North Korean attackers linked to a recent crypto exploit could be behind the latest crypto business security causality, according to data cited by blockchain sleuth ZachXBT and verified by CoinDesk.

CoinEx exchange was hacked for an estimated $27 million on Tuesday – a figure that later ballooned to $54 million worth of tokens drained from the exchange as details of several impacted wallets were released by the exchange through Wednesday afternoon.

The hackers siphoned ether (ETH), XRP, tron’s TRX, MATIC, solana’s SOL, kadena’s KDA and dagger’s XDAG tokens after exploiting a lax security measure on wallets used by the exchange. CoinEx has since released over 10 “suspicious” addresses on several networks, such as Ethereum, BNB Chain, and Arbitrum, where the tokens were transferred.

Analysis of these wallets by popular blockchain sleuth ZachXBT shows some transactions were routed to wallets that were involved in a $41 million exploit of crypto betting platform Stake earlier this month. Those wallets are linked to the North Korean attacker group Lazarus, infamous for targeting crypto businesses.

Another address was seemingly directly funded by the Stake attacker earlier this week and then received tokens from the CoinEx attack,

Meanwhile, CoinEx said Wednesday that the impacted funds represented a small amount of total user holdings and that all remaining assets on the exchange “remained safe.”

The Samoa-registered CoinEx traded over $22 million across 730 offered trading pairs on its platform in the past 24 hours, data shows.