The CoinsPaid phishing attack in 2023 was the most expensive cyberattack against an Estonian company, with hackers stealing over $37 million from CoinsPaid’s hot wallet.
CoinsPaid is an Estonian cryptocurrency payment solution that lets online businesses and merchants pay and accept payments in cryptocurrencies. They have released a detailed description of the attack, available here.
The CoinsPaid phishing attack was most likely carried out by the Lazarus group, allegedly run by the government of North Korea. The group spent over 6 months probing and collecting information through various attacks in order to penetrate CoinsPaid's systems.
CoinsPaid phishing attack initiation
The wave of attacks started in March 2023, when different types of attacks began. CoinsPaid received a large number of social engineering, DDoS and brute-force attacks. At the end of March, key CoinsPaid engineers received requests from a supposed Ukrainian crypto payment gateway containing questions about CoinsPaid's infrastructure. During the following months CoinsPaid received constant targeted phishing attacks against its employees.
The attackers were focused on gathering information that would help them carry out the attacks. Knowledge of co-workers and internal processes plays a big part in appearing believable and deceiving other employees, and any information about the infrastructure is valuable for following through with the attack once access has been gained through social engineering.
CoinsPaid phishing attack development
In June and July, CoinsPaid employees started receiving offers from companies proposing positions with appealing salaries. These employees were unaware that the offers were personalized fake-hiring phishing attacks. The attackers posed as other crypto companies such as crypto.com and used various channels to contact the employees and offer them attractive positions with high salaries.
The attackers used various channels, including LinkedIn and messaging apps, to deliver the job offers. Some team members were even offered over 24 000 USD in monthly salary. According to LinkedIn, the majority of CoinsPaid employees are in Eastern European countries such as Poland and Estonia, where the average salary is over ten times lower. Offers that seem too good to be true are meant to make employees emotional and excited, which causes them to lower their guard.
At least one CoinsPaid employee participated in the fake job interview. The employee was given a test exercise that required them to install an application named JumpCloud Agent. JumpCloud is a directory platform used to authenticate, authorise, and manage users and devices, and it was hacked by the Lazarus group in July 2023. After the test exercise was opened, profiles and keys were stolen, which allowed the group to establish a connection to CoinsPaid's infrastructure. The attackers then used the information gathered during the exploration stage and took advantage of an existing vulnerability to open a backdoor.
Withdrawing funds and the financial impact of the CoinsPaid phishing attack
The exploration stage also helped the attackers reproduce requests to the interfaces used to interact with the blockchain, moving CoinsPaid funds out of the storage vault. These requests appeared valid and were therefore sent for processing. The attackers moved over 100 million USD through a scheme of different crypto mixing services. Bitcoin was laundered through the Sinbad mixer, which is claimed to be the most popular mixer used by North Korean hackers. Through several dozen criminal cases CoinsPaid managed to retrieve over 70 million USD, which means that about 37 million USD remains lost.
Humans remain the weakest link
The attack consisted of several successful phishing attacks together with attempts to bribe CoinsPaid staff and distributed denial-of-service attacks aimed at CoinsPaid's servers. In essence, social engineering was instrumental in the attack. Pavel Kashuba, CFO of CoinsPaid, emphasized the need for exchanges to pay attention to digital hygiene and to give staff adequate training against all kinds of cybercrime. CoinsPaid CEO Max Krupyshev stated that "Humans remain the weakest link".
Phishing attacks keep getting better
Companies located in smaller countries like Estonia and the other Baltic states were somewhat protected by the umbrella of local languages when it came to phishing attacks. Large language models have already changed that. Since the launch of ChatGPT in 2022, vishing, smishing, and phishing attacks have increased by 1,265% (https://www.helpnetsecurity.com/2024/02/29/mobile-fraud-losses/). LLMs and the supporting services used by bad actors make it possible to automatically generate spear-phishing attacks in local languages as well.
Although CoinsPaid has not stated in which languages the attacks were carried out, it seems likely that some attacks were in the employees' native languages: Estonian, Polish, or Ukrainian.
CoinsPaid faced further phishing attacks this year
On January 6, the Web3 security firm Cyvers reported that CoinsPaid had been hacked again. It identified unauthorized transactions amounting to 7.5 million USD, although this time the loss was estimated at around 6.1 million USD.
Continuous phishing training matters
In our recent article, where we put together a comprehensive guide for choosing the right phishing training, we also highlighted that it is necessary to test and train employees constantly, as one-time tests prove less effective than continuous phishing training. Given the example of CoinsPaid, continuous phishing training has become essential.