Investigating the CoinsPaid Hack!

icon FOR
Photo - Investigating the CoinsPaid Hack!
The audacious breach of crypto payment giant CoinsPaid appears to bear the hallmark of Lazarus – the elusive North Korean faction known for navigating the Web3 waters in pursuit of Kim Jong-un's military endeavors. Shockingly, they allegedly siphoned off $37 million from CoinsPaid on July 22.
While some might be tempted to view North Koreans as somewhat naive or undereducated, it's impossible to dismiss the cunning and expertise of the Lazarus group. This crew was breaking into digital fortresses long before the buzz of cryptocurrencies echoed through the mainstream corridors of the multi-billion-dollar tech world.

The allure of crypto brought a renewed sense of purpose to their digital escapades. Given the extensive sanctions against North Korea, turning to cyber heists for easy-to-convert currency was more than just profitable—it became a lifeline. Their not-so-enviable resume boasts major infiltrations like those of Axie Infinity, valued at $625 million, Horizon Bridge at $100 million, and the breach of Atomic Wallet, also at $100 million.

After suffering their own cyber debacle, the CoinsPaid team was swift to dive into the breach's anatomy. It became clear that Lazarus' playbook hadn't deviated much since the Atomic Wallet incident. This raises a dual-edged revelation: firstly, the digital realm is yet to craft an effective defense against these virtual buccaneers. Yet, it's unfair to dub CoinsPaid as an easy target. The hackers had been weaving their intricate web for 6 months, tirelessly hunting for a chink in the armor. Their arsenal? A cocktail of DDos attacks, BruteForce techniques, relentless spam, crafty phishing schemes, and even audacious plans to covertly rope in the platform's key experts.

But their ultimate weapon? Crafty social engineering. A few weeks before the breach, on a particularly ominous July 7, 2023, CoinsPaid's defenses were blitzed. The digital onslaught was staggering, mobilizing over 150,000 unique IP addresses. The objective was sinisterly simple: trick a pivotal staffer into downloading a rogue application. Once executed, the hackers seized remote control of his workstation, granting them a backstage pass to CoinsPaid's digital sanctum.

To get a sense of the breadth and depth of Lazarus' operations, consider this: in the same month, they pulled off a heist on the JumpCloud platform—a hub that facilitates authentication processes for corporations. With this ace up their sleeve, the group had the leverage to make some unexpected, and undoubtedly crafty, moves on CoinsPaid.

Just before the breach, several CoinsPaid staff, while using what they believed to be the safe realm of LinkedIn, started getting enticing job proposals from cryptocurrency company recruiters. These pitches dangled the carrot of high salaries, anywhere between $16,000 to $24,000 a month. The catch? During the preliminary stages of their interview process, these individuals were prompted to download and install the JumpCloud Agent software for a test assignment. One employee took the bait, thinking it was a genuine offer from the Crypto Com exchange. Importantly, CoinsPaid doesn't place blame on their employee, acknowledging that the attackers showcased a high level of expertise and precision.

After securing access to CoinsPaid's systems, these adversaries set up a backdoor, draining the company's operational funds storage. And the fallout from that action was considerable.

To counteract this violation, CoinsPaid collaborated with Match Systems, a cybersecurity powerhouse that boasts a track record of recovering more than $70 million in assets. In a bid to trace and potentially freeze the absconded funds, the hackers' addresses were put on a comprehensive blockchain analyzer blacklist. Additionally, top crypto exchanges and AML service personnel received immediate alerts about these specific identifiers. It was this exact strategy that spotlighted Lazarus's involvement when an address linked to the Atomic Wallet's breach was identified.

CoinsPaid views this incident as a valuable lesson and is determined to seek resolution. It's unlikely that the bold North Korean crypto culprits will voluntarily return the stolen funds. Hence, the response will have to be as cunning and calculated as the hack itself.

For those keeping tabs, GN Crypto has previously had an in-depth conversation with CoinsPaid's CEO, Max Krupyshev.