CoinsPaid phishing attack – 37M USD in damages

Table of Contents

North Korea leader using computer

The CoinsPaid phishing attack in 2023 was the most expensive cyberattack against an Estonian company, with hackers stealing over $37 million from CoinsPaid’s hot wallet.

CoinsPaid is an Estonian cryptocurrency payment solution providing services for online businesses and merchants to pay and accept payments in cryptocurrencies. They have released a detailed description about the attack available here.

CoinsPaid phishing attack was most likely carried out by the Lazarus group allegedly run by the government of North Korea. They spent over 6 months probing and collecting information through various attacks to penetrate Coinspaid’s systems. 

CoinsPaid phishing attack initiation

The wave of attacks started in March 2023 when different types of attacks begun. They received a large amount of social engineering, DDoS and brute force attacks. In the end of March, the key engineers of CoinsPaid received requests from a supposed Ukrainian crypto payment gateway containing questions about CoinsPaid infrastructure. During the next months CoinsPaid received constant targeted phishing attacks against its employees.

Attackers were focused on receiving relevant information to help them carry out the attacks. Information about co-workers and inner processes can play a big part in the mission to seem believable and deceive other employees. Any information about the infrastructure is valuable to go through with the attack after gaining access through social engineering. 

CoinsPaid phishing attack development

In June and July employees of CoinsPaid started getting offers by companies offering them positions with appealing salaries. But these employees were unaware that these were personalized fake hiring phishing attacks. Attackers claimed the aliases of other crypto companies such as and used various channels to contact the employees to offer them attractive positions with high salaries. 

The attackers used various channels, including LinkedIn and Messaging apps to deliver the job offers. Some team members were even offered over 24 000 USD in monthly salaries. According to LinkedIn the majority of CoinsPaid employees are in Eastern European countries such as Poland and Estonia, where the average salary is over ten times less. These kinds of offers that seem too good to be true were meant to make the employees more emotional and excited that caused them to lower their guard.

At least one of CoinsPaid employees participated in the fake job interview. The employee was given a test exercise which required them to install an application named JumpCloud Agent. JumpCloud is a directory platform used to authenticate, authorise, and manage users and devices, which was hacked by the Lazarus group in 2023 July. After opening the test exercise profiles and keys were stolen which allowed the group to establish a connection with the infrastructure of CoinsPaid. The attackers used information gained from the exploration stage and took advantage of an existing vulnerability to open a backdoor.

Withdrawing CoinsPaid phishing attack financial impact

The exploration stage also helped the attackers to reproduce requests for interaction interfaces with blockchain to move CoinsPaid funds from storage vault. These requests appeared valid and were thus sent to processing. The attackers moved over 100 million USD through a scheme of different crypto mixing services. Bitcoin was laundered through the Sindbad mixer, which is claimed to be the most popular mixer used by North Korean hackers. Through several dozens of criminal cases CoinsPaid managed to retrieve over 70 million USD which means that about 37 million USD remains lost. 

Humans remain the weakest link

The attack consisted of several successful phishing attacks together with attempts to bribe CoinsPaid staff and distributed denial-of-service attacks aimed at CoinsPaid servers. In essence, social engineering was instrumental in the attack. Pavel Kashuba CFO of CoinsPaid emphasized the need for exchanges to pay attention to digital hygiene and adequate training for the staff for all kinds of cybercrime.  CoinsPaid  CEO Max Krupyshev stated that “Humans remain the weakest link”.

Phishing attacks keep getting better

Companies located in smaller countries like Estonia and other Baltic states were somewhat protected by the umbrella of local languages when it comes to phishing attacks. But large language models have already changed that. Since the launch of ChatGPT in 2022 vishing, smishing, and phishing attacks have increased by 1,265%. ( LLMs and supporting services used by bad actors make it possible to automatically generate spear phishing attacks in local languages as well. 

Although Coinspaid has not stated in which languages the attacks were carried out, it seems likely that some attacks may have been in native languages of the employees: Estonian, Polish, or Ukrainian.

CoinsPaid faced this year nexts phishing attacks

On January 6 a Web3 security firm Cyvers’ reported that Coinspaid was again hacked. They identified unauthorized transactions in the amount of 7.5 million USD. But this time the loss was estimated to be around 6.1 million USD.

Continuous phishing training matters 

In our recent article where we put together a comprehensive guide for choosing the right phishing training we also highlighted that it is necessary to constantly test, and train employees as one-time tests prove to be not as effective as continuous phishing training. Given the example of Coinspaid it has become essential to carry out continuous phishing training.  

You’ll probably also like

Dive deeper into the topic by checking out our related posts.
Security training picture

Phishing training: Protecting yourself and your organization

Phishing training empowers people and organizations to spot and stop these cyber threats.  Here's a guide on what good phishing training involves.
North Korea leader using computer

CoinsPaid phishing attack – 37M USD in damages

The CoinsPaid phishing attack in 2023 was the most expensive cyberattack against an Estonian company, with hackers stealing over $37 million from CoinsPaid's hot wallet.
Phishbite co-founders at Latitude59

Welcome to the Phishbite Blog

We're thrilled to announce the launch of our new blog. Where will share valuable information about phishing and cybersecurity in general.

Sign up and get a 14-day free trial!

Create an account to access Phishbite services. You can cancel your subscription at any time. No credit card is required. 
A 14-day trial starts after activating the service.