Table of Contents
- 1 Executive Summary
- 2 Introduction
- 3 Background: The Lazarus Hackers
- 4 The Preparation Phase: 6 Months of Persistence
- 5 The Power of Social Engineering
- 6 Anatomy of the Attack
- 7 Money Laundering and The Blockchain
- 8 Conclusion
Executive Summary
On July 22nd, 2023, CoinsPaid, the world’s leading crypto payments provider, suffered a significant cyberattack, resulting in the theft of $37.3M USD.
This report presents a detailed account of the attack, the actors believed to be responsible, and the methods they used, both technical and social, to carry out their heist.
Introduction
The CoinsPaid ecosystem was allegedly attacked by the Lazarus Hacking Group, leading to the theft of $37.3 million USD.
CoinsPaid conducted its own investigation in partnership with Match Systems and was able to trace the attack every minute as well as track the attackers’ money trail.
Background: The Lazarus Hackers
The Lazarus hacker group, linked to the North Korean government, is suspected of orchestrating the attack on CoinsPaid. They have a notorious history spanning over a decade, targeting major corporations, government entities, and cryptocurrency platforms.
- Operation Troy (2009-2013): Targeted US and South Korean government websites.
- Sony Pictures Hack (2014): Leaked sensitive company and employee information.
- WannaCry Ransomware Attack (2017): Infected 300,000+ computers globally.
- Crypto-targeted Attacks: Hacks on Axie Infinity, Horizon Bridge, and Atomic Wallet, among others.
The Preparation Phase: 6 Months of Persistence
From March 2023, Lazarus made several attempts to breach CoinsPaid’s systems through methods such as social engineering, DDoS, and brute-force attacks.
- Since March 2023, CoinsPaid has been recording consistent unsuccessful attacks on the company, spanning techniques from social engineering to DDoS and brute-force attacks.
- On March 27, 2023, prominent CoinsPaid engineers were approached by what seemed to be a Ukrainian crypto-processing startup. They were presented with queries about the technical infrastructure, a detail verified by three leading developers within CoinsPaid.
- Throughout April and May 2023, CoinsPaid was subjected to four significant attacks on their systems. These attacks were aimed at accessing the accounts of both CoinsPaid employees and customers. During this period, their team members faced a relentless barrage of spam and aggressive phishing attempts.
- In the months of June and July 2023, there was an orchestrated effort to bribe and falsely recruit essential personnel from the company.
- On July 7, 2023, CoinsPaid fell victim to a vast and meticulously organized cyber assault, targeting their infrastructure and applications. During a brief window from 20:48 to 21:42, the company observed an alarming surge in network activity, with participation from over 150,000 unique IP addresses.
- The ultimate objective of the assailants was to deceive a pivotal employee into installing software, thereby gaining remote control over a computer. This move was strategically positioned to breach and access CoinsPaid’s internal systems. After enduring six months of thwarted infiltrations, the culprits successfully compromised CoinsPaid’s defenses on July 22, 2023.
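The July 7 surge described above (over 150,000 unique IP addresses in under an hour) is the kind of event a simple distinct-source counter over access logs will catch. The following is an added example, not CoinsPaid's or Match Systems' tooling: it builds a constructed log (30 quiet minutes, then one minute with 400 distinct clients hitting a login endpoint), buckets it into one-minute windows, and flags any window whose distinct-source count is both far above the median window and above an absolute floor. The log format, the thresholds and all addresses are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address
from statistics import median


def make_sample_log():
    """Constructed access-log lines ("<ISO timestamp> <client IP> <path>"), not
    CoinsPaid's traffic: 30 quiet minutes with 5 distinct clients each, then one
    minute in which 400 distinct clients hit the login endpoint."""
    lines = []
    start = datetime(2023, 7, 7, 20, 30)
    for minute in range(30):
        ts = start + timedelta(minutes=minute)
        for i in range(5):
            lines.append(f"{ts.isoformat()} 203.0.113.{i + 1} /api/login")
    flood_at = start + timedelta(minutes=30)       # 21:00
    first = ip_address("100.64.0.0")               # sample range only, not real clients
    for i in range(400):
        lines.append(f"{flood_at.isoformat()} {first + i} /api/login")
    return lines


def unique_sources_per_window(lines, window_minutes=1):
    """Return {window start (ISO string): number of distinct client IPs}."""
    buckets = defaultdict(set)
    for line in lines:
        ts_text, ip, _path = line.split(" ", 2)
        ts = datetime.fromisoformat(ts_text)
        floored = ts.replace(minute=(ts.minute // window_minutes) * window_minutes,
                             second=0, microsecond=0)
        buckets[floored.isoformat()].add(ip)
    return {when: len(ips) for when, ips in sorted(buckets.items())}


def detect_surges(counts, factor=10, min_unique=100):
    """Flag windows whose distinct-source count is at least `factor` times the
    median window and also above an absolute floor, so a quiet site does not
    alert on a handful of extra visitors. Thresholds are assumed values."""
    if not counts:
        return []
    baseline = max(median(counts.values()), 1)
    return [(when, n) for when, n in counts.items()
            if n >= min_unique and n >= factor * baseline]


if __name__ == "__main__":
    counts = unique_sources_per_window(make_sample_log())
    for when, n in detect_surges(counts):
        print(f"surge at {when}: {n} distinct sources")
```

Counting distinct sources rather than raw request volume is what separates a distributed flood from a single noisy client; in production the same logic would run over a sliding window fed from the web tier's logs or a flow collector.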
The Power of Social Engineering
Rise of Social Engineering
The inability to directly hack into CoinsPaid made the attackers pivot to social engineering techniques, now considered a significant threat to cybersecurity.
Using platforms like LinkedIn, the attackers made lucrative job offers to CoinsPaid employees, tricking them into downloading malicious software under the pretense of a “technical task”.
For instance, some of CoinsPaid’s team members received job offers with compensation ranging from 16,000-24,000 USD a month.
During the interview process, the attackers aimed to deceive the candidates into installing the JumpCloud Agent or a specific program to complete a technical task.
JumpCloud, a directory platform that enables enterprises to authenticate, authorize, and manage users and devices, was allegedly compromised by the Lazarus Group in July 2023 to target its cryptocurrency users.
Anatomy of the Attack
Deception and Malware
In the digital age, where software security has tightened, human vulnerabilities can be the weak link. An unsuspecting CoinsPaid employee was lured by a fraudulent job offer from Crypto.com.
During the recruitment process, the individual was presented with a task that required the download and installation of an application. This application, however, was embedded with malicious code.
Once activated, it stealthily extracted critical access credentials from the employee’s device, subsequently providing the hackers with a bridge into CoinsPaid’s intricate systems.
Exploiting the Breach
Having secured a gateway into the system, the hackers didn’t waste any time. They utilized the stolen information and, capitalizing on an identified vulnerability within CoinsPaid’s infrastructure, began to create what appeared to be authentic transaction requests.
Their primary goal was to drain funds from the company’s hot wallets, and given their deep access, these requests seemed entirely genuine.
Despite the hackers’ sophisticated techniques, they hadn’t anticipated the robustness of CoinsPaid’s security protocols.
The company’s internal detection mechanisms quickly recognized the unauthorized activities. Alarms were triggered, and swift action was taken.
CoinsPaid managed to halt the malicious activities temporarily and subsequently ejected the hackers from their system, showcasing the importance of having multi-layered security in place.
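The text says the forged withdrawal requests looked genuine because they came with legitimate credentials, and that an internal detection layer still caught them. What such a layer checks is policy, not identity: destination history, per-transaction size, aggregate volume and request velocity over a rolling window. The following is an added example, not CoinsPaid's actual control, showing a hot-wallet withdrawal policy check with constructed requests. The limits, the decision rule (volume and velocity breaches block, a single soft signal holds for manual sign-off) and all addresses are assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class Withdrawal:
    when: datetime
    destination: str       # payout address
    amount_usd: float
    requested_by: str      # operator or API key that submitted the request


@dataclass
class Policy:
    per_tx_limit_usd: float = 50_000
    hourly_limit_usd: float = 200_000
    max_tx_per_hour: int = 10
    known_destinations: set = field(default_factory=set)


# Assumed decision rule: volume and velocity breaches block outright; a single
# softer signal (new destination, large single payout) holds for manual sign-off.
BLOCKING_REASONS = {"hourly_volume", "velocity"}


def evaluate_withdrawal(req, history, policy):
    """Return (decision, reasons) for one request given prior withdrawals.
    Credentials are assumed valid; the point is that validity is not enough."""
    window_start = req.when - timedelta(hours=1)
    recent = [h for h in history if window_start <= h.when <= req.when]
    reasons = []
    if req.destination not in policy.known_destinations:
        reasons.append("unknown_destination")
    if req.amount_usd > policy.per_tx_limit_usd:
        reasons.append("per_tx_limit")
    if sum(h.amount_usd for h in recent) + req.amount_usd > policy.hourly_limit_usd:
        reasons.append("hourly_volume")
    if len(recent) + 1 > policy.max_tx_per_hour:
        reasons.append("velocity")
    if not reasons:
        return "allow", reasons
    if BLOCKING_REASONS & set(reasons):
        return "block", reasons
    return "hold_for_review", reasons


def sample_policy():
    """Constructed allowlist of previously used payout addresses."""
    return Policy(known_destinations={"TKnownPayout1", "TKnownPayout2"})


def sample_history(now):
    """Constructed: four 45,000 USD payouts in the last hour to a known address."""
    return [Withdrawal(now - timedelta(minutes=10 * (i + 1)), "TKnownPayout1",
                       45_000, "svc-account") for i in range(4)]


def demo():
    """Three constructed requests: routine, first-time destination, and a drain
    that is individually within limits but pushes hourly volume over the cap."""
    now = datetime(2023, 7, 22, 21, 0)
    policy = sample_policy()
    quiet = evaluate_withdrawal(
        Withdrawal(now, "TKnownPayout2", 10_000, "svc-account"), [], policy)
    new_dest = evaluate_withdrawal(
        Withdrawal(now, "TNeverSeen", 10_000, "svc-account"), [], policy)
    drain = evaluate_withdrawal(
        Withdrawal(now, "TKnownPayout1", 45_000, "svc-account"),
        sample_history(now), policy)
    return quiet, new_dest, drain


if __name__ == "__main__":
    for label, result in zip(("routine", "new destination", "drain"), demo()):
        print(f"{label}: {result}")
```

The third case is the one that matters for a hot-wallet drain: each request stays under the single-transaction cap, so only the rolling aggregate exposes it, which is why the check must see history and not just the request in hand.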
Money Laundering and The Blockchain
The Inadequacy of Blockchain Scoring Systems
- Standard Procedures Post-Hacking: Following the CoinsPaid breach, the company immediately informed all key exchanges and cybersecurity agencies, sharing specifics about the hackers’ addresses.
- The Markup Challenge: Propagating a risk label (markup) from a flagged address to the addresses that subsequently receive its funds can take up to an hour. In that window the hackers can move funds to fresh addresses faster than the systems can mark and flag them, which makes blockchain scoring largely ineffective against a fast-moving laundering chain.
Tracing the Stolen Funds: Match Systems Comes to the Rescue
Partnering with Experts
CoinsPaid collaborated with Match Systems, a prominent figure in cybersecurity that specializes in blockchain analytics. Their track record boasts the recovery of over $70,000,000 in multiple criminal cases.
Immediate Post-Attack Measures
- Blacklisting the hackers’ addresses on all leading blockchain analyzers.
- Urgently notifying all significant cryptocurrency exchanges and AML officers about the hackers’ addresses.
- Adding the hackers’ addresses to the Match Systems watchlist.
Detailed Money Trail Analysis
Match Systems used a combination of blockchain analyzers, native explorers, and their tools to trace the flow of the stolen funds, even when they crossed chains through exchanges and swap services.
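Two points above can be shown together: the fund-flow trace that follows stolen assets hop by hop and across chains through a swap service, and the earlier observation that a risk label propagating with a delay arrives after the funds have already moved on. The following is an added example, not Match Systems' or CoinsPaid's tooling: it runs a breadth-first taint walk over a constructed ledger, treats a swap service's payout addresses on other chains as carrying the same taint (the link table is an assumed attribution), and then counts how many downstream outflows would have left before a label with a given delay reached them. All addresses, amounts and timings are constructed.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Transfer:
    when: datetime
    chain: str
    src: str
    dst: str
    asset: str
    amount: float


# Constructed attribution: a swap service's deposit address on Tron pays out from
# these addresses on other chains. Analysts obtain such links from the service,
# from explorers, or by matching timing and amounts; nothing here is real data.
SERVICE_LINKS = {
    "swap_svc_in": [("swap_svc_out_eth", "ethereum"), ("swap_svc_out_avax", "avalanche")],
}


def sample_transfers():
    """Constructed ledger, not the real CoinsPaid trail."""
    t0 = datetime(2023, 7, 22, 21, 0)

    def m(k):
        return t0 + timedelta(minutes=k)

    return [
        Transfer(m(0), "tron", "hacker_1", "hop_a", "USDT", 1_000_000),
        Transfer(m(10), "tron", "unrelated", "merchant", "USDT", 50),
        Transfer(m(12), "tron", "hop_a", "hop_b", "USDT", 999_000),
        Transfer(m(25), "tron", "hop_b", "swap_svc_in", "USDT", 999_000),
        Transfer(m(40), "ethereum", "swap_svc_out_eth", "eth_1", "ETH", 300),
        Transfer(m(55), "avalanche", "swap_svc_out_avax", "avax_1", "AVAX", 20_000),
    ]


def sample_seeds():
    """Addresses reported as the attackers' right after the theft (constructed):
    {address: (time it was flagged, chain)}."""
    return {"hacker_1": (datetime(2023, 7, 22, 21, 0), "tron")}


def trace_taint(transfers, seeds, service_links):
    """Breadth-first walk over outgoing transfers from the seed addresses.
    Returns {address: (hops_from_seed, time_first_tainted, chain)}."""
    out_edges = defaultdict(list)
    for t in transfers:
        out_edges[t.src].append(t)
    tainted, queue = {}, deque()

    def mark(addr, hops, when, chain):
        if addr in tainted:
            return
        tainted[addr] = (hops, when, chain)
        queue.append(addr)
        for linked, linked_chain in service_links.get(addr, []):
            mark(linked, hops, when, linked_chain)   # same funds, other chain

    for addr, (when, chain) in seeds.items():
        mark(addr, 0, when, chain)
    while queue:
        addr = queue.popleft()
        hops, since, _ = tainted[addr]
        for t in sorted(out_edges[addr], key=lambda x: x.when):
            if t.when >= since:                   # only outflows after the taint arrived
                mark(t.dst, hops + 1, t.when, t.chain)
    return tainted


def chains_reached(tainted):
    return sorted({chain for _, _, chain in tainted.values()})


def outflows_before_flag(transfers, tainted, flag_delay_minutes):
    """Outgoing transfers from downstream (non-seed) tainted addresses that left
    before a label propagating with the given delay would have reached them."""
    delay = timedelta(minutes=flag_delay_minutes)
    return [t for t in transfers
            if t.src in tainted and tainted[t.src][0] > 0
            and t.when < tainted[t.src][1] + delay]


if __name__ == "__main__":
    tainted = trace_taint(sample_transfers(), sample_seeds(), SERVICE_LINKS)
    print("tainted:", sorted(tainted))
    print("chains:", chains_reached(tainted))
    for delay in (5, 60):
        print(f"outflows escaping a {delay}-minute label delay:",
              len(outflows_before_flag(sample_transfers(), tainted, delay)))
```

With the constructed ledger every downstream hop moves within an hour of receiving funds, so a one-hour label delay lets all four onward transfers through, while a five-minute delay catches them all; the trace itself still reaches the Ethereum and Avalanche legs only because the swap service's payout addresses were linked to its deposit address.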
Major Destinations: Funds Mostly Moved to SwftSwap
Tracing the Stolen Money
The majority of the stolen funds landed in the SwftSwap service as USDT tokens. Subsequent movements of these funds took them to the Ethereum, Avalanche, and Bitcoin blockchains.
Connecting the Dots to Previous Hacks
A significant amount of funds on SwftSwap were linked to addresses previously associated with the Atomic Wallet hack. This similarity points towards a common perpetrator, possibly the Lazarus group.
Cost of the Attack to Hackers: Not as Profitable as They Thought
- Losses in Token Exchange: A large portion of the stolen assets was lost due to market dynamics. When the hackers exchanged vast amounts of USDT for TRX, they incurred substantial price slippage, which amounted to almost 10% of their haul.
- Additional Overheads: Further losses, up to 5%, came from commission fees, token sale discounts due to their questionable history, and other miscellaneous expenses. These include costs for procuring accounts on exchanges, hacking tools, and remote administration programs.
The CoinsPaid incident underscores the lengths to which sophisticated hacker groups will go to achieve their objectives. By understanding the tactics used by groups like Lazarus, businesses can better fortify themselves against future attacks.