July 24th - Security incident post-mortem

Summary

On July 24, 2025, WOO X experienced a sophisticated security incident that resulted in $14 million in unauthorized withdrawals from 9 user accounts. There is evidence that this attack was perpetrated by UNC4899, a North Korean state-sponsored cyber espionage group aligned with the Reconnaissance General Bureau and known publicly as Lazarus Group, TraderTraitor, and Jade Sleet.

The attack began with social engineering targeting our development team through what appeared to be a legitimate open-source collaboration request. A team member was approached on an open-source software forum to help debug a development tool. After a brief discussion, the developer downloaded the file on a mobile device, then used their company-issued MacBook to open it. Prior to opening, the file was scanned for malware, and the scan came back clean. Once run, the program downloaded a hidden backdoor that resembled a common backend process. This allowed the exploiter to maintain access to the development environment and, after a period of time, find an opportunity to alter records in the database, gaining access to 9 accounts from which withdrawals were initiated.

The unauthorized withdrawals were detected 2 hours later, immediately halted, and all affected users were fully compensated from WOO's treasury. Over the following three weeks, an investigation and remediation process ensued. This led to a number of new security and risk measures being implemented, along with a full migration of the development environment.

Incident recap

The incident originated from a targeted social engineering attack against our development team. The threat actor:

  1. Researched WOO's development practices and identified team members active in open-source communities
  2. Crafted a legitimate-seeming collaboration request for debugging assistance on a development tool
  3. Delivered malware disguised as open-source code

Timeline of Events

June 28, 2025

  • External party approaches WOO developer on open-source forum requesting collaboration on development tool debugging

July 8, 2025

  • Developer downloads project file on mobile device
  • File AirDropped to company MacBook and opened using development tools (Cursor)
  • Backdoor deploys undetected, establishing persistent access

July 9, 2025

  • First evidence of threat actor accessing Google Cloud (GCP) environment via compromised developer's VPN session
  • Actor leverages existing 2FA-protected VPN connection from infected MacBook

July 10, 2025

  • Threat actor accesses Google Kubernetes Engine (GKE) resources
  • Begins reconnaissance of Argo CD and Apollo deployment infrastructure

July 11, 2025 - July 24, 2025

  • Privilege escalation achieved: Actor deploys malicious POD revealing Kubernetes management service account token
  • Deploys backdoor in microservice POD for persistent access to production environment
  • For the two weeks after deploying the backdoor, no active threat behavior was observed
  • Persistent access validated but unused during this period

July 24, 2025

  • 13:50 UTC+8: Threat actor returns via backdoor in node server
  • Uses previously extracted database credentials to access backend systems
  • Replaces user emails, passwords, and 2FA seeds for 9 high-value accounts
  • First unauthorized withdrawal initiated
  • 15:40 UTC+8: Suspicious activity detected and contained
  • Immediate response: Withdrawals suspended platform-wide, affected user account details restored

Impact Assessment

Financial Impact

  • $14 million in unauthorized withdrawals from 9 user accounts
  • Funds stolen across multiple chains: Bitcoin, Ethereum, BNB, Arbitrum
  • 100% user compensation provided from WOO treasury

Operational Impact

  • Withdrawal services suspended for security review
  • Enhanced monitoring and incident response procedures activated
  • Development environment isolation and forensic analysis
  • No impact to trading services

User Impact

  • 9 users experienced account compromise
  • All affected users contacted directly and compensated fully
  • Platform trading remained operational throughout incident

The treasury loss does not impact WOO's operational runway or business continuity - WOO maintains substantial reserves and a diversified treasury structure. 

Response Actions

Immediate Response (July 24)

  • Real-time detection: Suspicious withdrawal patterns identified within 2 hours
  • Instant containment: All withdrawals suspended platform-wide
  • User notification: Affected users contacted directly
  • Asset tracking: Initiated monitoring of stolen funds across all chains

Investigation & Forensics

  • External expertise: Engaged external security firms for comprehensive incident response
  • Threat hunting: Full environment scan for additional compromise indicators
  • Attribution analysis: Suspected involvement of UNC4899 or UNC5565 (North Korea)
  • Infrastructure review: Complete GCP and Kubernetes environment analysis

Preventive Measures & Security Enhancements

WOO has always prioritized security, and this incident reinforces our commitment to protecting user funds. While no system is immune to nation-state level attacks, we are implementing industry-leading security measures to prevent similar incidents.

Immediate app hardening (Completed)

We have deployed comprehensive detection and monitoring capabilities across our infrastructure:

  • Container XDR deployed for enhanced Kubernetes attack detection and visibility
  • IOC signatures created for UNC4899 and other targeted threat actor groups
  • Security Command Center enabled for GCP-wide abnormal activity monitoring
  • GCP session validity reduced to 8 hours (from 24 hours)
  • IAM and service account audit completed - no abnormal accounts found
  • Cloud Armor/Firewall review completed - no malicious rules detected

Environment Migration 

We redeployed the entire WOO X production cloud infrastructure to ensure complete threat actor removal. This includes building new isolated development infrastructure with enhanced segmentation, implementing zero-trust architecture across all systems, and deploying automated security scanning for all development artifacts.

Our technology and security teams will continue implementing additional enhancements over the coming months, including expanded network controls, enhanced service account management, and deeper infrastructure monitoring capabilities.

Enhanced code review processes now apply to all external contributions with mandatory security scanning. Development environments are completely isolated from production systems, and comprehensive social engineering awareness training has been implemented for all technical staff.

Real-time behavioral analytics now identify unusual account access patterns, with machine learning-based anomaly detection specifically for withdrawal monitoring. Enhanced logging and event management (SIEM) capabilities provide complete infrastructure visibility, supported by regular threat hunting exercises.
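One way to express the withdrawal-monitoring rule described above in code, as an added illustration that is not WOO's own detection logic: it flags a withdrawal that follows a rotated 2FA seed, or two distinct credential changes, on the same account within a 24-hour window, which is the sequence observed in the July 24 timeline. The log format, account IDs and amounts are constructed for the example.

```python
from datetime import datetime, timedelta

# Constructed sample events (assumed key=value log format, not WOO's own).
# u1001 mirrors the attack sequence: email, password and 2FA seed replaced,
# then a withdrawal minutes later. u2002 and u3003 are benign controls.
SAMPLE_EVENTS = [
    "2025-07-24T13:52:10+08:00 acct=u1001 event=email_change",
    "2025-07-24T13:52:41+08:00 acct=u1001 event=password_change",
    "2025-07-24T13:53:05+08:00 acct=u1001 event=totp_seed_change",
    "2025-07-24T13:58:30+08:00 acct=u1001 event=withdrawal amount=2500000",
    "2025-07-24T09:10:00+08:00 acct=u2002 event=password_change",
    "2025-07-24T14:05:00+08:00 acct=u2002 event=withdrawal amount=300",
    "2025-07-24T14:10:00+08:00 acct=u3003 event=withdrawal amount=4000",
    "2025-07-24T14:15:00+08:00 acct=u4004 event=totp_seed_change",
    "2025-07-24T14:20:00+08:00 acct=u4004 event=withdrawal amount=90000",
]

SENSITIVE = {"email_change", "password_change", "totp_seed_change"}
WINDOW = timedelta(hours=24)


def parse_event(line):
    """Parse 'ISO-timestamp key=value ...' into a dict with an aware datetime."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.fromisoformat(ts)
    return rec


def flag_withdrawals(lines, window=WINDOW):
    """Return (acct, changes, amount) for each withdrawal that should be held
    for review: preceded within `window` by a 2FA seed change, or by at least
    two distinct sensitive account changes."""
    recent = {}  # acct -> list of (ts, event) for sensitive changes seen so far
    flagged = []
    for rec in sorted(map(parse_event, lines), key=lambda r: r["ts"]):
        acct, ev, ts = rec["acct"], rec["event"], rec["ts"]
        if ev in SENSITIVE:
            recent.setdefault(acct, []).append((ts, ev))
        elif ev == "withdrawal":
            changes = {e for t, e in recent.get(acct, []) if ts - t <= window}
            # A rotated 2FA seed is the strongest takeover signal on its own;
            # otherwise require two distinct credential changes before payout.
            if "totp_seed_change" in changes or len(changes) >= 2:
                flagged.append((acct, sorted(changes), float(rec.get("amount", 0))))
    return flagged


if __name__ == "__main__":
    for acct, changes, amount in flag_withdrawals(SAMPLE_EVENTS):
        print(f"HOLD withdrawal {amount} for {acct}: recent changes {changes}")
```

In production the same rule would sit in front of the withdrawal queue so that a flagged request is held for manual review rather than only logged.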

Notice to users

In the wake of this incident, we’ve seen an increase in scams trying to take advantage of concerned WOO users, and we urge everyone to be vigilant about social engineering attacks. In several cases, scammers responded to user inquiries about withdrawal delays, posing as assistance providers offering to verify or secure funds, though the specific approach varies.

If you are ever contacted by someone claiming to be from WOO, verify that the message comes from an official domain or email address. If you are unsure, here are the domains that contact users on behalf of the various platforms:

Telegram admins can be verified in the official WOO channel (t.me/woo_english) with a Customer Support or Admin tag. Be wary of imposters who use profile photos and names of admins in attempts to initiate conversations in direct messages. 

Conclusion

This incident reflects the broader security challenges facing the cryptocurrency industry in 2025. Web3 projects lost $3.1 billion to exploits in the first half of 2025 alone, already exceeding all losses recorded across the entirety of 2024. 

Recent similar incidents include the $1.5 billion Bybit breach in February 2025 and the $50 million CoinDCX hack. The pattern is clear: as technical defenses improve, attackers are increasingly focusing on human vulnerabilities to achieve their objectives.

We extend our deepest gratitude to our users for their patience and trust during this period. We know that trust is earned, not given, and we're humbled by your willingness to stand with us as we work to make things right.

We're equally grateful to the external security teams whose expertise proved invaluable: Seal911 for their emergency response coordination, zeroShadow, Hypernative and Verichains for their blockchain analytics and threat intelligence, Hacken for their security insights, and other security firms for their comprehensive forensic investigation and attribution analysis. Their rapid response reminded us that we are part of something larger than ourselves, an ecosystem of people genuinely committed to building a safer crypto future.

We also want to acknowledge the dedication of our internal team members who worked around the clock to maintain platform operations, support the investigation, and implement critical security measures. Their sleepless nights and unwavering patience during this incident helped to minimize uncertainty and disruption to users.

The crypto industry faces unprecedented threats from sophisticated nation-state actors, but incidents like these also reveal how much we depend on each other. We couldn't have responded as effectively without the expertise and goodwill of our partners and community.

WOO will emerge from this incident more secure, more vigilant, and more committed to our users than ever before.
