On July 24, 2025, the cryptocurrency platform WOO X suffered a sophisticated targeted attack in which $14 million was siphoned from nine user accounts. All evidence points to the operation being orchestrated by the North Korean hacking collective UNC4899 (also known as Lazarus Group, TraderTraitor, or Jade Sleet), operating under the auspices of the DPRK’s intelligence apparatus. The company has since published a detailed incident report.
The attack began with a carefully crafted social engineering campaign directed at one of WOO’s developers. The perpetrators posed as members of the open-source community, offering assistance in debugging a development tool. After a brief exchange on a technical forum, the developer downloaded the provided file to a mobile device and later opened it on a company-issued MacBook.
Despite undergoing antivirus scanning, the file contained a hidden backdoor disguised as a system process. This foothold provided persistent access to WOO’s development environment, enabling the attackers to conduct reconnaissance, obtain administrative tokens, and alter critical details of nine valuable accounts—email addresses, password hashes, and two-factor authentication secrets. Several weeks later, they initiated withdrawals across multiple networks, including Bitcoin, Ethereum, BNB, and Arbitrum.
The unauthorized transactions were detected within two hours and immediately halted. All affected users were fully reimbursed from WOO’s treasury. The withdrawals were executed within an active VPN session protected by two-factor authentication—the attackers did not bypass defenses but instead embedded themselves within a legitimate context. Exploited technologies included Google Cloud Platform (GCP), Kubernetes (GKE in particular), Argo CD, and Apollo. A malicious pod was injected into one of the microservices, providing a covert and persistent channel that remained active until the incident was uncovered.
A timeline reconstruction revealed that the initial contact with the developer occurred on June 28, privilege escalation began on July 10, and the fund extractions took place on July 24. Withdrawals were promptly frozen platform-wide, user data was restored, and the breach was contained.
Over a three-week investigation, WOO conducted a full audit of its infrastructure and rolled out sweeping security measures. These included complete isolation and migration of all environments, the deployment of XDR solutions in containerized systems to detect Kubernetes-level attacks, activation of the Google Security Command Center, reduction of GCP session lifetimes to eight hours, updated IAM policies, and stricter filtering of all service accounts. Assets were migrated to an entirely new infrastructure built from scratch with Zero Trust principles and stringent segmentation.
All third-party code is now subject to mandatory automated security reviews, development has been completely isolated from production, and staff have undergone training to recognize social engineering tactics. Behavioral analytics powered by machine learning models now track anomalies in access and withdrawals. The SIEM system has been enhanced, and continuous threat hunting has been implemented.
WOO also warned of a new wave of phishing attacks, in which adversaries impersonate WOO support staff to deceive users anxious about withdrawal delays. The company urges users to verify the authenticity of all domains and emails.
The Lazarus Group incident is but one link in a chain of cyber offensives in 2025: in the first half of the year alone, Web3 lost $3.1 billion to exploits, already surpassing the total losses recorded in 2024. February saw the Bybit breach costing $1.5 billion, while April brought the CoinDCX incident at $50 million. Increasingly, the targets are not the technologies themselves but the people behind them—developers, engineers, and administrators.
Despite the attack, WOO X remained fully operational, and company reserves were unaffected. WOO emphasized that user protection remains its highest priority and pledged to continue strengthening its defenses at every level. “We endured thanks to our partners, experts, and community—and with them, we will emerge stronger,” the company declared.
