The North Korean hacker group, Lazarus, infamous for targeting the crypto space to support its nuclear program, is believed to have attempted a phishing scheme on the Euler Finance exploiter.

The Euler Finance exploiter, which had stolen around $200 million in Ethereum, received an on-chain note on March 22, from a wallet address linked with the Ronin Bridge attackers, suspected to be Lazarus.

The note contained an encrypted message requesting Euler’s hacker to decrypt the message using the private keys, likely an attempt to drain stolen funds from the wallet.

Experts warn the Euler hacker to avoid falling for the phishing trap and stealing login credentials. Euler Finance has been in talks with the hacker via on-chain communication to settle the deal, asking the hacker to return funds. The hacker is cooperating with Euler Finance and has returned 3,000 ETH (about $5.4 million) to the victim firm.

However, the latest message by the Lazarus hacker group has raised concerns, creating confusion in the community as to what the hacker might do next.

The security firm Arkham Intel revealed that the two hackers had interacted on March 17, with Euler’s exploiter sending 100 Ethereum to the Ronin attacker. Euler Finance is a non-custodial DeFi protocol that was hit by an exploit on March 13, resulting in massive losses.

The victim firm has been trying to settle the deal with the hacker, and the two parties were close to reaching an agreement before the Lazarus group’s intervention. Hudson Jameson, a senior developer at the Ethereum network, suspects that the Lazarus group’s message is an attempt to conduct a phishing scheme.