The January 2018 hack of Coincheck, the Japanese cryptocurrency exchange, was the largest theft of cryptocurrency ever, with $530 million worth of NEM tokens stolen. Now, according to a report from the Japanese outlet Asahi Shimbun, Russian hackers might have been the ones who made off with the money.
The malware the hackers used was sent by email to employees at the exchange, and included the Mokes and Netwire viruses. Using these, the hackers were able to take control of the employees' machines.
The choice of these two pieces of malware is apparently the lead convincing investigators that Russian bad actors might have been behind the whole thing. Both are known tools of Russian hackers, and both have their origins in Russia. Mokes was first promoted on a Russian site in June 2011, and Netwire has been known to anti-virus experts since 2007.
Based on an interview with a U.S. cybersecurity expert, the use of these viruses makes it very likely that whoever stole the money was either Russian or from Eastern Europe.
This is a helpful narrowing of scope for the investigators, who had previously suspected the hackers were from overseas. It is a bit of a detour from their earlier theory of the case, though: as CoinDesk reported in October, North Korean hackers were being looked at for the same hack.
Even this new suspicion could fall apart. Is it really impossible that North Korean hackers, knowing that Netwire and Mokes would cast suspicion on a Russian group, would choose those tools for exactly that reason? It would seem that the investigators have a long way to go before this case is closed.
Coincheck has since moved on, though.