UK markets closed
  • FTSE 100

    -18.06 (-0.22%)
  • FTSE 250

    +24.27 (+0.11%)
  • AIM

    +1.56 (+0.20%)

    +0.0007 (+0.06%)

    -0.0007 (-0.06%)
  • Bitcoin GBP

    +1,500.13 (+3.09%)
  • CMC Crypto 200

    +1.51 (+0.11%)
  • S&P 500

    +18.96 (+0.34%)
  • DOW

    +507.88 (+1.26%)

    -0.90 (-1.10%)

    +40.90 (+1.68%)
  • NIKKEI 225

    +84.40 (+0.20%)

    -287.96 (-1.60%)
  • DAX

    -72.86 (-0.39%)
  • CAC 40

    -52.68 (-0.69%)

Hacker vs. Hacker: North Koreans Attempt to Phish Euler Exploiter of $200M in Crypto, Experts Say


Join the most important conversation in crypto and web3! Secure your seat today

Euler Finance’s efforts to recover nearly $200 million in stolen crypto hit yet another wrinkle Tuesday after a wallet linked to North Korean hackers tried to swindle the decentralized finance (DeFi) protocol’s exploiter.

The so-called Ronin bridge exploiter, which last March stole $625 million worth from crypto game Axie Infinity, sent an on-chain note to Euler’s exploiter asking it to decrypt an encrypted message. But according to the experts CoinDesk spoke with, the message was a phishing scam attempting to steal the credentials for the Euler exploiter’s wallet.

The unlikely exchange from one crypto hacker to another spurred confusion on Crypto Twitter and rang alarm bells at Euler Finance, which was already days into its own on-chain effort to recover the $200 million. Euler is a platform for borrowing and lending cryptocurrencies on the Ethereum blockchain.


The Lazarus Group is a hacker group allegedly tied to North Korea. Observers have accused Lazarus of mounting a multibillion-dollar campaign against the crypto world, the proceeds of which are said to fund North Korea's weapons program.

Minutes after the Ronin hacker wallet messaged the Euler hacker wallet, developers at Euler Finance tried to intervene with messages of their own. They warned their own hacker to be wary of the purported decryption software, saying “the simplest way out here is to return funds.”

Euler developers continued in a separate transaction, “Do not try to view that message under any circumstance. Do not enter your private key anywhere. Reminder that your machine may be also compromised.”


The Ronin hackers’ overtures may be a thinly veiled attempt to trick the Euler hacker into surrendering the private key – and thus the crypto – they stole from Euler Finance, said Hudson Jameson, a former developer at the Ethereum Foundation. But he said the motives behind the on-chain messages remain unclear.

“In my opinion, it is unknown why they are asking, but it definitely could be an attempt to see if the Euler hacker falls for a phishing attempt," Jameson told CoinDesk.

Stephen Tong, co-founder of security audit firm, speculated Ronin’s purported encrypted message may well contain an “offer” for the Euler hacker, “but we can't know for sure since we can't decrypt the message without the private key.”

The on-chain drama comes as Euler Finance tries to mount its own negotiation via messages encoded on the Ethereum blockchain. It was Euler Finance’s pleas for the return of $200 million that the hacker responded to Tuesday:

“We want to make this easy on all those affected. No intention of keeping what is not ours,” the hacker wrote back to Euler Finance, seemingly ignoring the Ronin exploiter’s attempted phish. The message continued: “will communicate shortly.”

Read more: Euler Finance to Offer $1M Reward as It Reels From Nearly $200M Exploit

The Ronin Bridge exploiter and the Euler Finance exploiter both did not immediately return a request for comment.

Tuesday’s messages weren’t the first time the two exploiters crossed paths. On March 17, the Euler Finance exploiter sent 100 ether (ETH) to wallets connected to the Lazarus Group’s Ronin heist. It was unclear why.

The messages highlight how Ethereum can be a platform for the unlikeliest of conversations, said Jameson.

“As opposed to centralized systems that maintain control of the messaging, the Euler exploiter provides an example of new age communications and processes in response to a public smart contract exploit."