alphapo_coinspaid.md

File metadata and controls

115 lines (56 loc) · 6.72 KB

Alphapo + Coinspaid

Date:: July 22nd, 2023

Amount Stolen:: $37,000,000 from Coinspaid, $60,000,000 from Alphapo?

Tags:: 👛


Details

Lazarus gained access to hot wallets belonging to crypto payment platform CoinsPaid via a successful social engineering attack. This access allowed the attackers to create authorized requests to withdraw approximately $37.3 million in crypto assets from the platform’s hot wallets.

On July 26th, CoinsPaid published a report claiming Lazarus was responsible for this attack. This attribution was later confirmed by the FBI.

AlphaPo lost $60M and it barely raises an eyebrow… Stories of compromised hot wallets leave little to be said. But one thing’s for sure, Lazarus isn’t getting bored.

CoinsPaid revealed that it experienced a $37m hot wallet hack along with AlphaPo on the same day last week. It, too, eventually named North Korean state actors as the likely culprits behind the attack.

Hackers Spent 6 Months Tracking and Studying CoinsPaid

We now know that Lazarus, the supposed hacker group behind the attack, spent half a year trying to infiltrate the CoinsPaid systems and find vulnerabilities.

Since March 2023, we have been registering constant unsuccessful attacks on the company of various kinds, ranging from social engineering to DDoS and brute force.

On March 27, 2023, key CoinsPaid engineers received requests from an allegedly Ukrainian crypto processing startup with a list of questions regarding technical infrastructure, as confirmed by 3 major developers of the company.

In April-May 2023, we experienced 4 major attacks on our systems aimed at gaining access to the accounts of CoinsPaid employees and customers. The spam and phishing activities against our team members were constant and highly aggressive.

In June-July 2023, a malicious campaign was carried out involving bribing and fake-hiring critical company personnel.

On July 7, 2023, a massive, carefully planned and prepared attack was executed targeting CoinsPaid infrastructure and applications. From 20:48 to 21:42, we registered unusually high network activity: over 150,000 different IP addresses were involved.

The perpetrators’ main goal was to trick a critical employee into installing software to gain remote control of a computer for the purpose of infiltrating and accessing CoinsPaid's internal systems. After 6 months of failed attempts, the hackers managed to attack our infrastructure successfully on July 22, 2023.
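The July 7 event is a distributed probe: over 150,000 distinct sources in under an hour, each of which may stay well under any per-client rate limit. What catches it is a count of distinct source IPs over a trailing window compared against a quiet-period baseline. The following is an added example written for this page, not code from CoinsPaid or Match Systems; the log line layout (`<ISO-8601 UTC> <ip> <path>`), the 60-second window, the 10x baseline factor and all traffic in it are constructed assumptions.

```python
"""Flag a distributed burst of distinct source IPs in an access log.

Added example for this page, not code from the CoinsPaid report. The report
records that on July 7, 2023, between 20:48 and 21:42, over 150,000 distinct
IP addresses hit CoinsPaid's infrastructure. Counting distinct sources over a
trailing window catches that pattern even when each IP stays under ordinary
per-client rate limits. The log layout ('<ISO-8601 UTC> <ip> <path>') and all
traffic below are constructed assumptions, not CoinsPaid data.
"""
from collections import Counter, deque
from datetime import datetime, timedelta, timezone
from typing import Dict, Iterable, Iterator, List, Optional, Tuple

Event = Tuple[datetime, str]  # (request time, source IP)

# Constructed log lines in the assumed format.
SAMPLE_LINES = [
    "2023-07-07T20:47:59Z 198.51.100.3 /api/v1/merchant/balance",
    "2023-07-07T20:48:00Z 10.0.0.0 /api/v1/login",
    "2023-07-07T20:48:00Z 10.0.0.1 /api/v1/login",
]


def parse_line(line: str) -> Event:
    """Split one log line into (timestamp, ip); the path is not needed here."""
    ts, ip, _path = line.split(maxsplit=2)
    return datetime.fromisoformat(ts.replace("Z", "+00:00")), ip


def sliding_distinct(events: Iterable[Event], window: timedelta) -> Iterator[Tuple[datetime, int]]:
    """Yield (event time, number of distinct IPs in the trailing window) per event."""
    recent: deque = deque()        # events still inside the window, oldest first
    live: Counter = Counter()      # ip -> number of its events inside the window
    for ts, ip in events:
        recent.append((ts, ip))
        live[ip] += 1
        while recent and ts - recent[0][0] >= window:   # evict events that aged out
            _, old_ip = recent.popleft()
            live[old_ip] -= 1
            if live[old_ip] == 0:
                del live[old_ip]
        yield ts, len(live)


def learn_baseline(events: Iterable[Event], window: timedelta) -> int:
    """Peak distinct-IP count over known-good traffic; the alert threshold is a multiple of it."""
    return max((n for _, n in sliding_distinct(events, window)), default=0)


def detect_burst(events: Iterable[Event], window: timedelta,
                 threshold: int) -> Optional[Tuple[datetime, datetime, int]]:
    """Return (first alert time, last alert time, peak distinct IPs), or None if quiet."""
    start = end = None
    peak = 0
    for ts, distinct in sliding_distinct(events, window):
        if distinct > threshold:
            start = ts if start is None else start
            end = ts
            peak = max(peak, distinct)
    return None if start is None else (start, end, peak)


def synthetic_traffic() -> List[Event]:
    """Constructed traffic: eight office IPs (TEST-NET-2) all evening, one request
    every 10 s, plus 200 fresh IPs per minute from 20:48 to 21:42 inclusive."""
    t0 = datetime(2023, 7, 7, 20, 0, tzinfo=timezone.utc)
    office = [f"198.51.100.{i}" for i in range(1, 9)]
    events: List[Event] = [(t0 + timedelta(seconds=s), office[(s // 10) % 8])
                           for s in range(0, 2 * 3600, 10)]
    n = 0
    for minute in range(48, 48 + 55):
        for k in range(200):
            ts = t0 + timedelta(minutes=minute, milliseconds=300 * k)
            events.append((ts, f"10.0.{n >> 8}.{n & 255}"))
            n += 1
    events.sort()
    return events


def run_detection() -> Dict[str, object]:
    """Learn a threshold from the quiet first half hour, then scan the whole evening."""
    events = synthetic_traffic()
    window = timedelta(seconds=60)
    warmup_end = events[0][0] + timedelta(minutes=30)
    baseline = learn_baseline([e for e in events if e[0] < warmup_end], window)
    threshold = max(50, 10 * baseline)   # alert at 10x the quiet-hour distinct-IP count
    burst = detect_burst(events, window, threshold)
    return {
        "baseline": baseline,
        "threshold": threshold,
        "burst_start": burst[0] if burst else None,
        "burst_end": burst[1] if burst else None,
        "peak_distinct": burst[2] if burst else 0,
    }


if __name__ == "__main__":
    r = run_detection()
    print(f"baseline={r['baseline']} threshold={r['threshold']}")
    if r["burst_start"]:
        print(f"burst {r['burst_start']:%H:%M:%S} .. {r['burst_end']:%H:%M:%S}, "
              f"peak {r['peak_distinct']} distinct IPs in one window")
```

The alert interval runs slightly past the end of the burst because the window trails; that is the price of a detector that needs no clock-aligned buckets. Against the real volume (150,000 IPs rather than 11,000) the same code applies; only the threshold needs to come from the site's own quiet-hour baseline rather than the constructed one used here.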

Based on the timing, the Alphapo heist could have been due to the JumpCloud intrusion (see para. 136). CoinsPaid noted that “Recruiters from crypto companies contacted CoinsPaid employees via LinkedIn and various Messengers, offering very high salaries. For instance, some of our team members received job offers with compensation ranging from 16,000-24,000 USD a month. During the interview process, the perpetrators aimed to trick the candidates into installing the JumpCloud Agent or a special program to complete a technical task.”

Lazarus Hackers Used Similar Tactics in the Atomic Wallet Heist

Match Systems specialists discovered similar patterns that Lazarus previously used in their recent 100M USD Atomic Wallet hack.

Hackers utilised swap services, such as SunSwap, SwftSwap, and SimpleSwap, as well as Sinbad cryptocurrency mixer, to launder illegally obtained funds without any KYC and AML procedures.

The Sinbad mixer volumes chart shows significant spikes in operations volume and a significant balance fluctuation on the cluster, coinciding with the time of both attacks.

In both the CoinsPaid and Atomic Wallet hacks, most of the stolen funds were sent in the form of USDT to the SwftSwap cryptocurrency service on the Avalanche C-Chain. A small portion of the stolen funds was sent to the Yobit exchange.

Just like the Sinbad mixer, the SwftSwap service volumes chart shows a significant increase in the number of transactions during the attacks on Atomic Wallet and CoinsPaid.

Lessons Learned from the Hack

This unfortunate incident provided some valuable experiences and insights for CoinsPaid that can help decrease both the number of hacking incidents in the crypto market and their scale of impact on the industry. Here is the list of practical tips our security experts have compiled that other cryptocurrency providers can implement to boost hacker protection significantly.

  1. Do not ignore cybersecurity incidents, i.e. attempts to break into your company's infrastructure, social engineering, phishing, etc. This may be a sign of hackers preparing for a major attack.

  2. Explain to your employees how perpetrators use fake job offers, bribing, and even ask for harmless tech advice to access the company's infrastructure.

  3. Implement security practices for privileged users.

  4. Implement the principles of Separation of Duties and Least Privilege.

  5. Ensure the protection of employees' workstations.

  6. Keep infrastructure components up to date.

  7. Segment networks and implement authentication and encryption between infrastructure components.

  8. Create a separate security log store to upload all relevant events.

  9. Set up a monitoring and alerting system for all suspicious activity in your infrastructure and applications.

  10. Create an honest violator model and take measures adequate to the threats and risks that your business bears.

  11. Keep track of operating balances and monitor their unusual movement and behaviour.

  12. Reduce the funds available for the operation of the company to the necessary minimum.
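Items 11 and 12 are the controls that bound the loss once an attacker already holds valid access: the attacker here submitted authorized-looking withdrawal requests, so the check has to sit in front of the signing key and must not depend on the request being authenticated. The following is an added example written for this page, not CoinsPaid's code; the operating cap, the per-transaction and per-hour limits, the "hold for a second signer" action and the withdrawal stream are all constructed assumptions.

```python
"""Operating-balance cap and withdrawal-velocity control for a hot wallet.

Added example for this page, not CoinsPaid's code. It illustrates lessons 11
and 12 above: the attacker held valid access and submitted authorized-looking
withdrawal requests, so the wallet's own signing path needs limits that do not
depend on the request being authenticated. Caps, limits and the withdrawal
stream below are constructed assumptions.
"""
from collections import deque
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Deque, Dict, List, Tuple


@dataclass(frozen=True)
class Withdrawal:
    ts: datetime
    request_id: str
    amount_usd: int          # whole dollars, so the running sums stay exact
    destination: str


@dataclass(frozen=True)
class Decision:
    request_id: str
    action: str              # "approve" or "hold" (hold = second signer / manual review)
    reason: str


class HotWalletGuard:
    """Independent check in front of the signing key: caps the balance the hot
    wallet holds and the value it may sign away per transaction and per window."""

    def __init__(self, operating_cap: int, window_seconds: int,
                 window_limit_fraction: float, single_limit: int) -> None:
        self.operating_cap = operating_cap
        self.window = timedelta(seconds=window_seconds)
        self.window_limit = round(operating_cap * window_limit_fraction)
        self.single_limit = single_limit
        self._approved: Deque[Tuple[datetime, int]] = deque()   # (time, amount) still in window
        self._approved_total = 0

    def sweep_excess(self, balance_usd: int) -> int:
        """Value to move to cold storage so the hot wallet holds only the operating cap."""
        return max(0, balance_usd - self.operating_cap)

    def _expire(self, now: datetime) -> None:
        while self._approved and now - self._approved[0][0] >= self.window:
            _, amount = self._approved.popleft()
            self._approved_total -= amount

    def review(self, w: Withdrawal) -> Decision:
        """Approve only if both the single-transaction and the window limits hold."""
        self._expire(w.ts)
        if w.amount_usd > self.single_limit:
            return Decision(w.request_id, "hold",
                            f"single withdrawal {w.amount_usd} exceeds {self.single_limit}")
        projected = self._approved_total + w.amount_usd
        if projected > self.window_limit:
            return Decision(w.request_id, "hold",
                            f"window outflow would reach {projected}, limit {self.window_limit}")
        self._approved.append((w.ts, w.amount_usd))
        self._approved_total = projected
        return Decision(w.request_id, "approve", "within single and window limits")


def constructed_stream() -> List[Withdrawal]:
    """Two hours of routine merchant payouts, then, an hour later, a burst of
    withdrawals from a caller that holds valid credentials (constructed data)."""
    t0 = datetime(2023, 7, 22, 12, 0, tzinfo=timezone.utc)
    routine = [Withdrawal(t0 + timedelta(minutes=10 * i), f"n{i}", 1500 + 250 * i, "merchant-payout")
               for i in range(12)]
    b0 = t0 + timedelta(hours=3)
    burst = [Withdrawal(b0, "b0", 900_000, "unknown-destination")]
    burst += [Withdrawal(b0 + timedelta(seconds=5 * i), f"b{i}", 40_000, "unknown-destination")
              for i in range(1, 41)]
    return routine + burst


def run_demo() -> Dict[str, int]:
    """Run the stream through a guard with a $2M operating cap, $50k per transaction
    and 10% of the cap per hour; return counts and dollar totals per decision."""
    guard = HotWalletGuard(operating_cap=2_000_000, window_seconds=3600,
                           window_limit_fraction=0.10, single_limit=50_000)
    summary = {"approve": 0, "hold": 0, "approve_usd": 0, "hold_usd": 0}
    for w in constructed_stream():
        d = guard.review(w)
        summary[d.action] += 1
        summary[d.action + "_usd"] += w.amount_usd
    # A sweep at end of day keeps the signing key's reachable balance at the cap.
    summary["swept_to_cold_usd"] = guard.sweep_excess(2_450_000)
    return summary


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The guard is state the attacker cannot reach by compromising an API credential: the first oversized request is held outright, and the split-up follow-ups stop after 10% of the operating cap leaves in an hour, so the worst case for the window is the limit, not the wallet. A held request goes to a second signer, which is the Separation of Duties point in item 4. The numbers are only illustrative; the ones that matter are the operating cap relative to settlement needs and the fraction of it the business can afford to lose in one window.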

URLs