Russian hackers, not North Korean, may be the bad actors behind probably the biggest ever theft from a cryptocurrency exchange.

Japanese newspaper Asahi Shimbun reports Monday that virus variants known to be linked to Russian hackers have been found on employee computers at the Tokyo-based Coincheck exchange.

Coincheck suffered a breach in January 2018 that resulted in the loss of 500 million NEM tokens worth around $530 million at the time – an amount even bigger than that lost by Mt. Gox.

According to the report, the malware found at the exchange had been emailed to employees and included types called Mokes and Netwire, which allow malicious distributors to gain access to victims’ machines and operate them remotely. Mokes apparently first appeared on a Russian bulletin board in 2011, while Netwire has been around for 12 years.

The Coincheck hack has previously been linked with North Korea. In a report last February, South Korea’s National Intelligence Service (NIS) said that phishing scams and other methods had yielded tens of billions of won in customer funds. The country’s authorities were said at the same time to be probing whether North Korea was behind the Coincheck attack.

Cybersecuirty firm Group-IB also made the link between the allegedly North Korean state-sponsored hacking team and Coincheck in an October report.

Based on an analysis of the viruses, a U.S. cybersecurity expert told the Ashahi Shimbun that Russian or Eastern European hackers may be linked to the Coincheck attack.

Hacker image via Shutterstock