
Cyber Incident Victim: CoinsPaid

Date: Jul 2023

Location: Estonia

Summary

CoinsPaid, a cryptocurrency payments platform, suffered a cyber attack resulting in a $37.3 million theft. The company suspects the North Korean state-backed Lazarus Group was responsible for the breach, which forced a temporary halt to operations. While customer funds were reported as secure, the attack caused significant damage to the platform and its balance sheet. The incident is believed to be part of a broader campaign targeting the crypto industry.


Description

On or around July 22, 2023, the cryptocurrency payments platform CoinsPaid suffered a significant security breach of its internal systems. This incident resulted in the theft of $37.3 million from the company. The attack forced CoinsPaid to halt all of its operations for a period of four days as the company worked to contain the breach and assess the damage. Following this initial response period, the firm was able to confirm that its operations were back up and running, albeit within a new and limited environment that had been established to enhance security. Despite the considerable financial damage inflicted upon the platform and the firm's own balance sheet, CoinsPaid assured its users that their funds remained intact and were not compromised during the event.


The company publicly disclosed its suspicions regarding the perpetrators on July 26, 2023, pointing to the North Korean state-backed Lazarus Group as the entity responsible for the hack. CoinsPaid described Lazarus Group as one of the most powerful hacker organizations operating globally. While the specific technical details of how the breach was executed and how the funds were exfiltrated were not disclosed by the company, the attribution to such a sophisticated threat actor suggests a highly complex and targeted attack. CoinsPaid expressed a belief that the cybercrime organization had been pursuing a much larger sum of money than what was ultimately stolen. The company stated that Lazarus Group expected the attack on CoinsPaid to be far more successful, but the efforts of the company's dedicated team of experts minimized the impact, leaving the attackers with what CoinsPaid characterized as a record-low reward for their efforts.

In response to the incident, CoinsPaid took formal steps to engage with law enforcement and cybersecurity experts. Three days after the hack occurred, the company filed a report with Estonian law enforcement authorities to initiate a formal investigation into the exploit. Furthermore, CoinsPaid enlisted the assistance of several prominent blockchain security firms to aid in its preliminary investigation during the first critical days following the breach. These firms included Chainalysis, Match Systems, and Crystal, whose expertise in tracking blockchain transactions and analyzing malicious activity would have been crucial in tracing the stolen funds and understanding the attack vectors used. The CEO of CoinsPaid, Max Krupyshev, expressed strong confidence that the Lazarus Group would ultimately be held accountable for their actions, stating with conviction that the hackers would not escape justice.

This incident was not viewed in isolation by the wider cybersecurity community. Blockchain security firm SlowMist suggested that the CoinsPaid hack could potentially be linked to two other recent major cryptocurrency exploits. These included the hack of Atomic Wallet, which was exploited for approximately $100 million, and the hack of Alphapo, which suffered losses of around $60 million. This potential connection points to a broader campaign targeting cryptocurrency service providers by a highly capable threat actor, consistent with the known modus operandi of the Lazarus Group. The group has a long and well-documented history of targeting the cryptocurrency industry to fund state operations, making them a prime suspect in a series of high-value heists.

The tactics employed by the Lazarus Group often extend beyond technical exploits to include sophisticated social engineering schemes. Around the same time as the CoinsPaid disclosure, the code-hosting platform GitHub reported with high confidence that Lazarus Group was actively conducting a social engineering campaign aimed specifically at professionals working in the cryptocurrency and cybersecurity sectors. According to a detailed post by the cybersecurity platform Socket.Dev, the group's objective in these campaigns is to lure in these high-value targets and compromise their GitHub accounts. The initial point of contact is frequently made on a social media or messaging platform such as WhatsApp, where the attackers build rapport with their victims under false pretenses. Once a level of trust is established, the victims are manipulated into cloning malware-laden GitHub repositories or installing malicious npm packages. These packages carry malware designed to infiltrate and compromise the victim's computer, potentially giving the attackers a foothold into corporate networks or access to sensitive code repositories and credentials.

This method of operation highlights the dual approach often taken by advanced persistent threat groups, combining technical hacking skills with psychological manipulation to achieve their goals. The targeting of software developers and cybersecurity professionals is particularly concerning, as these individuals often possess access to critical infrastructure and sensitive systems. The compromise of a single developer's account could lead to a supply chain attack or provide the initial access needed for a much larger breach, such as the one experienced by CoinsPaid. Socket.Dev urged extreme caution within the software development community, advising developers to meticulously review repository invitations before collaborating and to be highly wary of unsolicited approaches on social media that encourage the installation of npm packages or the cloning of unfamiliar repositories.
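One concrete way to act on that advice before running `npm install` on an unfamiliar repository is to inspect its `package.json` for install-time lifecycle hooks, the mechanism a malicious package normally uses to execute code on a developer's machine, and for dependencies that nobody has reviewed. The script below is an added illustration, not code from CoinsPaid, GitHub or Socket.Dev; the manifest it checks is constructed for the example, and the allowlist is whatever the reviewing team has already vetted.

```python
import json

# npm lifecycle hooks that run shell commands automatically during `npm install`.
# A malicious package or repository typically abuses one of these to run its payload.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare", "prepublish")


def audit_package_json(text: str) -> dict:
    """Return install-time hooks and declared dependencies from raw package.json text.

    Hooks come back as {script_name: command} so a reviewer sees exactly what
    would execute before deciding whether to install anything.
    """
    manifest = json.loads(text)
    scripts = manifest.get("scripts") or {}
    hooks = {name: cmd for name, cmd in scripts.items() if name in INSTALL_HOOKS}
    deps = {}
    for section in ("dependencies", "devDependencies", "optionalDependencies"):
        deps.update(manifest.get(section) or {})
    return {"install_hooks": hooks, "dependencies": deps}


def review_manifest(text: str, known_good: set) -> list:
    """Produce human-readable findings to read before running `npm install`."""
    result = audit_package_json(text)
    findings = []
    for name, cmd in result["install_hooks"].items():
        findings.append(f"install-time hook '{name}' runs: {cmd}")
    for dep in sorted(result["dependencies"]):
        if dep not in known_good:
            findings.append(f"dependency '{dep}' is not on the reviewed allowlist")
    return findings


# Constructed sample manifest (not taken from any real repository): a 'postinstall'
# hook plus an unreviewed dependency is exactly the pattern a reviewer should stop on.
SAMPLE_PACKAGE_JSON = """{
  "name": "trading-bot-demo",
  "version": "1.0.0",
  "scripts": {
    "test": "jest",
    "postinstall": "node ./scripts/setup.js"
  },
  "dependencies": {"express": "^4.18.2", "wallet-sync-helper": "^0.1.3"}
}"""

if __name__ == "__main__":
    for line in review_manifest(SAMPLE_PACKAGE_JSON, {"express"}):
        print("WARNING:", line)
```

Running `npm install --ignore-scripts` skips these hooks entirely, at the cost of breaking packages that legitimately need them, so the review above is the step that tells you which case you are in.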

The CoinsPaid incident serves as a stark reminder of the persistent and evolving threat posed by nation-state actors to the cryptocurrency ecosystem. The Lazarus Group's involvement underscores the high level of sophistication and resources that these attackers bring to bear, seeking to extract large sums of digital assets to support state interests. The fact that the attack was detected and the impact was mitigated to a degree, as claimed by CoinsPaid, demonstrates the importance of having a dedicated and responsive security team. However, the successful theft of $37.3 million also illustrates the challenges that even security-conscious companies face when defending against a determined and well-resourced adversary. The event disrupted business operations for nearly a week, indicating the severe operational impact such a security incident can have, necessitating a complete rebuild of the operational environment to ensure continued security and functionality. The collaboration with external blockchain analysis firms was a critical step in the investigation, highlighting the industry-wide effort required to combat such threats and trace stolen funds across the blockchain.
