ALEX said forensic tracing produced substantial evidence linking the May XLink/ALEX exploit to Lazarus Group. The update says the exploit address 0x418e337774d26365efeaa4700e889a9746330c4e sent funds to 0x639F61cA3E0e3fDCd654DC4A22579e7382dEBeA3, which used a TRON address ALEX identified as known Lazarus infrastructure. ALEX said it was working with law enforcement and cybersecurity experts to recover assets and strengthen platform security. The source presents the attribution as transaction-based evidence rather than a completed law enforcement finding.