On July 22, CoinsPaid fell victim to a "meticulously planned" hack — a cyberattack six months in the making with social engineering to blame, according to the crypto payment processor's co-founder and CEO Max Krupyshev.
"It's evident from the nature of this attack that the human element remains the weakest link in the system, as our wallets were not compromised," Krupyshev said in a recent interview with The Block.
CoinsPaid reimbursed its gambling-focused clients for the $37.3 million in losses from its own reserves, impacting the firm’s profitability but helping to restore the platform’s operations within two days.
"CoinsPaid promptly reimbursed our clients for the losses incurred from our own reserves," Krupyshev said. "This decision did impact the company's profitability, but within two days following the hack, we successfully resumed normal operations and managed to restore liquidity."
Behind the scenes, CoinsPaid's programmers reconstructed the system on alternate servers and rewrote the infrastructure code within that time to minimize the damage, Krupyshev added. However, there were concerns from some customers regarding a perceived initial silence on the matter.
"Please, keep calm. Everything is ok right now, we are working on all the requests," CoinsPaid replied to one customer on X (formerly Twitter) at the time. "Our team is aware of the issue. We apologize for the inconvenience. Our technical team is working on a solution. Please wait for the official announcement on this topic. We do our best to resolve the issue as soon as possible," it responded to another query.
Krupyshev said the company sent out a warning to all its clients on the day of the attack. That was followed up by an official statement four days later on July 26 and a further in-depth explanation of how the attack was carried out on Aug. 7.
In collaboration with cybersecurity firm Match Systems, CoinsPaid traced and took measures to try and freeze the funds and identify the services used to launder them, Krupyshev added.
Lazarus Group's suspected involvement
Parallels between the CoinsPaid hack and patterns observed in previous Lazarus Group attacks have raised suspicions about the North Korean regime-linked cybercrime group's involvement.
"As the investigation remains ongoing, we're unable to share specific details about its progress," Krupyshev said. "However, what we can share at this point is that our suspicion arose from the consistent withdrawal schemes observed in the targets of the Lazarus Group's attacks, including the Atomic Wallet heist."
Shortly after the attack, Casa CTO Jameson Lopp suggested that the CoinsPaid exploit may also be linked to the Alphapo hack that occurred at the same time, with on-chain sleuth ZachXBT telling The Block that the teams behind Alphapo and CoinsPaid were one and the same. Alphapo is another crypto payment processor, managing transactions for online gambling platforms such as HypeDrop, Bovada and Ignition. ZachXBT also said the Lazarus Group may be connected to the hack.
Krupyshev initially declined to comment regarding any connection to Alphapo and if the attacks on both platforms were linked. However, he later contacted The Block to add, "CoinsPaid is not connected to Alphapo in any way. CoinsPaid just was attacked at the same time via the same scheme."
Lessons learned from the hack
Social engineering exploits have been prevalent in the crypto space for some time. However, advances in social networks and AI have increased CoinsPaid's vulnerability to manipulative attacks that target individuals rather than systems, and the entire crypto industry needs to adopt different approaches to combating them, Krupyshev said.
"We've consistently organized comprehensive training sessions to educate our team members on these issues, and our security team has diligently worked to instill a sense of vigilance," Krupyshev added. "However, the recent attack has reinforced the notion that there's no ultimate limit to the pursuit of security measures."
CoinsPaid is now taking steps to improve employee education on advanced social engineering, such as luring staff with fake job offers, bribery or seemingly innocuous tech inquiries in order to gain access to a company's infrastructure, as happened in this case. It is also changing access rights for its operational processes to limit exposure, Krupyshev explained.
Collaborations with white hat hackers are also in the pipeline to ensure system robustness.
CoinsPaid's call to action
Companies in the crypto space must remain vigilant against the advancement of social engineering and phishing threats, Krupyshev warned. Regular employee training sessions, robust monitoring systems and transparency with clients are paramount, he added, though such attacks are not to be "feared blindly."
"With this in mind, we have a duty to come together and stand as a united front against hackers," Krupyshev concluded. "Measures should be taken for companies to collaborate, pool their knowledge and develop better security practices to guard against hacker attacks in the future."
Updated with Krupyshev's comment on Alphapo.
© 2023 The Block. All Rights Reserved. This article is provided for informational purposes only. It is not offered or intended to be used as legal, tax, investment, financial, or other advice.