Estonian digital asset payment processor CoinsPaid has experienced its second security breach in the last six months, resulting in unauthorized transactions totaling nearly $7.5 million, as reported by web3 security firm Cyvers.
Cyvers’ AI system detected multiple irregular transactions at 1:26 pm GMT on January 6, leading to the withdrawal of $6.1 million worth of digital assets, including Tether (USDT), Ether (ETH), USD Coin (USDC), and CoinsPaid’s native token CPD. The attacker allegedly exchanged approximately 97 million CPD tokens, valued at around $368,000, for ETH, subsequently transferring the funds to externally owned accounts (EOAs) and various cryptocurrency exchanges, including MEXC, WhiteBit, and ChangeNOW.
Further analysis by Cyvers uncovered additional unauthorized transactions involving BNB (Binance Coin) worth over $1 million, bringing the total stolen amount close to $7.5 million. Cyvers shared transaction details on social media, including the hacker’s address.
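The detection described above rests on spotting outflows that break a wallet's normal pattern: large single transfers, a burst of value leaving within minutes, and destinations that have never been paid before. The following Python is an added illustration of that kind of rule-based check, not Cyvers' system or CoinsPaid's code. The transfers, addresses, limits and allowlist are all constructed for the example and only loosely mirror the amounts the article reports.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Iterable, List, Set, Tuple


@dataclass(frozen=True)
class Transfer:
    ts: datetime        # confirmation time (UTC)
    token: str          # asset symbol
    amount_usd: float   # value of the transfer at the time it occurred
    dest: str           # destination address


def _t(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


# Constructed sample outflows from a hypothetical treasury hot wallet.
# Addresses and amounts are invented; they are not on-chain data.
SAMPLE_TRANSFERS: List[Transfer] = [
    Transfer(_t("2024-01-06T09:10:00Z"), "USDT", 8_500.0, "0xmerchant-payout-1"),
    Transfer(_t("2024-01-06T11:45:00Z"), "ETH", 21_000.0, "0xmerchant-payout-2"),
    Transfer(_t("2024-01-06T13:26:00Z"), "USDT", 1_900_000.0, "0xnew-eoa-1"),
    Transfer(_t("2024-01-06T13:27:30Z"), "ETH", 1_400_000.0, "0xnew-eoa-1"),
    Transfer(_t("2024-01-06T13:29:00Z"), "USDC", 1_200_000.0, "0xnew-eoa-2"),
    Transfer(_t("2024-01-06T13:31:00Z"), "CPD", 368_000.0, "0xnew-eoa-2"),
    Transfer(_t("2024-01-06T15:00:00Z"), "USDT", 9_900.0, "0xmerchant-payout-1"),
]

# Constructed allowlist of destinations this wallet is expected to pay.
ALLOWLIST: Set[str] = {"0xmerchant-payout-1", "0xmerchant-payout-2"}


def flag_irregular(
    transfers: Iterable[Transfer],
    allowlist: Set[str],
    per_tx_limit_usd: float = 100_000.0,
    window: timedelta = timedelta(minutes=10),
    window_limit_usd: float = 500_000.0,
) -> List[Tuple[Transfer, List[str]]]:
    """Return (transfer, reasons) for every outflow that trips at least one rule.

    Rules (thresholds are illustrative, not an operator's real policy):
      1. destination is not on the allowlist
      2. a single transfer exceeds per_tx_limit_usd
      3. total outflow in the trailing window exceeds window_limit_usd
    """
    flagged: List[Tuple[Transfer, List[str]]] = []
    ordered = sorted(transfers, key=lambda t: t.ts)
    for i, tx in enumerate(ordered):
        reasons: List[str] = []
        if tx.dest not in allowlist:
            reasons.append("destination not on allowlist")
        if tx.amount_usd > per_tx_limit_usd:
            reasons.append(f"single transfer of {tx.amount_usd:,.0f} USD exceeds per-tx limit")
        # Trailing window: everything confirmed in (tx.ts - window, tx.ts].
        window_start = tx.ts - window
        total = sum(t.amount_usd for t in ordered[: i + 1] if t.ts >= window_start)
        if total > window_limit_usd:
            reasons.append(f"{total:,.0f} USD left the wallet within {window}")
        if reasons:
            flagged.append((tx, reasons))
    return flagged


def flagged_total_usd(flagged: List[Tuple[Transfer, List[str]]]) -> float:
    """Sum of the value in flagged transfers, the figure an incident report would cite."""
    return sum(tx.amount_usd for tx, _ in flagged)


if __name__ == "__main__":
    hits = flag_irregular(SAMPLE_TRANSFERS, ALLOWLIST)
    for tx, why in hits:
        print(f"{tx.ts.isoformat()} {tx.token:<5} {tx.amount_usd:>12,.0f} -> {tx.dest}: {'; '.join(why)}")
    print(f"flagged total: {flagged_total_usd(hits):,.0f} USD across {len(hits)} transfers")
```

On the constructed data the two routine merchant payouts pass, while the four transfers in the 13:26 to 13:31 burst are each caught by all three rules; the allowlist rule alone would have caught them even with generous value limits, which is why destination policy matters as much as thresholds for a wallet that signs withdrawals automatically.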
As of now, CoinsPaid has not issued any official updates or announcements regarding the security breach.
CoinsPaid Faces Second Major Security Breach
The recent security incident marks the second breach for CoinsPaid within six months, following a prior hack in July 2023, where hackers made off with over $37.3 million. According to CoinsPaid, the recent breach involved an attacker deceiving one of its employees through a fake job interview, resulting in the download of malicious code that facilitated unauthorized access to CoinsPaid’s infrastructure.
In the July incident, the hackers employed sophisticated social engineering techniques by posing as potential employers and targeting individual workers. The compromised employee unwittingly downloaded malicious code, granting the hackers access to CoinsPaid’s infrastructure. Exploiting a vulnerability in the platform’s cluster, the attackers created a backdoor and acquired information that enabled them to mimic legitimate requests for interaction with the blockchain. This ultimately facilitated the withdrawal of funds from CoinsPaid’s operational storage vault.
CoinsPaid suspected the involvement of the Lazarus Group, a group notorious for sophisticated cyberattacks, in the July hack. The company collaborated with blockchain security firm Match Systems to trace the stolen funds, with a substantial portion identified on SwftSwap. The tactics used by the hackers in both the recent and July incidents closely resembled those associated with the Lazarus Group, heightening suspicion.
Following the recent breach, CoinsPaid filed a report with Estonian law enforcement three days after the incident to facilitate a comprehensive investigation. Blockchain security firms, including Chainalysis, Match Systems, and Crystal, played a crucial role in the first days of CoinsPaid’s investigation.
Lazarus Group’s Cryptocurrency Holdings Exceed $47 Million
With two significant security breaches within six months, CoinsPaid faces the formidable challenge of hardening its platform and infrastructure. The wider cryptocurrency industry, grappling with evolving threats, continues to struggle with securing payment gateways.
Of notable concern is the Lazarus Group, a notorious North Korean hacking organization, which reportedly holds cryptocurrency assets exceeding $47 million. The bulk of their holdings comprises Bitcoin (BTC). In a report from institutional crypto platform provider 21.co in October 2023, it was revealed that wallets associated with the Lazarus Group contained approximately 1,600 Bitcoin, 10,810 Ether (ETH), and 64,490 Binance Coin (BNB). The cumulative value of cryptocurrency in the hacker group’s wallets was estimated at a staggering $75 million at the time of the report.