Previously, it was suspected that the attack, which took place in January 2018 and cost the exchange $534 million in NEM, had originated from North Korea. However, the viruses found on the affected computers have now been identified as “Mokes” and “Netwire”, both previously used by Russian hackers.
“From the analysis of the virus, Eastern Europe and Russia may be related to the server criminal group,” a US-based expert quoted by Asahi Shimbun said.
The attack was carried out by infecting personal computers belonging to the exchange’s employees. The viruses then likely gave the hackers access to the exchange’s private keys and allowed them to operate infected computers remotely.