Lazarus Group Spent Six Months Trying to Penetrate CoinsPaid Systems for Weaknesses: Report

Estonian crypto-payments service provider CoinsPaid found that the notorious hacking group Lazarus spent six months tracking and studying the platform before finally attacking on July 22nd.

ConsPaid collaborated with cybersecurity firm Match Systems to track the perpetrators’ steps minute by minute, as well as identify what services and platforms were used to launder the funds. In a press release shared with CryptoPotato, the platform said that Lazarus Group spent half a year trying to infiltrate the CoinsPaid systems and find vulnerabilities.

Orchestrating $37.3M Theft

Since March, CoinsPaid revealed having been hit by constant unsuccessful attacks of various kinds, ranging from social engineering to DDos and BruteForce. During the same period, key engineers of the company were approached by an entity purporting to be a Ukrainian crypto-processing startup presenting a set of technical infrastructure-related inquiries. This interaction was corroborated by three key developers within CoinsPaid.

In April and May, CoinsPaid encountered four significant assaults targeting its systems which sought unauthorized access to the accounts belonging to both the company’s employees as well as its clients. The spam and phishing activities against the team members were constant and highly aggressive, the press release stated.

The following month of June and July witnessed the orchestration of a malicious campaign that involved a combination of bribing and fictitious employment offers, all directed at crucial personnel within the company.

The attacker launched a meticulously planned and executed assault against the CoinsPaid infrastructure and applications on July 7th. The attack, which unfolded between 20:48 and 21:42, demonstrated an unprecedented surge in network activity, recording an engagement of over 150,000 distinct IP addresses.

Tracing the Attack

The primary objective of the culprits was to deceive a key staff member into installing software, enabling them to establish remote control over a computer by infiltrating and accessing CoinsPaid’s internal systems. Despite six months of unsuccessful attempts, the attackers eventually managed to breach its infrastructure on July 22nd which resulted in the loss of $37.5 million.

The attackers used highly sophisticated and vigorous social engineering techniques to gain access to an employee’s computer. Recruiters from crypto companies reached out to CoinsPaid employees via LinkedIn and various Messengers, offering enticingly high salaries.

After one of its employees responded to a job offer posing to be Crypto.com, they received a test assignment that required the installation of an application with malicious code. Upon opening the test task, the employee’s profiles and keys were stolen from the computer to set up a connection with CoinsPaid’s infrastructure.

The access enabled the hackers to create authorized requests to withdraw funds from CoinsPaid hot wallets. But the perpetrators were not able to breach the hot wallets and acquire private keys to access funds directly. 

“Internal security measures triggered the alarm system and allowed us to swiftly stop the malicious activity and throw the hackers out of the company’s perimeter.”

CoinsPaid further stated that despite crypto companies complying with the KYC measures and using blockchain risk scoring systems to detect suspicious activity, the perpetrators still managed to launder the stolen funds successfully.

The company pointed fingers at the Lazarus group since the hackers used similar tactics in the Atomic Wallet heist.