Compiled by | Wu Talks about Blockchain

On July 22, 2023, the crypto payment provider CoinsPaid was hacked and $37.3 million was stolen. According to the security company's investigation, the attacker was the Lazarus hacker group. This article is CoinsPaid's own detailed account of the attack, published to share its experience with other crypto practitioners.

The following is the full text, original link:

https://coinspaid.com/tpost/k4r6jt90p1-the-coinspaid-hack-explained

Lazarus hacker group linked to the attack

Based on our internal investigation, we have reason to suspect that the top hacker group Lazarus may be behind the attack on CoinsPaid. The hackers used the same tactics and money laundering scheme that Lazarus used in the recent Atomic Wallet attack case.

The Lazarus Group has been touted by the media as "the world's top cyber threat group today," carrying out hacking activities around the world. Although the number of members and their names have not been determined, this cybercrime group is linked to the North Korean government.

Operation Troy was the first major attack by Lazarus from 2009–2013, targeting government websites in the United States and South Korea.

In 2014, Lazarus gained global recognition for its hack of Sony Pictures: the perpetrators released confidential company documents, including information about employees, their work contracts and even their family members.

In 2017, Lazarus struck again: The WannaCry ransomware attack was a global cyberattack in May 2017 that targeted computers running the Microsoft Windows operating system by encrypting data and demanding a ransom in Bitcoin. The hack lasted four days and resulted in more than 300,000 computers being infected worldwide.

As the crypto market became more popular and grew in capitalization, the Lazarus group began targeting numerous cryptocurrency platforms. So far, the list of victim companies includes more than 20 companies, including Axie Infinity ($625 million), Horizon Bridge ($100 million), and Atomic Wallet ($100 million).

There has been much speculation about Lazarus’ long-term goals and the reasons for the increased frequency of attacks. Many experts believe that the group’s activities are an extension of North Korea’s desire to obtain foreign currency.

Hackers spent 6 months tracking and researching CoinsPaid

We now know that Lazarus spent half a year trying to penetrate CoinsPaid systems and find vulnerabilities.

● Since March 2023, we have continuously documented unsuccessful attacks of various types against the company, from social engineering to DDoS and brute force.

● On March 27, 2023, CoinsPaid’s main engineer received a request from a so-called Ukrainian crypto-processing startup containing a series of questions regarding the technical infrastructure, which was confirmed by 3 of the company’s main developers.

● In April–May 2023, we experienced 4 major attacks on our systems with the goal of gaining account access to CoinsPaid employees and customers. Spam and phishing campaigns targeting our team members were persistent and extremely aggressive.

● In June–July 2023, a malicious campaign involving bribery and false employment of key company personnel was conducted.

● On July 7, 2023, a large-scale, well-planned and prepared attack was carried out against CoinsPaid’s infrastructure and applications. From 20:48 to 21:42, we recorded abnormally high network activity: more than 150,000 different IP addresses were involved.

The criminals’ main goal was to trick key employees into installing software to remotely control their computers, thereby infiltrating and accessing CoinsPaid’s internal systems. After 6 months of failed attempts, the hackers finally succeeded in attacking our infrastructure on July 22, 2023.

Social Engineering: The “Most Dangerous” Security Threat of 2023

Since it was impossible to hack into the CoinsPaid system from the outside without gaining access to an employee’s computer, the attackers used highly sophisticated and powerful social engineering techniques. According to research by CS Hub, 75% of cybersecurity experts consider social engineering and phishing attacks to be the top threats in cybersecurity.

Fake LinkedIn recruiting, bribing and manipulating employees

Posing as recruiters from cryptocurrency companies, the criminals contacted CoinsPaid employees through LinkedIn and various messaging tools, offering very high salaries. For example, some of our team members received job offers with monthly salaries of $16,000–24,000. During the interview process, the criminals tried to trick candidates into installing JumpCloud Agent or a special program in order to complete technical tasks.

JumpCloud, a directory platform that allows businesses to authenticate, authorize, and manage users and devices, was reportedly hacked by the Lazarus Group in July 2023 in an effort to target its cryptocurrency users.

While an attempt to get malware installed on an employee’s computer might seem easy to spot, the hackers spent 6 months learning every possible detail about CoinsPaid, our team members, our company structure, etc. Top hacking teams like Lazarus are able to create a completely believable story to exploit potential targets.

Tracing the attack steps step by step

In the modern, highly digital world, it is much easier to deceive a person than to deceive computer software. By manipulating a CoinsPaid employee, hackers successfully attacked our infrastructure.

1. One of our employees responded to a job offer that appeared to come from Crypto.com.

2. During the interview, they received a test task that required installing an application with malicious code.

3. Once the test task was opened, data and keys were stolen from the computer and used to establish a connection to the company's infrastructure.

4. After gaining access to the CoinsPaid infrastructure, the attackers exploited a vulnerability in the cluster and opened a backdoor.

5. During the exploration phase, the information obtained by the criminals enabled them to replicate legitimate requests to the blockchain interface and extract the company's funds from our operational wallets.

In simple terms, the hackers gained access that allowed them to create authorization requests to withdraw funds from CoinsPaid's hot wallet. These requests were deemed valid and sent to the blockchain for further processing. However, the perpetrators were unable to break into our hot wallet and directly obtain the private keys to access the funds.

Internal security measures triggered the alarm system, allowing us to quickly stop the malicious activity and drive the hackers out of the company's perimeter.

Blockchain risk scoring is not effective in combating money laundering

Despite many cryptocurrency companies adopting KYC measures and using blockchain risk scoring systems to detect suspicious activities, perpetrators still succeed in laundering money. Here are the reasons:

Following standard procedure after any hack, CoinsPaid notified all major exchanges and cybersecurity firms of the incident, providing the hacker addresses. These addresses were then tagged and the tags shared among the community to prevent further movement and laundering of funds associated with them.

However, when the funds were moved to subsequent addresses, it took up to 60 minutes for the tags to propagate. According to our findings, the CoinsPaid hackers moved the funds to new addresses within just a few minutes, well before the tags caught up with the perpetrators’ actions.

This vulnerability renders blockchain scoring largely ineffective in preventing and minimizing the impact of the 2023 hacker group’s money laundering scheme.

Funds Tracking: Track and stop stolen funds

To assist in the investigation, CoinsPaid has entered into a partnership with Match Systems, a leader in cybersecurity that specializes in blockchain analysis and works with law enforcement agencies and regulators to support the recovery of stolen crypto assets. With the help of Match Systems experts, more than $70 million has been recovered in dozens of criminal cases.

A series of operational measures were immediately implemented after the attack to track and potentially freeze the stolen funds.

Step 1: All major blockchain analyzers blacklisted the hacker’s addresses.

Step 2: An urgent notification was sent to all major cryptocurrency exchanges and AML officers, informing them of the hacker’s addresses holding the stolen assets.

Step 3: The hacker’s addresses were added to Match Systems’ watch list.

After taking the necessary steps to increase the probability of temporarily blocking the stolen funds, Match Systems experts continued to track the flow of funds through blockchain analyzers, native explorers, and the company’s own tools. Once the funds circulated through exchanges and exchange services, the attacker’s addresses were additionally marked to see if the funds had been moved across chains.

Most of the funds were withdrawn to SwftSwap

Based on the steps above, we were able to fully track the stolen funds. The vast majority of the funds were withdrawn to the SwftSwap service in the form of USDT tokens on the Avalanche-C blockchain. After that, part of the funds were sent to the Ethereum blockchain in a second round and further transferred to the Avalanche and Bitcoin networks.

In fact, most of the funds on SwftSwap were withdrawn to the attacker’s large transaction addresses. These same addresses were used to transfer the stolen funds from Atomic Wallet, giving us more reason to believe that Lazarus may be responsible for this attack.

As of now, the money laundering activities of the CoinsPaid hackers are still ongoing and we will continue to monitor this trail closely with Match Systems experts.

The hackers lost 15% to fees and price fluctuations

Initial estimates suggest that a significant portion of the stolen funds were likely lost to the hackers’ “operating costs.”

● 10% on one-time “market” exchanges of large amounts of tokens: the sales swept most of the order book, causing huge price slippage. The biggest losses occurred when the hacker initially exchanged USDT for TRX.

● 5% on commissions, discounts for selling tokens with a questionable history, and other fees. This also includes the additional cost of purchasing accounts registered to “drops” (mule accounts) on exchanges and payment services, as well as hacking and remote administration tools.

Lazarus hackers used a similar tactic in the Atomic Wallet attack

Experts at Match Systems discovered a similar pattern previously used by Lazarus in its recent $100 million attack on Atomic Wallet.

1. Use the same Swap service and mixer

The hackers used swap services such as SunSwap, SwftSwap, and SimpleSwap, as well as the Sinbad cryptocurrency mixer, which apply no KYC or AML procedures, to launder the illegally obtained funds.

Sinbad’s transaction volume graph shows significant spikes in volume during the two attacks, and significant fluctuations in the balance on the cluster.

2. Withdrawing stolen funds through Avalanche Bridge

In the hacks of CoinsPaid and Atomic Wallet, most of the stolen funds were sent in the form of USDT to the SwftSwap cryptocurrency service on Avalanche-C. A small amount of the stolen funds were sent to the Yobit exchange.

As with the Sinbad mixer, the transaction volume chart for the SwftSwap service shows a clear increase in the number of transactions during the attacks on Atomic Wallet and CoinsPaid.

Lessons Learned from the Hack

This unfortunate incident has provided CoinsPaid with some valuable learnings and insights that can help reduce the number of hacking incidents in the crypto market, as well as the scale of their impact on the industry.

Below is a list of practical advice compiled by our security experts for other cryptocurrency providers that, when implemented, can significantly improve your protection against hackers.

1. Do not ignore cybersecurity incidents such as attempts to hack into a company’s infrastructure, social engineering, phishing, etc. This could be a sign that hackers are preparing for a large-scale attack.

2. Explain to employees how criminals can use fake job offers, bribes, or even requests for harmless technical advice to gain access to company infrastructure.

3. Implement security practices for privileged users.

4. Implement the principles of separation of duties and least privilege.

5. Ensure protection of employee workstations.

6. Keep infrastructure components updated.

7. Segment the network and implement authentication and encryption between infrastructure components.

8. Create a separate secure log storage to upload all relevant events.

9. Set up monitoring and alerting systems for all suspicious activities in your infrastructure and applications.

10. Create a realistic intruder (threat) model and take appropriate actions based on the threats and risks to your business.

11. Track operating balances and monitor them for unusual movements and behavior.

12. Reduce the company’s working capital to the necessary minimum.
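Lesson 11 above, and the alarm that stopped the withdrawals described earlier, can be illustrated with a small hot-wallet outflow monitor. This is an added example, not CoinsPaid's code; the withdrawal feed, the destination labels and the thresholds are constructed for illustration.

```python
from collections import deque
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import median

@dataclass
class Withdrawal:
    ts: datetime   # time the withdrawal authorisation request was created
    amount: float  # USD-equivalent value
    dest: str      # destination address (hypothetical labels in the sample)

class HotWalletMonitor:
    """Flags hot-wallet withdrawal requests that deviate from normal operating behaviour."""

    def __init__(self, window=timedelta(minutes=10), window_limit=100_000.0,
                 spike_factor=5.0, new_dest_limit=10_000.0, min_history=5):
        self.window, self.window_limit = window, window_limit
        self.spike_factor, self.new_dest_limit = spike_factor, new_dest_limit
        self.min_history = min_history  # baseline needed before spike checks
        self.recent = deque()      # requests still inside the sliding window
        self.history = []          # every amount seen so far (trailing baseline)
        self.known_dest = set()    # destinations that have received funds before

    def check(self, w):
        """Return the list of alert reasons for w; an empty list means it looks routine."""
        alerts = []
        while self.recent and w.ts - self.recent[0].ts > self.window:
            self.recent.popleft()  # expire requests older than the window
        total = sum(x.amount for x in self.recent) + w.amount
        if total > self.window_limit:
            alerts.append(f"window: outflow {total:.0f} exceeds {self.window_limit:.0f}")
        if len(self.history) >= self.min_history:
            base = median(self.history)
            if w.amount > self.spike_factor * base:
                alerts.append(f"spike: {w.amount:.0f} is {w.amount / base:.1f}x trailing median")
        if w.dest not in self.known_dest and w.amount > self.new_dest_limit:
            alerts.append(f"new-dest: {w.amount:.0f} to never-seen address {w.dest}")
        self.recent.append(w)
        self.history.append(w.amount)
        self.known_dest.add(w.dest)
        return alerts

def run_sample():
    """Constructed feed: routine payouts, then a burst resembling forged authorisations."""
    t0 = datetime(2023, 7, 22, 20, 0)
    feed = [Withdrawal(t0 + timedelta(minutes=3 * i), 2_000.0, f"cust{i % 4}") for i in range(8)]
    feed += [Withdrawal(t0 + timedelta(minutes=25), 60_000.0, "0xNEW1"),
             Withdrawal(t0 + timedelta(minutes=26), 60_000.0, "0xNEW2")]
    mon = HotWalletMonitor()
    return [(w.dest, mon.check(w)) for w in feed]
```

The eight routine payouts pass silently; the first large transfer trips the spike and new-destination rules, and the second also exceeds the ten-minute outflow limit, which is the point at which a payment processor would pause the signing pipeline rather than forward the request to the chain.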