Security Firm Claims One Group Stole $200M in Numerous Exchange Hacks

One small group of hackers may have made off with $200 million by infiltrating numerous exchanges, security firm ClearSky claims.

AccessTimeIconJun 24, 2020 at 1:00 p.m. UTC
Updated May 9, 2023 at 3:09 a.m. UTC
10 Years of Decentralizing the Future
May 29-31, 2024 - Austin, TexasThe biggest and most established global event for everything crypto, blockchain and Web3.Register Now

One shadowy group of cyber criminals might be behind attacks on various crypto exchanges (including “decentralized” exchanges) dating back to 2018, Israeli cybersecurity firm ClearSky claimed in a report released on Wednesday.

"We estimate that the group managed to rake in more than $200 million in two years," the ClearSky report says about the cybercriminal collective the report calls CryptoCore. "We assess with medium level of certainty that the threat actor has links to the East European region, Ukraine, Russia or Romania in particular."

  • Key Events You Shouldn't Miss at Consensus 2024
    Key Events You Shouldn't Miss at Consensus 2024
  • What to Expect From Consensus 2024
    What to Expect From Consensus 2024
  • Will Solana and Altcoins Dominate the Market Next?
    Will Solana and Altcoins Dominate the Market Next?
  • What's Next for FIT21?
    What's Next for FIT21?
  • ClearSky co-founder Boaz Dolev said his firm found at least five exchange hacks over the past two years that followed a particular pattern, though he declined to identify these exchanges on the record. 

    “They can attack very quickly,” Dolev said of CryptoCore, which he claimed once deployed an attack just 12 hours after registering fresh domain names. “They’re not a big group, maybe three to four people … a small but effective operation.” 

    So far, ClearSky estimates the cyber criminal group stole $200 million over the past two years. Other firms have called the same group different names, such as “Leery Turtle.”

    Or Blatt, ClearSky’s threat intelligence team leader, said he believes the alleged thieves are rogues without military training or support. He described the attacks as “much less sophisticated” than ones conducted by Russian military intelligence officers indicted for influencing American elections while using bitcoin in 2016. 

    “They are cyber criminals and we know of other similar cybercrime groups,” Blatt said. “In order for such an attack to succeed, usually the [crypto exchange] employees need to be vulnerable to social engineering ... [We] didn’t see this attacker exploiting VPN [virtual private networks], for example, which is something we often see with other groups."

    Human error

    Dolev said crypto exchanges that don’t use the same level of security practices as banks are vulnerable to such attacks. 

    The report details how the hacker group allegedly gained access to several exchange executives’ private email accounts, then used spear-phishing – impersonating a high-ranking employee – “either from the target company itself or from a company that deals with the target,”  to acquire information that grants access to crypto wallets.

    Nicholas Percoco, head of security at the crypto exchange Kraken, said, “We routinely see attempts through multiple attack vectors, including social engineering attempts,” so his company often shares information with other exchanges targeted by such criminal campaigns. 

    Ignoring CryptoCore specifically (Kraken was not mentioned in ClearSky's report), Percoco said it is common for such cyber criminals to target several institutions in the same sector, especially the individuals who work at exchanges.

    The concept of such a social engineering campaign, as ClearSky described, makes sense to Percoco. This is why Kraken’s security chief said, in addition to technical controls, he focuses on training sessions across the staff because you “can’t patch a human.” Plus, Kraken Security Labs routinely tries to penetrate the exchange system and find vulnerabilities, he said. 

    “We will take all our employees, executives included, through extensive security training,” Percoco said. “We go very deep about home network security, social network security, even their own personal device security.” 

    Dolev warned that, especially considering the mass exodus to remote work caused by COVID-19, crypto exchanges face a “higher risk” in 2020. Indeed, Blatt added that CryptoCore appears to be more active since the coronavirus crisis began. 

    “If you put your money on an exchange, you don’t know if it’s secure or not,” Dovel concluded.


    Please note that our privacy policy, terms of use, cookies, and do not sell my personal information has been updated.

    CoinDesk is an award-winning media outlet that covers the cryptocurrency industry. Its journalists abide by a strict set of editorial policies. In November 2023, CoinDesk was acquired by the Bullish group, owner of Bullish, a regulated, digital assets exchange. The Bullish group is majority-owned by; both companies have interests in a variety of blockchain and digital asset businesses and significant holdings of digital assets, including bitcoin. CoinDesk operates as an independent subsidiary with an editorial committee to protect journalistic independence. CoinDesk employees, including journalists, may receive options in the Bullish group as part of their compensation.

    Learn more about Consensus 2024, CoinDesk's longest-running and most influential event that brings together all sides of crypto, blockchain and Web3. Head to to register and buy your pass now.