CoinsPaid, in conjunction with Match Systems, conducted a detailed investigation of the recent attack by Lazarus Group, revealing the details of the hack and how the stolen funds were laundered.
CoinsPaid, the world’s largest crypto payment provider, disclosed the results of its investigation of the recent Lazarus Group attack on its infrastructure. The investigation was conducted in cooperation with Match Systems. The results show that the hackers spent about six months studying CoinsPaid and tracking the peculiarities of the company’s payment services. The company also tracked the hackers’ actions minute by minute during the attack and identified which services and platforms were used to launder the stolen funds.
The company had been under attack since March 2023. DDoS and brute-force methods were used to probe for vulnerabilities. For example, a massive attack on CoinsPaid’s infrastructure and applications was recorded on July 7. Within an hour, unusually high network activity was observed, with more than 150,000 different IP addresses involved in the attack.
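The July 7 observation above (a burst of more than 150,000 distinct source addresses within a single hour) is the kind of signal a defender wants to surface automatically rather than notice after the fact. The following Python script is an added illustration, not tooling from CoinsPaid or Match Systems: it buckets access-log lines by clock hour, counts distinct source IPs per bucket, and flags any hour whose count is both above an absolute floor and far above the median of the other hours, so that one burst cannot inflate its own baseline. The log format, the thresholds and the sample traffic (built from RFC 5737 documentation ranges) are all constructed assumptions.

```python
"""Flag clock-hour windows whose distinct-source-IP count is anomalous.

Added example for a defender; not CoinsPaid's or Match Systems' tooling.
Assumed log format (constructed): '<ISO timestamp>Z <src_ip> <method> <path> <status>'.
"""
from collections import defaultdict
from datetime import datetime, timezone
from statistics import median


def parse_line(line):
    """Parse one assumed-format line; return (hour window key, source IP)."""
    ts, ip, _method, _path, _status = line.split()
    dt = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return dt.strftime("%Y-%m-%dT%H:00Z"), ip


def distinct_ips_per_hour(lines):
    """Count distinct source IPs in each clock-hour window, keyed by window."""
    buckets = defaultdict(set)
    for line in lines:
        if not line.strip():
            continue
        hour, ip = parse_line(line)
        buckets[hour].add(ip)
    return {hour: len(ips) for hour, ips in sorted(buckets.items())}


def flag_windows(counts, absolute_threshold=300, ratio=10.0):
    """Return (window, count) pairs that exceed both an absolute floor and
    `ratio` times the median of the *other* windows. Thresholds here are
    illustrative choices, not values from the report."""
    flagged = []
    for hour, n in counts.items():
        others = [c for h, c in counts.items() if h != hour]
        baseline = median(others) if others else 0
        if n >= absolute_threshold and n > ratio * baseline:
            flagged.append((hour, n))
    return flagged


def build_sample_log():
    """Constructed traffic: three regular clients over six quiet hours, plus one
    hour in which 500 distinct sources (documentation ranges) hammer /login."""
    lines = []
    regular = ["203.0.113.10", "203.0.113.11", "203.0.113.12"]
    for hour in range(6, 12):
        for i, ip in enumerate(regular):
            lines.append(f"2023-07-07T{hour:02d}:{10 + i:02d}:00Z {ip} GET /api/v1/invoices 200")
    for i in range(500):
        ip = f"192.0.2.{i}" if i < 256 else f"198.51.100.{i - 256}"
        lines.append(f"2023-07-07T14:{i % 60:02d}:{i % 59:02d}Z {ip} POST /login 401")
    return lines


if __name__ == "__main__":
    counts = distinct_ips_per_hour(build_sample_log())
    for window, n in flag_windows(counts):
        print(f"ALERT {window}: {n} distinct source IPs")
```

Using the median of the remaining windows as the baseline is deliberate: a mean would be dragged upward by the very burst being tested. In production the same logic runs over a sliding window fed from the load balancer or WAF logs, and the alert should carry the top paths hit so that the responder can distinguish a credential-stuffing burst from a volumetric flood.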
Social engineering was also actively used. Throughout the spring, the hackers sought out details of the technical infrastructure in various ways. For instance, one of the attempts to obtain such information was disguised as a request from a Ukrainian crypto processing startup.
Social engineering techniques also involved aggressive email spamming and phishing aimed at gaining access to the CoinsPaid team members’ and customers’ accounts. In June and July, the hackers initiated fake hiring of critical company employees, sending out offers on LinkedIn and via different messengers.
Fake recruiters sent out job offers with salaries ranging from $16,000 to $24,000 per month. During the interview process, “candidates” were tricked into installing the JumpCloud Agent or a special program, containing malware, for completing technical tasks. According to the report, JumpCloud was apparently hacked in July 2023, specifically to attack cryptocurrency companies.
Notably, all actions were meticulously planned, looked extremely plausible, and raised no doubts in the victims’ minds. The hackers spent half a year studying CoinsPaid, gathering information about the structure and technical features of the company in order to create such conditions. Eventually, on July 22, 2023, the hackers were able to attack the company’s infrastructure. They gained access to an employee’s computer and obtained data to establish a connection to CoinsPaid’s infrastructure, after which they opened a backdoor by exploiting a vulnerability in the cluster.
The report points out that there was no way to compromise CoinsPaid’s systems externally. Nor could the attackers break into CoinsPaid’s hot wallets directly, as they had not obtained the private keys that would give direct access to funds. But the backdoor and careful technical preparation allowed them to create authorized requests to withdraw funds from hot wallets. The system accepted such requests as valid, and they were then sent to the blockchain for further processing. Some time later, internal security tools signaled suspicious activity, and the vulnerability was eliminated thereafter.
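The passage above describes the core failure mode: withdrawal requests that were properly authorized at the API level were accepted and broadcast, and only later did internal tooling flag them. The check a defender wants is one that judges a request on its own merits even when its credentials are valid. The following Python module is an added example, not CoinsPaid’s withdrawal system; it gates each hot-wallet withdrawal against a per-request cap, a rolling one-hour spend cap and a hold on destinations the wallet has never paid before, so that a stream of individually valid requests draining a wallet is rejected or parked for review rather than sent to chain. Caps, timestamps and destination strings are constructed placeholders.

```python
"""Policy gate for hot-wallet withdrawal requests.

Added example; not CoinsPaid's system. One WalletPolicy instance guards one hot
wallet. Caps and addresses below are constructed placeholders.
"""
from collections import deque
from dataclasses import dataclass, field

HOUR = 3600  # rolling window length in seconds


@dataclass
class Withdrawal:
    wallet: str
    destination: str
    amount: int  # smallest unit of the asset, e.g. cents or satoshi
    ts: int      # unix seconds


@dataclass
class WalletPolicy:
    per_request_cap: int
    hourly_cap: int
    known_destinations: set = field(default_factory=set)
    approved: deque = field(default_factory=deque)  # (ts, amount) of approved sends

    def _spent_last_hour(self, now):
        """Drop approvals older than one hour and return the remaining spend."""
        while self.approved and now - self.approved[0][0] >= HOUR:
            self.approved.popleft()
        return sum(a for _, a in self.approved)

    def evaluate(self, w):
        """Return (decision, reasons). 'reject' for hard cap breaches, 'hold' for
        a first-seen destination (manual review, not auto-broadcast), else 'approve'."""
        reasons = []
        spent = self._spent_last_hour(w.ts)
        if w.amount > self.per_request_cap:
            reasons.append("amount exceeds per-request cap")
        if spent + w.amount > self.hourly_cap:
            reasons.append("rolling hourly cap would be exceeded")
        if reasons:
            return "reject", reasons
        if w.destination not in self.known_destinations:
            return "hold", ["destination never paid before"]
        # Only approved sends count toward the rolling spend.
        self.approved.append((w.ts, w.amount))
        return "approve", reasons

    def release_hold(self, w):
        """Called after a human reviewer approves a held request: record the send
        and trust the destination for future requests."""
        self.known_destinations.add(w.destination)
        self.approved.append((w.ts, w.amount))


def process(policy, requests):
    """Evaluate a sequence of requests and return the decision for each."""
    return [policy.evaluate(w)[0] for w in requests]


def sample_run():
    """Constructed scenario: valid-looking requests that together exceed the hourly cap."""
    policy = WalletPolicy(per_request_cap=1000, hourly_cap=2500,
                          known_destinations={"addr-known-1"})
    reqs = [
        Withdrawal("hot-1", "addr-known-1", 800, 0),      # approve
        Withdrawal("hot-1", "addr-known-1", 900, 600),    # approve (1700 in window)
        Withdrawal("hot-1", "addr-known-1", 900, 1200),   # reject (would reach 2600)
        Withdrawal("hot-1", "addr-unseen", 100, 1300),    # hold (new destination)
        Withdrawal("hot-1", "addr-known-1", 500, 3700),   # approve (first send aged out)
    ]
    return process(policy, reqs)


if __name__ == "__main__":
    print(sample_run())
```

The hourly window is keyed on the request timestamp rather than wall-clock time so the gate is deterministic and testable; in deployment the timestamp comes from the signing service, not the caller. The important design point is that these limits live in a component the API tier cannot reconfigure, so a request that is “authorized” by a compromised internal host still has to clear controls that host does not own.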
Immediately after the attack, Match Systems specialists were brought in and carried out a set of operational measures to track and, where possible, freeze the stolen funds. As a result, the entire chain of transactions used by the hackers for money laundering was traced. Most of the assets, having passed through swap services, mixers, and Avalanche Bridge, were transferred to the attackers’ addresses through the SwftSwap service. They lost about 15% on fees and volatility. Work on recovering the stolen funds is ongoing.
Lazarus Group’s involvement is evidenced by the use of the same money laundering tactics and schemes used in the recent Atomic Wallet attack.
The CoinsPaid report provides more details and a list of recommendations to reduce the likelihood of similar incidents in the future. The company also plans to hold a special event with key players in the crypto payments market to share lessons learned and help minimize the impact of hacker attacks.
It’s worth noting that social engineering and phishing are regarded as the main threats to cybersecurity: 75% of professionals surveyed in the CS Hub research expressed this view. Specialists from the company also revealed that in 2022, the number of phishing attacks in the crypto market increased by 40% compared to the previous year.