CoinsPaid attacked by North Korean hackers: fake recruitment, bribery, and manipulation of employees
Original Title: 《The Hack of Cryptocurrency Payment Provider Explained: We Know Exactly How Attackers Stole and Laundered $37M USD》
Author: CoinsPaid
Translated by: Wu Says Blockchain
On July 22, 2023, the cryptocurrency payment provider CoinsPaid was hacked, resulting in the theft of $37.3 million. According to the investigation carried out with a blockchain-analysis company, the attackers are believed to be the Lazarus hacker group. This article, written by CoinsPaid, details the incident and offers valuable insights for other cryptocurrency practitioners.
The full content is as follows:
The Lazarus Hacker Group Related to the Attack
Based on our internal investigation, we have reason to suspect that the prominent hacker organization Lazarus may be behind the attack on CoinsPaid. The attackers used the same tactics and money-laundering schemes employed in the recent Atomic Wallet attack.
The Lazarus organization has been described in the media as "the world's top cyber threat organization today" and conducts hacking activities around the globe. Although the exact number of members and their identities have not been confirmed, this cybercrime organization is linked to the North Korean government.
"Operation Troy", which ran from 2009 to 2013, was the first major campaign attributed to Lazarus; it targeted government websites in the United States and South Korea.
In 2014, Lazarus gained global recognition for its hack on Sony Pictures: the perpetrators released the company's confidential documents, including information about employees, their work contracts, and even their family members.
In 2017, Lazarus struck again with WannaCry, a global ransomware attack in May 2017 that targeted computers running Microsoft Windows, encrypting data and demanding a ransom in Bitcoin. The outbreak lasted four days and infected over 300,000 computers worldwide.
As the cryptocurrency market became increasingly popular and grew in capitalization, the Lazarus team began targeting numerous cryptocurrency platforms. To date, the list of victim companies includes over 20 firms, including Axie Infinity ($625 million), Horizon Bridge ($100 million), and Atomic Wallet ($100 million).
There are many speculations about Lazarus's long-term goals and the reasons for the increased frequency of attacks. Many experts believe that the team's activities are an extension of North Korea's desire to acquire foreign currency.
The Hackers Spent 6 Months Tracking and Researching CoinsPaid
We now know that Lazarus spent half a year trying to penetrate CoinsPaid's systems and look for vulnerabilities.
- Since March 2023, we have continuously recorded various types of unsuccessful attacks against the company, ranging from social engineering to DDoS and brute force attacks.
- On March 27, 2023, CoinsPaid's lead engineer received a request from a supposed Ukrainian crypto-processing startup containing a series of detailed questions about our technical infrastructure, which were confirmed by three of the company's main developers.
- In April and May 2023, we experienced four major attacks on our systems aimed at gaining access to CoinsPaid employees' and customers' accounts. Spam and phishing activities targeting our team members were persistent and highly aggressive.
- In June and July 2023, malicious activities involving bribery and manipulation of key company personnel took place.
- On July 7, 2023, a large-scale, well-planned and well-prepared attack was launched against CoinsPaid's infrastructure and applications. From 20:48 to 21:42, we recorded an unusually high level of network activity involving over 150,000 different IP addresses.
The main goal of the criminals was to trick key employees into installing remote-control software on their computers and thereby gain a foothold inside CoinsPaid's internal systems. After six months of failed attempts, the hackers finally succeeded in breaching our infrastructure on July 22, 2023.
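The July 7 traffic spike above (tens of thousands of distinct source addresses in under an hour) is the kind of signal a distinct-source-IP monitor catches early. The following is an added example, not CoinsPaid's tooling: it buckets a constructed access log into one-minute windows, counts distinct source addresses per window, and alerts when a window exceeds both an absolute floor and a multiple of the median of the preceding windows. The log format, the RFC 5737 documentation addresses and the thresholds are assumptions.

```python
"""Distinct-source-IP burst detector over an access log.

Added example (not CoinsPaid's tooling). Log format, addresses
(RFC 5737 documentation ranges) and thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from statistics import median


def build_sample_log():
    """Constructed log: '<ISO-8601 timestamp> <source ip> <request>'.
    Eight quiet minutes with 5 distinct IPs each, then one minute at
    20:48 in which 200 different addresses each hit the login endpoint."""
    lines = []
    t0 = datetime(2023, 7, 7, 20, 40, tzinfo=timezone.utc)
    for minute in range(8):
        for i in range(5):
            ts = t0 + timedelta(minutes=minute, seconds=i * 10)
            lines.append(f"{ts.isoformat()} 198.51.100.{i + 1} GET /api/balance")
    burst = t0 + timedelta(minutes=8)
    for i in range(200):
        ts = burst + timedelta(seconds=i % 60)
        lines.append(f"{ts.isoformat()} 203.0.113.{i + 1} POST /api/login")
    return lines


def parse_line(line):
    ts_str, ip, _request = line.split(" ", 2)
    return datetime.fromisoformat(ts_str), ip


def distinct_ips_per_window(lines, window_seconds=60):
    """Map window start (epoch seconds) -> number of distinct source IPs."""
    buckets = defaultdict(set)
    for line in lines:
        ts, ip = parse_line(line)
        epoch = int(ts.timestamp())
        buckets[epoch - epoch % window_seconds].add(ip)
    return {start: len(ips) for start, ips in sorted(buckets.items())}


def detect_bursts(counts, multiplier=5.0, min_ips=50, history=5):
    """Alert on windows whose distinct-IP count exceeds both an absolute
    floor and `multiplier` times the median of the previous `history`
    windows. Returns [(window_start_iso, count, baseline), ...]."""
    alerts = []
    starts = list(counts)
    for idx, start in enumerate(starts):
        prior = [counts[s] for s in starts[max(0, idx - history):idx]]
        if not prior:
            continue  # no baseline yet for the first window
        baseline = median(prior)
        n = counts[start]
        if n >= min_ips and n > multiplier * baseline:
            iso = datetime.fromtimestamp(start, timezone.utc).isoformat()
            alerts.append((iso, n, baseline))
    return alerts


if __name__ == "__main__":
    for iso, n, baseline in detect_bursts(distinct_ips_per_window(build_sample_log())):
        print(f"ALERT {iso}: {n} distinct IPs (baseline {baseline})")
```

The absolute floor keeps a quiet endpoint from alerting on a handful of new addresses, and the median baseline resists being dragged up by an earlier burst. In production the same logic runs per endpoint (login and API-key paths get tighter thresholds than static content) and feeds the separate security log store rather than the application's own logs.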
Social Engineering — The "Most Dangerous" Security Threat of 2023
As it was impossible to breach CoinsPaid's systems from the outside without gaining access to employees' computers, the attackers employed highly sophisticated and powerful social engineering techniques. According to research from CS Hub, 75% of cybersecurity experts believe that social engineering and phishing attacks are the number one threat in cybersecurity.
Impersonating LinkedIn Recruitment, Bribery, and Manipulating Employees
People posing as recruiters from cryptocurrency companies contacted CoinsPaid employees via LinkedIn and various messaging tools, offering very high salaries. For example, some of our team members received job offers with monthly salaries ranging from $16,000 to $24,000. During the interview process, the criminals attempted to entice candidates into installing the JumpCloud Agent or a special program to complete a technical task.
JumpCloud is a directory platform that allows businesses to verify, authorize, and manage users and devices, and it was reportedly hacked by the Lazarus Group in July 2023, targeting its cryptocurrency users.
While an attempt to get employees to install malware on their computers might seem easy to spot, the hackers spent six months learning every possible detail about CoinsPaid, our team members, our company's structure, and more. Top hacker teams like Lazarus can build a completely credible story to exploit a target.
Step-by-Step Tracking of the Attack
In today's highly digital world, deceiving a person is much easier than deceiving computer software. By manipulating an employee of CoinsPaid, the hackers successfully attacked our infrastructure.
- One of our employees responded to a job invitation purporting to come from Crypto.com.
- During the interview, they received a test task that required installing an application containing malicious code.
- When the test task was opened, data and keys were stolen from the computer and used to establish a connection to the company's infrastructure.
- After gaining access to CoinsPaid's infrastructure, the attackers exploited a vulnerability in the cluster and opened a backdoor.
- During the exploration phase, the information gathered earlier allowed the attackers to replicate legitimate requests for interacting with the blockchain and to extract the company's funds from our operational storage.
In simple terms, the hackers gained access that allowed them to create authorization requests to withdraw funds from CoinsPaid's hot wallet. These requests were treated as valid and sent to the blockchain for further processing. However, the perpetrators did not compromise the hot wallet itself or obtain the private keys controlling the funds.
Internal security measures triggered the alarm system, enabling us to quickly halt the malicious activity and drive the hackers out of the company's environment.
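The attack path just described, valid-looking withdrawal requests created with a compromised credential and without the hot-wallet keys, is exactly the case a withdrawal gate should be designed for, and it is what the later recommendations on separation of duties, balance monitoring and minimal operational funds amount to in code. The following is an added example, not CoinsPaid's system: a gate that refuses to release funds on the strength of one request alone, applying a destination allowlist, a second approval from a different role for off-list destinations, a single-transfer limit, a rolling hourly outflow cap sized to the operational float, and an audit record of every decision. Roles, limits, addresses and the scenario are assumptions.

```python
"""Hot-wallet withdrawal gate that does not release funds on the strength
of one valid-looking authorization request.

Added example, not CoinsPaid's system. Roles, limits, addresses and the
scenario below are assumptions.
"""
from collections import deque
from dataclasses import dataclass, field


@dataclass
class Request:
    req_id: str
    requester: str
    role: str              # role of the credential that created the request
    destination: str
    amount: float
    minute: int            # submission time, minutes since an arbitrary epoch
    approvals: set = field(default_factory=set)  # {(user, role), ...}


@dataclass
class WithdrawalGate:
    allowlist: set         # pre-registered settlement destinations
    hourly_cap: float      # rolling 60-minute outflow cap, sized to the float
    max_single: float      # largest single transfer the hot wallet may send
    released: deque = field(default_factory=deque)  # (minute, amount)
    audit: list = field(default_factory=list)

    def _outflow_last_hour(self, now):
        while self.released and self.released[0][0] <= now - 60:
            self.released.popleft()
        return sum(amount for _, amount in self.released)

    def _check(self, req):
        """Return None to release, or the reason to hold."""
        if req.amount > self.max_single:
            return "exceeds single-transfer limit"
        if self._outflow_last_hour(req.minute) + req.amount > self.hourly_cap:
            return "exceeds rolling hourly cap"
        if req.destination not in self.allowlist:
            # An off-list destination needs a second person holding a
            # different role; the requester cannot approve their own request,
            # so one stolen credential is never enough.
            other_roles = {role for user, role in req.approvals if user != req.requester}
            if not (other_roles - {req.role}):
                return "off-allowlist destination needs second-role approval"
        return None

    def decide(self, req):
        reason = self._check(req)
        verdict = "release" if reason is None else f"hold: {reason}"
        self.audit.append((req.req_id, req.requester, req.destination, req.amount, verdict))
        if reason is None:
            self.released.append((req.minute, req.amount))
        return verdict


def run_scenario():
    """Legitimate settlements beside an attacker holding a stolen ops credential."""
    gate = WithdrawalGate(allowlist={"MERCHANT_A", "MERCHANT_B"},
                          hourly_cap=500_000, max_single=200_000)
    v = {}
    v["settlement"] = gate.decide(Request("r1", "ops_alice", "ops", "MERCHANT_A", 150_000, 0))
    # attacker replays a well-formed request to a fresh cash-out address
    v["sweep"] = gate.decide(Request("r2", "ops_alice", "ops", "ATTACKER_1", 190_000, 1))
    # attacker "approves" with the same stolen credential
    v["self_approve"] = gate.decide(Request("r3", "ops_alice", "ops", "ATTACKER_1", 190_000, 2,
                                            approvals={("ops_alice", "ops")}))
    # genuine off-list payout, countersigned by treasury
    v["countersigned"] = gate.decide(Request("r4", "ops_alice", "ops", "VENDOR_NEW", 190_000, 3,
                                             approvals={("treasury_bob", "treasury")}))
    # allowlisted destination, but the rolling cap is now exhausted
    v["cap"] = gate.decide(Request("r5", "ops_carol", "ops", "MERCHANT_B", 170_000, 4))
    # single transfer above the per-transaction limit
    v["oversize"] = gate.decide(Request("r6", "ops_carol", "ops", "MERCHANT_A", 250_000, 5))
    return v, gate.audit


if __name__ == "__main__":
    verdicts, audit = run_scenario()
    for name, verdict in verdicts.items():
        print(f"{name:13s} -> {verdict}")
```

The point of the rolling cap is that even an attacker who clears every other check (or who has compromised an allowlisted counterparty) can drain at most one hour's float before the gate holds, which bounds the loss to the size of the operational balance the business actually needs. Held requests go to a human with the audit record, and the second approver's credential must live on a different workstation and identity than the requester's, or the fake-recruitment path compromises both at once.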
Blockchain Scoring Ineffective Against Money Laundering
Despite many cryptocurrency companies adopting KYC measures and using blockchain risk scoring systems to detect suspicious activities, the perpetrators still successfully laundered money. The reasons are as follows:
Following the standard procedure after any hacking incident, CoinsPaid notified all major exchanges and cybersecurity companies about the event and provided the hacker addresses. These addresses were then tagged in the blacklists shared within the community to prevent further movement and laundering of the funds associated with them.
However, when funds move on to subsequent addresses, propagating the tags to those new addresses can take up to 60 minutes. According to our investigation, the CoinsPaid hackers moved funds to new addresses within minutes, before the tags could catch up with them.
This gap rendered blockchain scoring essentially ineffective at preventing or limiting the laundering schemes used by the 2023 attackers.
Funds Tracking: Tracing and Freezing Stolen Funds
To assist in the investigation, CoinsPaid partnered with Match Systems, a leader in cybersecurity specializing in blockchain analysis, working with law enforcement and regulatory agencies to facilitate the return of stolen crypto assets. With the help of Match Systems experts, over $70 million has been recovered in dozens of criminal cases.
Immediately following the attack, a series of operational measures were taken to trace and potentially freeze the stolen funds.
Step 1: All major blockchain analyzers blacklisted the hacker's addresses.
Step 2: Urgent notifications were sent to all major cryptocurrency exchanges and AML officials, informing them of the hacker addresses containing the stolen assets.
Step 3: The hacker's addresses were placed on Match Systems' watchlist.
After taking these measures to increase the likelihood of temporarily blocking the stolen funds, Match Systems experts continued to track the flow of funds using blockchain analyzers, native block explorers, and the company's own tools. As the funds circulated through exchanges and swap services, additional tags were placed on the attackers' addresses to detect whether the funds had moved across chains.
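The tag-propagation delay discussed under "Blockchain Scoring Ineffective Against Money Laundering" and the tracing steps just listed can both be reproduced on a small transfer graph. The following is an added example, not CoinsPaid's or Match Systems' tooling: it propagates taint from a seed address hop by hop in time order, reconstructs the path to any downstream address, and then simulates an exchange's deposit screening with a 60-minute tag delay versus immediate propagation. The ledger, address labels and timings are constructed.

```python
"""Hop-by-hop taint tracing and a simulation of tag-propagation delay.

Added example, not CoinsPaid's or Match Systems' tooling. The ledger,
address labels and timings are constructed; 60 minutes is the tag
propagation delay the article cites.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Transfer:
    minute: int     # minutes after the theft
    src: str
    dst: str
    amount: float


# Constructed ledger: the hacker address HACK_0 fans out through fresh
# hops and reaches an exchange deposit address nine minutes after the theft.
LEDGER = [
    Transfer(0, "VICTIM_HOT", "HACK_0", 1000.0),
    Transfer(2, "HACK_0", "HOP_1", 600.0),
    Transfer(2, "HACK_0", "HOP_2", 400.0),
    Transfer(5, "HOP_1", "HOP_3", 600.0),
    Transfer(9, "HOP_3", "EXCHANGE_DEPOSIT", 600.0),       # fast leg
    Transfer(30, "CLEAN_USER", "EXCHANGE_DEPOSIT", 50.0),  # unrelated customer
    Transfer(70, "HOP_2", "EXCHANGE_DEPOSIT", 400.0),      # slow leg
]


def propagate_taint(ledger, seeds):
    """Walk transfers in time order. An address is tainted the first time it
    receives from a tainted source ('poison' model: any tainted input taints
    the whole output). Returns {address: (minute_first_tainted, parent)}."""
    tainted = {s: (0, None) for s in seeds}
    for t in sorted(ledger, key=lambda x: x.minute):
        if t.src in tainted and t.dst not in tainted:
            tainted[t.dst] = (t.minute, t.src)
    return tainted


def trace_back(taint, address):
    """Hop chain from the seed to `address`, e.g. ['HACK_0', 'HOP_1', ...]."""
    path = []
    while address is not None:
        path.append(address)
        address = taint[address][1]
    return path[::-1]


def screen_deposits(ledger, taint, delay_minutes, exchange="EXCHANGE_DEPOSIT"):
    """Simulate an exchange's deposit screening against a shared tag feed:
    a deposit is blocked only if the sender's tag is already published, and
    a tag becomes visible `delay_minutes` after the sender first received
    tainted funds. Returns {sender: 'blocked' | 'accepted'}."""
    verdicts = {}
    for t in ledger:
        if t.dst != exchange:
            continue
        entry = taint.get(t.src)
        visible = entry is not None and entry[0] + delay_minutes <= t.minute
        verdicts[t.src] = "blocked" if visible else "accepted"
    return verdicts


if __name__ == "__main__":
    taint = propagate_taint(LEDGER, {"HACK_0"})
    print("path:", " -> ".join(trace_back(taint, "EXCHANGE_DEPOSIT")))
    print("60 min tag delay:", screen_deposits(LEDGER, taint, 60))
    print("immediate propagation:", screen_deposits(LEDGER, taint, 0))
```

With the 60-minute delay the fast leg through HOP_3 lands on the exchange nine minutes after the theft and is accepted, while only the slow leg through HOP_2 is caught; with the exchange propagating taint itself from the seed addresses on the live transaction stream, both legs are blocked. The poison model over-taints (one tainted satoshi marks a whole output), which is acceptable for a hold-and-review queue but not for an automatic freeze; a proportional model that carries tainted fractions through each transfer is the usual refinement.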
The Vast Majority of Funds Withdrawn to SwftSwap
Based on the above steps, we were able to fully trace the stolen funds. The vast majority of the funds were withdrawn to the SwftSwap service in the form of USDT tokens on the Avalanche-C blockchain. Subsequently, part of the funds was sent in a second round to the Ethereum blockchain and further transferred to Avalanche and Bitcoin networks.
In fact, most of the funds passing through SwftSwap were withdrawn to the attackers' large-volume addresses. These same addresses were used to move the funds stolen from Atomic Wallet, giving us further reason to believe that Lazarus is responsible for this attack.
So far, the laundering activities of the CoinsPaid hackers are ongoing, and we will continue to closely monitor this lead with Match Systems experts.
Loss of 15% in Fees and Price Fluctuations
Preliminary estimates indicate that a significant portion of the stolen funds is likely to be lost due to the hackers' "operational costs."
- 10% was lost in a one-time large "market" swap of tokens: the sell orders consumed most of the order book, causing significant price slippage. The largest losses occurred when the hackers initially exchanged USDT for TRX.
- 5% was lost in commissions, discounts applied to tokens with questionable histories, and other fees. This also includes the cost of purchasing "drop" (mule) accounts registered on exchanges and payment services, as well as the cost of the hackers' tooling and remote-administration software.
Lazarus Used Similar Strategies in the Atomic Wallet Attack
Experts from Match Systems identified a similar pattern previously used by Lazarus in its recent $100 million attack on Atomic Wallet.
- Using the Same Swap Services and Mixers
The hackers utilized swap services such as SunSwap, SwftSwap, and SimpleSwap, as well as the Sinbad cryptocurrency mixer, to launder illegally obtained funds without any KYC and AML procedures.
The trading volume chart for Sinbad shows a significant spike in operational volume during both attacks, and there were notable fluctuations in balances on the cluster.
- Extracting Stolen Funds via Avalanche Bridge
In the hacks of CoinsPaid and Atomic Wallet, most of the stolen funds were sent to the SwftSwap cryptocurrency service in the form of USDT on Avalanche-C. A small portion of the stolen funds was sent to the Yobit exchange.
Similar to the Sinbad mixer, the trading volume chart for the SwftSwap service shows a noticeable increase in transaction numbers during the attacks on Atomic Wallet and CoinsPaid.
Lessons Learned from the Hacking Incident
This unfortunate event provided CoinsPaid with valuable experiences and insights that can help reduce the number of hacking incidents in the cryptocurrency market and the scale of their impact on the industry.
Here is a practical list of recommendations compiled by our security experts for other cryptocurrency providers, which can significantly enhance their ability to defend against hackers.
- Do not ignore cybersecurity incidents such as attempts to breach the company's infrastructure, social engineering, phishing, etc. They may be a sign that hackers are preparing a large-scale attack.
- Explain to employees how criminals use fake job invitations, bribery, and even requests for seemingly harmless technical advice to gain access to company infrastructure.
- Implement security practices for privileged users.
- Implement the principles of separation of duties and least privilege.
- Ensure the protection of employee workstations.
- Keep infrastructure components updated.
- Segment the network and implement authentication and encryption between infrastructure components.
- Create a separate security log store and ship all relevant events to it.
- Set up monitoring and alerting for all suspicious activity in infrastructure and applications.
- Build a threat model of likely attackers, including insiders, and take appropriate measures against the threats and risks faced by your business.
- Track operational balances and monitor for abnormal movements and behavior.
- Reduce the company's operational funds to the necessary minimum.