Hacker vs. Hacker: North Koreans Attempt to Phish Euler Exploiter of $200M in Crypto, Experts Say

An unlikely exchange played out on the Ethereum blockchain, sparking confusion and alarm.

AccessTimeIconMar 21, 2023 at 11:40 p.m. UTC
Updated May 9, 2023 at 4:11 a.m. UTC

Euler Finance’s efforts to recover nearly $200 million in stolen crypto hit yet another wrinkle Tuesday after a wallet linked to North Korean hackers tried to swindle the decentralized finance (DeFi) protocol’s exploiter.

The so-called Ronin bridge exploiter, which last March stole $625 million worth from crypto game Axie Infinity, sent an on-chain note to Euler’s exploiter asking it to decrypt an encrypted message. But according to the experts CoinDesk spoke with, the message was a phishing scam attempting to steal the credentials for the Euler exploiter’s wallet.

The unlikely exchange from one crypto hacker to another spurred confusion on Crypto Twitter and rang alarm bells at Euler Finance, which was already days into its own on-chain effort to recover the $200 million. Euler is a platform for borrowing and lending cryptocurrencies on the Ethereum blockchain.

The Lazarus Group is a hacker group allegedly tied to North Korea. Observers have accused Lazarus of mounting a multibillion-dollar campaign against the crypto world, the proceeds of which are said to fund North Korea's weapons program.

Minutes after the Ronin hacker wallet messaged the Euler hacker wallet, developers at Euler Finance tried to intervene with messages of their own. They warned their own hacker to be wary of the purported decryption software, saying “the simplest way out here is to return funds.”

Euler developers continued in a separate transaction, “Do not try to view that message under any circumstance. Do not enter your private key anywhere. Reminder that your machine may be also compromised.”


The Ronin hackers’ overtures may be a thinly veiled attempt to trick the Euler hacker into surrendering the private key – and thus the crypto – they stole from Euler Finance, said Hudson Jameson, a former developer at the Ethereum Foundation. But he said the motives behind the on-chain messages remain unclear.

“In my opinion, it is unknown why they are asking, but it definitely could be an attempt to see if the Euler hacker falls for a phishing attempt," Jameson told CoinDesk.

Stephen Tong, co-founder of security audit firm Zellic.io, speculated Ronin’s purported encrypted message may well contain an “offer” for the Euler hacker, “but we can't know for sure since we can't decrypt the message without the private key.”

The on-chain drama comes as Euler Finance tries to mount its own negotiation via messages encoded on the Ethereum blockchain. It was Euler Finance’s pleas for the return of $200 million that the hacker responded to Tuesday:

“We want to make this easy on all those affected. No intention of keeping what is not ours,” the hacker wrote back to Euler Finance, seemingly ignoring the Ronin exploiter’s attempted phish. The message continued: “will communicate shortly.”

The Ronin Bridge exploiter and the Euler Finance exploiter both did not immediately return a request for comment.

Tuesday’s messages weren’t the first time the two exploiters crossed paths. On March 17, the Euler Finance exploiter sent 100 ether (ETH) to wallets connected to the Lazarus Group’s Ronin heist. It was unclear why.

The messages highlight how Ethereum can be a platform for the unlikeliest of conversations, said Jameson.

“As opposed to centralized systems that maintain control of the messaging, the Euler exploiter provides an example of new age communications and processes in response to a public smart contract exploit."


Please note that our privacy policy, terms of use, cookies, and do not sell my personal information has been updated.

The leader in news and information on cryptocurrency, digital assets and the future of money, CoinDesk is a media outlet that strives for the highest journalistic standards and abides by a strict set of editorial policies. CoinDesk is an independent operating subsidiary of Digital Currency Group, which invests in cryptocurrencies and blockchain startups. As part of their compensation, certain CoinDesk employees, including editorial employees, may receive exposure to DCG equity in the form of stock appreciation rights, which vest over a multi-year period. CoinDesk journalists are not allowed to purchase stock outright in DCG.

CoinDesk - Unknown

Elizabeth Napolitano is a news reporter at CoinDesk.

CoinDesk - Unknown

Sage D. Young is a tech protocol reporter at CoinDesk. He owns a few NFTs, gold and silver, as well as BTC, ETH, LINK, AAVE, ARB, PEOPLE, DOGE, OS, and HTR.

Learn more about Consensus 2024, CoinDesk’s longest-running and most influential event that brings together all sides of crypto, blockchain and Web3. Head to consensus.coindesk.com to register and buy your pass now.