxsw9

Funds were then transferred to multiple centralized services after.
Investigations by ZachXBT
The Ethena Discord server is currently compromised; do not click links for the time being.
Investigations by ZachXBT
Looks like the Indian crypto exchange WazirX was potentially hacked for $230M+

Primary theft address
0x04b21735E93Fa3f8df70e2Da89e6922616891a88

Attacker still has $100M+ worth of SHIB and $4.7M+ FLOKI to sell

Update: My tracing thus far on the incident
Investigations by ZachXBT
As a way to reduce spam on X (formerly Twitter) the team will soon be adding a way to disable links in the replies.

Hopefully this will cut down on all of the gold verified phishing scams under the replies of posts we see so frequently.
Investigations by ZachXBT
Renzo Discord is currently compromised; do not click any links for the moment.
Investigations by ZachXBT
Someone was phished for $4.69M worth of PT-ezETH & PT-sz-rsETH an hour ago.

More than $23.2M has been phished from Pendle users since March 2024

Theft transaction hash
0x7357787481b25c99b61912af8159f866d4ff2e7d97039425b529e2890b23c4f6
0x26820ddb9aeb9a74ac757be5e182c83ec20443d2273bbd68d1d1fa86f2b131a0