Collaborating closely with cybersecurity firm Match Systems, CoinsPaid said that the attack was carried out by the notorious Lazarus Group.
According to CoinsPaid, the attack on its platform is similar to the one carried out against Atomic Wallet by the same group. In June 2023, the Lazarus Group stole over $100 million from Atomic Wallet in a cryptocurrency heist.
The group targeted more than 5,500 digital wallets, making this their largest operation since a similar attack on U.S. cryptocurrency company Harmony.
Atomic Wallet had previously acknowledged compromised wallets and sought assistance from Chainalysis for investigation.
In describing the process taken by the group, CoinsPaid said that the attack began in March 2023, as Lazarus hackers embarked on a relentless six-month endeavor to infiltrate the company’s impregnable defenses.
The attackers left no stone unturned, launching a barrage of attempts ranging from social engineering to DDoS and brute-force attacks.
Posing as a Ukrainian crypto-processing startup, the hackers approached key CoinsPaid engineers with seemingly innocent queries in March.
Then, the attacks escalated in April-May 2023, targeting CoinsPaid employees and customers.
The malicious campaign in June-July involved bribing and fake-hiring critical company personnel.
Finally, on July 22, 2023, a meticulously planned assault breached CoinsPaid’s infrastructure, leaving the company exposed to a full-scale intrusion.
Crypto.com job offer
Furthermore, the crypto firm said that the hackers exploited an employee’s interaction with a lucrative but fake job offer purporting to come from Crypto.com.
The interview process cunningly led to the installation of an application harboring malicious code.
The hackers then accessed profiles and keys from the compromised computer, effectively gaining entry to CoinsPaid’s infrastructure. Armed with this newfound access, the hackers identified a vulnerability in the cluster, through which they launched their attack.
Leveraging their in-depth knowledge, the attackers manipulated authorized requests, facilitating the withdrawal of funds from CoinsPaid’s hot wallets. However, internal security measures swiftly detected the breach, thwarting their efforts and preventing further damage.
Securing the crypto industry
In the wake of the incident, CoinsPaid said that, against the backdrop of widespread KYC measures and blockchain risk systems, the hackers still laundered the stolen funds effectively, exploiting blockchain intricacies and delays in the distribution of flagged addresses.
The company resolved to join forces with Match Systems to trace and halt the funds’ path, utilizing blacklists, notifications, and watchlists.
Much of the money flowed through SwftSwap, echoing tactics used by Lazarus in the Atomic Wallet breach.
It is also calling on all crypto platforms to advocate for stronger security practices. The company plans to catalyze the industry’s defenses through shared experiences and a roundtable discussion.