Translation: Wu Talks About Blockchain
On July 22, 2023, the cryptocurrency payment provider CoinsPaid was hacked, resulting in the theft of $37.3 million. According to security company investigations, the attackers were identified as the Lazarus hacker group. This article details the hacker attack on CoinsPaid, providing valuable insights for other cryptocurrency practitioners.
The following is the full content (original link):
Lazarus Hacker Group Associated with the Attack
Based on our internal investigation, we have reason to suspect that the top hacker organization Lazarus may be the mastermind behind the attack on CoinsPaid. The hackers used the same strategies and money laundering schemes that Lazarus used in a recent attack on Atomic Wallet.
The Lazarus organization has been described by the media as the “world’s top global cyber threat organization,” conducting hacking activities worldwide. Although the exact number of members and their names have not been confirmed, this cybercrime organization is linked to the North Korean government.
From 2009 to 2013, the “Trojan Operation” was Lazarus’s first major attack, targeting government websites in the United States and South Korea.
In 2014, Lazarus gained global recognition for its hack on Sony Pictures: the perpetrators released the company’s confidential files, including information about employees, their employment contracts, and even their family members.
In 2017, Lazarus struck again: the WannaCry ransomware attack in May 2017 was a global cyber attack targeting computers running the Microsoft Windows operating system, encrypting data and demanding bitcoin ransom. The hack lasted for four days and infected over 300,000 computers worldwide.
As the cryptocurrency market has become more popular and grown in capitalization, the Lazarus team has begun targeting numerous cryptocurrency platforms. So far, the list of affected companies includes more than 20, among them Axie Infinity ($625 million), Horizon Bridge ($100 million), and Atomic Wallet ($100 million).
There are many speculations about Lazarus’s long-term goals and the reasons for the increased frequency of attacks. Many experts believe that the team’s activities are an extension of North Korea’s desire to acquire foreign currency.
Hackers Spent 6 Months Tracking and Studying CoinsPaid
We now know that Lazarus spent six months attempting to penetrate the CoinsPaid system and find vulnerabilities. Since March 2023, we have been continuously recording various types of unsuccessful attacks on the company, from social engineering to DDoS and brute-force attacks.
March 27, 2023: CoinsPaid’s chief engineer received a request from a purported Ukrainian cryptocurrency processing startup containing a series of questions about the technical infrastructure, which had already been confirmed by three key developers of the company.
April and May 2023: we experienced four major attacks on our system aimed at gaining access to the account credentials of CoinsPaid employees and customers. The relentless and aggressive phishing attacks and social engineering activities against our team members continued.
June and July 2023: malicious activities involving bribery and false hiring of key company personnel took place.
July 7, 2023: a large-scale, carefully planned and prepared attack was launched on CoinsPaid’s infrastructure and applications. From 20:48 to 21:42, we recorded exceptionally high network activity involving over 150,000 different IP addresses.
The primary goal of the criminals was to trick key employees into installing software for remote computer control, thereby penetrating and accessing CoinsPaid’s internal systems. After six months of failed attempts, the hackers finally succeeded in attacking our infrastructure on July 22, 2023.
Social Engineering – The “Most Dangerous” Security Threat in 2023
Since it was impossible to breach the CoinsPaid system from the outside without gaining access to employee computers, the attackers used highly sophisticated and powerful social engineering techniques. According to CS Hub’s research, 75% of cybersecurity experts consider social engineering and phishing attacks the top threat in cybersecurity.
Fake LinkedIn recruitment, bribery, and manipulation of employees
People posing as recruiters from cryptocurrency companies contacted CoinsPaid employees via LinkedIn and various messaging tools, offering very high salaries. For example, some of our team members received job invitations with monthly salaries ranging from $16,000 to $24,000. During the interview process, the criminals attempted to persuade candidates to install the JumpCloud Agent or a special program in order to complete technical tasks.
JumpCloud is a directory platform that allows enterprises to verify, authorize, and manage users and devices; it was reportedly breached by the Lazarus Group hackers in July 2023, in an attack targeting its cryptocurrency users.
While getting an employee to install malicious software on their computer may seem like an obvious approach, the hackers spent six months studying every possible detail of CoinsPaid, our team members, our company’s structure, and more. Top hacker teams like Lazarus can construct a completely believable story to exploit potential targets.
Tracking the Steps of the Attack
In today’s highly digital world, deceiving a person is much easier than deceiving computer software. By manipulating a CoinsPaid employee, the hackers successfully attacked our infrastructure. One of our employees responded to a job invitation from Crypto.com. During the interview, they were given a test task that required installing an application containing malicious code. When the employee opened the test task, data and keys were stolen from the computer and used to establish a connection to the company’s infrastructure. After gaining access to CoinsPaid’s infrastructure, the attackers exploited a vulnerability in the cluster and opened a backdoor. During the exploration phase, the knowledgeable criminals obtained information that allowed them to replicate legitimate requests to interact with the blockchain and extract funds from our operational repository.
In simple terms, the hackers gained access to create authorization requests, allowing them to extract funds from CoinsPaid’s hot wallet. These requests were considered valid and sent to the blockchain for further processing. However, the perpetrators failed to breach our hot wallet and directly access the private keys to the funds.
Internal security measures triggered our alarm systems, allowing us to quickly thwart the malicious activity and expel the hackers from the company’s infrastructure.
Blockchain Scoring Ineffective Against Money Laundering
Despite many cryptocurrency companies adopting KYC measures and using blockchain risk-scoring systems to detect suspicious activity, the criminals still managed to launder the money successfully. The reasons are as follows: