CoinsPaid Exploited For $37 Million By North Korea's Lazarus Group

CoinsPaid was the victim of an extensive and well-planned campaign of attacks by the Lazarus Group.


Crypto payment provider CoinsPaid was attacked in a well-organized and sustained phishing campaign, which culminated in a $37 million hack.

The attack was most likely carried out by the notorious Lazarus Group, a hacker collective sponsored by the North Korean state, which uses the proceeds of cybercrime and other organized crime to supplement the regime's limited revenues.

Lazarus Group has been responsible for some of the biggest hacks in the blockchain space, including the $100 million Harmony Bridge hack and the $600 million Ronin Bridge hack.

Relentless Phishing Attack

In the case of CoinsPaid, Lazarus Group spent six months researching the platform and carrying out a range of preliminary activities and probing attacks to test its defenses. In March the attack began in earnest, including a large DDoS attempt. Employees were also sent fake job offers, a common lure used to gain their confidence and trick them into downloading malicious software.

Unfortunately, one employee did install a malicious application, believing it to be part of the recruitment process for a high-paying job at Crypto.com. That foothold enabled the attackers to exploit a vulnerability that let them forge authorized withdrawal requests from CoinsPaid's hot wallets. The stolen crypto was then laundered through a series of protocols and exchanges.

Because Lazarus Group is based in North Korea, there is very little chance its members will ever be brought to justice. As security researcher Taylor Monahan notes, this means they can act with impunity, and they often do not even bother to cover their tracks carefully once a hack is complete. Estimates suggest the group may be responsible for around $3 billion in total thefts.

Social Engineering

What was notable about this attack was not merely its technical sophistication, but the meticulous planning and groundwork laid by Lazarus Group, which gave the attackers deep insight into CoinsPaid's platform and allowed them to gain the trust of its employees.

While crypto users are generally now well aware of the dangers of clicking unknown links and exploring unsolicited offers for high-paying jobs, the many months of work set this attack apart from more casual phishing attempts.

CoinsPaid is now investing in further employee training to help prevent similar attacks in the future, but it is an uphill struggle against an adversary willing to invest this much time and effort in compromising high-value targets.
