Incident Name: CoinsPaid Social Engineering Attack
Date of Report: August 7th, 2023
Date of Incident: July 22nd, 2023
CoinsPaid, one of the world’s largest cryptocurrency payment providers, suffered a cyber attack on July 22, 2023, which resulted in the theft of $37.3 million. The company suspects that the North Korean APT Lazurus group, which is known to target crypto firms, is behind this attack. Although it is reported that customer funds were not impacted, CoinsPaid’s platform and revenue were affected, and the incident required CoinsPaid to shut down operations temporarily. At the time, the company launched an investigation to track and mark the stolen funds with the help of other crypto companies.
CoinsPaid released a detailed report on how the attack unfolded on August 7, 2023. The company found that the hacker group spent six months trying to gain access. This included aggressive phishing attempts on CoinsPaid team members, bribery and fake-hiring campaigns, and DDoS attempts. On July 22, the group was finally able to gain access. CoinsPaid stated that because it was not possible to hack the company’s systems externally without gaining access to an employee’s computer, the group leveraged its extensive reconnaissance to conduct highly sophisticated social engineering campaigns. During these campaigns, one CoinsPaid employee received a fake job offer from crypto.com and, during the interview process, received a test assignment that required the installation of an application that was malicious. Once this application was installed, profiles and keys were stolen from the employee’s computer and the attackers gained access to the infrastructure. Once inside, the group found a vulnerability and exploited this to open a backdoor. The attackers then used knowledge gained from their recon of CoinsPaid to withdraw funds.
Key Social Engineering/OSINT Themes:
- Recon – CoinsPaid employee and organizational information was harvested. The threat actor leveraged exposed employee information to conduct a social engineering attack.
- Fake Job Posting pretext – The threat actor targeted the employee with a fake cryptocurrency job advert.
- Phishing – Using the job offer pretext, the threat actor socially engineered the employee into taking part in an interview assessment where they were prompted to install malicious software, which led to the compromise of CoinsPaid.
Picnic’s Recommended Remediations:
For detailed remediations, see the HASP Framework.
High Risk Employees
- HASP Framework 1.1 — Identify high-value employee targets
- HASP Framework 1.3 — Conduct social engineering risk assessments for high-value employee targets
- HASP Framework 1.5 — Establish and implement procedures for high-value employee targets
- HASP Framework 1.7 — Increase detection and monitoring for high-value employee targets
Exposed Employee PII
- HASP Framework 2.1 — Identify exposed employee PII
- HASP Framework 2.2 — Reduce exposed employee PII
- HASP Framework 3.7 — Restrict service account access
- HASP Framework 3.8 — Monitor for account takeover (including real-time alerts on exposed credentials)
- HASP Framework 3.9 — Monitor for MFA configuration changes
- HASP Framework 3.10 — Monitor for new MFA registrations
Exposed Remote Services
- HASP Framework 4.2 — Identify exposed shadow IT
- HASP Framework 4.4 — Manage shadow IT / remote access
Indicators of Attack
- HASP Framework 7.1 — Monitor for suspicious external accounts
- HASP Framework 7.2 — Request takedowns for suspicious external accounts
- HASP Framework 7.3 — Alert your organization about suspicious external accounts
- HASP Framework 7.4 — Monitor for suspicious domains
- HASP Framework 7.5 — Block suspicious domains
- HASP Framework 8.1 — Train employees on social engineering attacks
- HASP Framework 8.2 — Provide employees social engineering phishing simulation training
- HASP Framework 8.4 — Build and establish social engineering policies, processes, and procedures
Related Hacks: Coinbase
Breach Notice/Company Notice:
- CoinsPaid is back to processing after being hit by a hacker attack. Client funds were not affected and are fully available
- The CoinsPaid Hack Explained: We Know Exactly How Attackers Stole and Laundered $37M USD