The Estonian payment processor for digital assets, CoinsPaid, has suffered its second security breach in the last six months, with unauthorized transactions totaling almost $7.5 million, web3 security firm Cyvers reported.
Cyvers’ artificial intelligence system identified multiple irregular transactions at 1:26 pm GMT on January 6, resulting in the withdrawal of $6.1 million worth of digital assets, including Tether (USDT), Ether (ETH), USD Coin (USDC), and CoinsPaid’s native token CPD.
The attacker reportedly swapped around 97 million CPD tokens, valued at approximately $368,000, for ETH and subsequently transferred the funds to externally owned accounts (EOAs) and various crypto exchanges, including MEXC, WhiteBit, and ChangeNOW.
🚨UPDATE🚨 After more investigation, our system has detected more unauthorized transactions on #BNB too involving @coinspaid
Hacker has got another $1M worth of digital assets 924K BSC-USD and 268.5 $BNB.
All together total loss is $7.5M
Hacker’s address:… https://t.co/877vBm0Uah pic.twitter.com/xD6tg9QznK
— 🚨 Cyvers Alerts 🚨 (@CyversAlerts) January 6, 2024
Further analysis by Cyvers revealed additional unauthorized transactions involving BNB (Binance Coin) worth over $1 million, bringing the total stolen amount close to $7.5 million. Cyvers shared details of the transactions on social media, including the hacker’s address.
As of now, CoinsPaid has not released any official updates or announcements regarding the security breach.
CoinsPaid Faces Second Major Security Breach
The recent security incident follows a previous hack in July 2023, where hackers stole over $37.3 million. According to CoinsPaid, the recent breach involved an attacker tricking one of its employees through a fake job interview, leading to the download of malicious code that granted unauthorized access to CoinsPaid’s infrastructure.
In the July incident, the hackers used sophisticated social engineering techniques, posing as potential employers and targeting individual workers. The compromised employee downloaded malicious code, providing the hackers with access to CoinsPaid’s infrastructure. The attackers exploited a vulnerability in the platform’s cluster, opening a backdoor and gaining knowledge that allowed them to reproduce legitimate requests for interaction with the blockchain. This ultimately enabled the withdrawal of funds from CoinsPaid’s operational storage vault.
CoinsPaid suspected the involvement of the Lazarus Group, a group known for its sophisticated cyberattacks, in the July hack. The company partnered with blockchain security firm Match Systems to track the stolen funds, with a significant portion traced to SwftSwap. The tactics employed by the hackers in both the recent and July incidents mirrored those associated with the Lazarus Group, adding to the suspicion.
CoinsPaid filed a report with Estonian law enforcement three days after the hack to facilitate a thorough investigation. Blockchain security firms, including Chainalysis, Match Systems, and Crystal, assisted in CoinsPaid’s preliminary investigation over the initial days.
Lazarus Group’s Cryptocurrency Holdings Exceed $47 Million
CoinsPaid faces the formidable task of securing its platform and infrastructure following two significant security breaches within six months. The crypto industry, grappling with evolving threats, has seen persistent challenges in fortifying the security of payment gateways.
Notably, the notorious Lazarus Group, a North Korean hacking organization, has reportedly amassed holdings exceeding $47 million in cryptocurrency, primarily consisting of Bitcoin (BTC).
According to a report from institutional crypto platform provider 21.co in October 2023, wallets linked to the Lazarus Group were found to contain approximately 1,600 Bitcoin, 10,810 Ether (ETH), and 64,490 Binance Coin (BNB). The cumulative value of cryptocurrency in the hacker group’s wallets was estimated at a staggering $75 million at the time of the report.