Hackers from the Lazarus group spent half a year looking for CoinsPaid’s weak points

Estonian cryptocurrency payment service provider CoinsPaid has discovered that hackers from the notorious Lazarus group, which is funded by the North Korean government, spent six months investigating the platform before finally attacking it on July 22.

The Lazarus group prepared meticulously for the attack.

CoinsPaid recently partnered with cybersecurity firm Match Systems to track the perpetrators’ moves almost minute by minute. A press release shared by CryptoPotato reported that hackers from the Lazarus Group spent half a year trying to infiltrate CoinsPaid’s systems and find vulnerabilities.

The company admitted that from March to July it was the target of continuous, mostly unsuccessful attacks of various kinds. The hackers used social engineering, DDoS attacks and brute-force attacks (systematically guessing passwords or cryptographic keys).

At one point, the company’s engineers were even contacted by an entity posing as a Ukrainian startup working on cryptocurrency processing. It sent them a series of questions about the platform’s infrastructure. This was an attempt to elicit key technical information under a business pretext.

In April and May of this year, CoinsPaid noticed four significant attacks on its systems. They were aimed at gaining unauthorized access to accounts belonging to both the company’s employees and its customers. These “spam and phishing” activities were said to be “continuous and very aggressive.”

It doesn’t end there. In June and July, the hackers tried to break into systems using… fictitious job offers. This is a well-known method, in which the attackers try to get the person they are “recruiting” to install malware on their computer. It is most often aimed at senior IT specialists in the targeted company.

The criminals then launched a direct attack on the CoinsPaid infrastructure and application on July 7. It took place between 20:48 and 21:42 and was accompanied by an unprecedented spike in network activity: over 150,000 different IP addresses were involved.

It was not until July 22 that hackers managed to break into the company’s infrastructure, resulting in losses of $37.5 million.

How was the attack carried out?

The attackers used various social engineering techniques to gain access to an employee’s computer. The employee responded to a job offer from someone posing as a Crypto.com recruiter. He was then given a test task that required him to install an application, which was in fact malware. As a result, credentials were stolen from his computer, and these were used in the break-in.

Internal security measures triggered an alarm system and allowed us to quickly stop the malicious activity and kick the hackers off the company’s systems.

– CoinsPaid reported, further stating that it complied with KYC measures and used various risk assessment systems to detect suspicious activity. Despite this, the perpetrators managed to steal the funds and launder them.

According to 2022 data, Lazarus hackers have stolen over $1 billion worth of digital assets since 2017.