Notorious North Korean hacking group Lazarus is suspected to have been behind the exploit of cryptocurrency payments platform CoinsPaid.
The attack, which took place on July 22, saw hackers compromise CoinsPaid’s internal systems and get away with $37 million in crypto from company reserves.
CoinsPaid Believes North Korean State-Sponsored Hacking Group Behind Exploit
According to an official statement released by the company, it holds Lazarus Group responsible for the hack. CoinsPaid also apologized to customers for going offline, as the attack had affected all services on the platform.
The crypto payments provider said that user funds “stayed intact” during the hack, but the attack did considerable damage to the platform’s availability, and company revenue was heavily affected.
CEO Max Krupyshev announced that after a few days of downtime, CoinsPaid services are back up and running in a “new secured environment” with limited capacity. The chief underlined that he expects the platform to take a few more days to “sort out minor details” and ensure that all its systems function smoothly.
CoinsPaid believes that the cybercriminals expected the attack to yield a much larger bounty than it did. The company thanked its security team, which worked “tirelessly” to fortify the systems and minimize the impact, leaving Lazarus with a “record-low reward”. CoinsPaid said its security measures and procedures were instrumental in preventing a far larger loss.
CoinsPaid Working With Law Enforcement and Cybersecurity Agencies To Track Stolen Funds
While CoinsPaid did not explain how the attack took place or which assets were stolen, the hack forced the platform to halt operations for four days. Immediately after the exploit, CoinsPaid got in touch with blockchain security firms Chainalysis, Match Systems, and Crystal to track down the stolen funds.
The crypto payments platform, with over 23 billion euros in total crypto transactions processed, filed a complaint with Estonian law enforcement three days later to further investigate the exploit.
Krupyshev is confident that Lazarus Group will be held accountable for the hack and will be brought to justice. CoinsPaid did not reveal which assets were stolen or how the attack took place.
On-chain security firm SlowMist attributed the hack to North Korean hackers because it resembled the recent attacks on Atomic Wallet and Alphapo, which together saw $160 million in crypto stolen from the two platforms.
SlowMist discovered that wallet TGGMvM3hCQnmDnteP2ynt3RVkrEp2S11Ag received 118,351,300 Tron (TRX) worth around $10 million from another wallet connected to the Alphapo incident – TJXXmeUbie3JBfK7H3UQb43sWnbhhdTJQx.
Interestingly, this address also received funds from the CoinsPaid hot wallet on the day of the hack. That amount was routed through wallets TNMW5iEH7CCudMTGFJA9Ch6KSf6J3hAJem and TJ6k7aisPehQFdwyEbasPjLCCHqYUb3xuf.
Further investigation revealed that TNMW5iEH7CCudMTGFJA9Ch6KSf6J3hAJem also received funds from TJXXmeUbie3JBfK7H3UQb43sWnbhhdTJQx, the wallet to which funds stolen in the Atomic Wallet hack were transferred.
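The attribution above rests on a standard on-chain tracing technique: treat transfers as edges of a directed graph, then check whether funds from the known-bad address and from the victim's hot wallet converge on the same collector, and which counterparties the intermediate hops share. The following is an added illustration of that technique and is not SlowMist's or CoinsPaid's code. It uses the four Tron addresses quoted above; the CoinsPaid hot wallet address is not given in the article and is a placeholder, and every transfer amount except the 118,351,300 TRX figure is constructed for the example.

```python
from collections import defaultdict, deque

# Addresses named in the SlowMist analysis quoted above.
ALPHAPO_LINKED = "TJXXmeUbie3JBfK7H3UQb43sWnbhhdTJQx"  # received Atomic Wallet loot
COLLECTOR = "TGGMvM3hCQnmDnteP2ynt3RVkrEp2S11Ag"       # received 118,351,300 TRX
HOP_A = "TNMW5iEH7CCudMTGFJA9Ch6KSf6J3hAJem"
HOP_B = "TJ6k7aisPehQFdwyEbasPjLCCHqYUb3xuf"
# The article does not publish the CoinsPaid hot wallet address: placeholder.
COINSPAID_HOT = "COINSPAID_HOT_WALLET_PLACEHOLDER"

# Constructed transfer list: (sender, receiver, amount in TRX).
# Only the 118,351,300 TRX edge is from the article; the rest are illustrative.
TRANSFERS = [
    (ALPHAPO_LINKED, COLLECTOR, 118_351_300),
    (COINSPAID_HOT, HOP_A, 5_000_000),
    (HOP_A, HOP_B, 4_990_000),
    (HOP_B, COLLECTOR, 4_980_000),
    (ALPHAPO_LINKED, HOP_A, 1_000_000),
    ("TUNRELATED_SENDER_PLACEHOLDER", HOP_B, 10),  # noise edge, constructed
]


def build_graph(transfers):
    """Forward and reverse adjacency lists keyed by address."""
    fwd = defaultdict(list)  # sender -> [(receiver, amount)]
    rev = defaultdict(list)  # receiver -> [(sender, amount)]
    for sender, receiver, amount in transfers:
        fwd[sender].append((receiver, amount))
        rev[receiver].append((sender, amount))
    return fwd, rev


def reachable(fwd, start):
    """Every address that funds from `start` can reach (breadth-first)."""
    seen = {start}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        for nxt, _ in fwd[node]:
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def find_paths(fwd, src, dst, max_hops=4):
    """All simple transfer paths from src to dst with at most max_hops edges."""
    paths = []

    def dfs(node, path):
        if node == dst:
            paths.append(list(path))
            return
        if len(path) > max_hops:
            return
        for nxt, _ in fwd[node]:
            if nxt not in path:  # keep paths simple (no cycles)
                path.append(nxt)
                dfs(nxt, path)
                path.pop()

    dfs(src, [src])
    return paths


def shared_senders(rev, a, b):
    """Senders that paid into both a and b: a basic clustering signal."""
    return {s for s, _ in rev[a]} & {s for s, _ in rev[b]}


def inflow(rev, addr):
    """Total TRX received by addr across all recorded transfers."""
    return sum(amount for _, amount in rev[addr])


if __name__ == "__main__":
    fwd, rev = build_graph(TRANSFERS)
    print("collector inflow (TRX):", inflow(rev, COLLECTOR))
    for p in find_paths(fwd, COINSPAID_HOT, COLLECTOR):
        print("victim -> collector path:", " -> ".join(p))
    print("senders shared by collector and hop A:",
          shared_senders(rev, COLLECTOR, HOP_A))
    print("collector reachable from Alphapo-linked wallet:",
          COLLECTOR in reachable(fwd, ALPHAPO_LINKED))
```

Against real chain data the transfer list would be pulled from a Tron node or block explorer rather than embedded, but the two questions a responder asks are the same: is there a path from the victim wallet to an address already tied to a known campaign, and do the intermediate hops share counterparties with it.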
Lazarus – One of the World’s Most Feared Hacking Groups
The infamous hacking group has the crypto world frightened. Lazarus is believed to be behind some of the major crypto heists that occurred over the past year, such as Axie Infinity ($625 million), Horizon Bridge ($100 million), Atomic Wallet ($100 million), and Alphapo ($23 million).
The group is responsible for stealing an estimated $1.7 billion in digital assets from various crypto platforms, which it allegedly uses to fund North Korea’s weapons programs.
Earlier this month, the cloud-based software development platform GitHub warned that Lazarus is targeting users who are part of the cryptocurrency and cybersecurity sectors.
Cybersecurity platform Socket.Dev put out a blog post explaining that Lazarus is conducting a “social engineering campaign” targeting tech developers. The firm explained that the state-sponsored actors contact victims through messaging platforms like WhatsApp, build a rapport, and then lead them to fake GitHub repositories.
Once the victims enter their GitHub credentials, their accounts are compromised and their machines are infected through malicious NPM packages, which steal all available information, including private and administrative keys to crypto wallets.
Socket.Dev is urging software developers to closely review repository invitations before deciding to collaborate, and to be cautious when approached via social media by someone asking them to install NPM packages.
CoinsPaid said it will organize a round table discussion with all Lazarus victims to create a new initiative aimed at “minimizing and preventing such attacks in the future”. The company has asked major crypto platforms, including Binance, Kraken, Coinbase, Bitfinex, and OKX to become a part of the alliance.