Hacker vs. Hacker: North Koreans Attempt to Phish Euler Exploiter of $200M in Crypto, Experts Say

An unlikely exchange played out on the Ethereum blockchain, sparking confusion and alarm.

AccessTimeIconMar 21, 2023 at 11:40 p.m. UTC
Updated May 9, 2023 at 4:11 a.m. UTC

Euler Finance’s efforts to recover nearly $200 million in stolen crypto hit yet another wrinkle Tuesday after a wallet linked to North Korean hackers tried to swindle the decentralized finance (DeFi) protocol’s exploiter.

The so-called Ronin bridge exploiter, which last March stole $625 million worth from crypto game Axie Infinity, sent an on-chain note to Euler’s exploiter asking it to decrypt an encrypted message. But according to the experts CoinDesk spoke with, the message was a phishing scam attempting to steal the credentials for the Euler exploiter’s wallet.

  • Has Crypto Become Political?
    Has Crypto Become Political?
  • FTX Victims File to Recover $8B in Forfeited Assets; Will Biden and Trump Shake Hands Before Debate?
    FTX Victims File to Recover $8B in Forfeited Assets; Will Biden and Trump Shake Hands Before Debate?
  • DJT Token Rallied 180% on Trump Rumors
    DJT Token Rallied 180% on Trump Rumors
  • How Fed's Interest Rate Decisions Could Affect Crypto
    How Fed's Interest Rate Decisions Could Affect Crypto
  • The unlikely exchange from one crypto hacker to another spurred confusion on Crypto Twitter and rang alarm bells at Euler Finance, which was already days into its own on-chain effort to recover the $200 million. Euler is a platform for borrowing and lending cryptocurrencies on the Ethereum blockchain.

    The Lazarus Group is a hacker group allegedly tied to North Korea. Observers have accused Lazarus of mounting a multibillion-dollar campaign against the crypto world, the proceeds of which are said to fund North Korea's weapons program.

    Minutes after the Ronin hacker wallet messaged the Euler hacker wallet, developers at Euler Finance tried to intervene with messages of their own. They warned their own hacker to be wary of the purported decryption software, saying “the simplest way out here is to return funds.”

    Euler developers continued in a separate transaction, “Do not try to view that message under any circumstance. Do not enter your private key anywhere. Reminder that your machine may be also compromised.”


    The Ronin hackers’ overtures may be a thinly veiled attempt to trick the Euler hacker into surrendering the private key – and thus the crypto – they stole from Euler Finance, said Hudson Jameson, a former developer at the Ethereum Foundation. But he said the motives behind the on-chain messages remain unclear.

    “In my opinion, it is unknown why they are asking, but it definitely could be an attempt to see if the Euler hacker falls for a phishing attempt," Jameson told CoinDesk.

    Stephen Tong, co-founder of security audit firm Zellic.io, speculated Ronin’s purported encrypted message may well contain an “offer” for the Euler hacker, “but we can't know for sure since we can't decrypt the message without the private key.”

    The on-chain drama comes as Euler Finance tries to mount its own negotiation via messages encoded on the Ethereum blockchain. It was Euler Finance’s pleas for the return of $200 million that the hacker responded to Tuesday:

    “We want to make this easy on all those affected. No intention of keeping what is not ours,” the hacker wrote back to Euler Finance, seemingly ignoring the Ronin exploiter’s attempted phish. The message continued: “will communicate shortly.”

    The Ronin Bridge exploiter and the Euler Finance exploiter both did not immediately return a request for comment.

    Tuesday’s messages weren’t the first time the two exploiters crossed paths. On March 17, the Euler Finance exploiter sent 100 ether (ETH) to wallets connected to the Lazarus Group’s Ronin heist. It was unclear why.

    The messages highlight how Ethereum can be a platform for the unlikeliest of conversations, said Jameson.

    “As opposed to centralized systems that maintain control of the messaging, the Euler exploiter provides an example of new age communications and processes in response to a public smart contract exploit."


    Please note that our privacy policy, terms of use, cookies, and do not sell my personal information has been updated.

    CoinDesk is an award-winning media outlet that covers the cryptocurrency industry. Its journalists abide by a strict set of editorial policies. In November 2023, CoinDesk was acquired by the Bullish group, owner of Bullish, a regulated, digital assets exchange. The Bullish group is majority-owned by Block.one; both companies have interests in a variety of blockchain and digital asset businesses and significant holdings of digital assets, including bitcoin. CoinDesk operates as an independent subsidiary with an editorial committee to protect journalistic independence. CoinDesk employees, including journalists, may receive options in the Bullish group as part of their compensation.

    Elizabeth Napolitano

    Elizabeth Napolitano was a news reporter at CoinDesk.

    Sage D. Young

    Sage D. Young was a tech protocol reporter at CoinDesk. He owns a few NFTs, gold and silver, as well as BTC, ETH, LINK, AAVE, ARB, PEOPLE, DOGE, OS, and HTR.