In late July, a programmer at Estonia’s CoinsPaid, the world’s biggest crypto payment provider, met over video link with a recruiter who had reached out on LinkedIn with a lucrative job offer. During the 40-minute job interview, the engineer was asked to download a file to take a technical test, which he did on his work computer.
A few days later, on July 22, the CoinsPaid security team noticed a series of unusual withdrawals — money was quickly being drained from company accounts. By the time they were able to shut everything down and kick out the hackers four-and-a-half hours later, CoinsPaid had lost $37 million, and both the origin of the stolen crypto and the addresses of the digital wallets that received it had been carefully obscured.
“The attack itself was very quick. They are professionals,” Pavel Kashuba, co-founder and chief financial officer of CoinsPaid, said in an interview on Sunday.
The speed and methodology indicate that the operation may have been carried out by Lazarus, a hacking group connected to the North Korean government, according to CoinsPaid and investigators working for Match Systems. The North Korean consulate in Poland did not reply to a request for comment.
CoinsPaid, which says it processes around $1 billion worth of transactions per month, making it the world’s largest crypto payments provider, has provided Bloomberg News with a rare glimpse into how hackers have been able to steal hundreds of millions in tokens from blockchain companies around the world.
Lazarus Rises
The fake interview and subsequent hack were the culmination of an elaborate six-month operation in which hackers launched numerous denial-of-service and brute-force attacks, which probe networks for technical vulnerabilities that can then be exploited. In the run-up to the breach, hackers studied CoinsPaid closely, conducting phishing attacks and reaching out to multiple staff members with questions and job offers in order to gain access to internal systems, according to a company investigation.
To engage in corporate espionage at this scale, Kashuba said, “you need to have a huge amount of resources.”
It’s a playbook that the group has used before.
Over the past decade, Lazarus has been linked to ransomware attacks such as the 2017 WannaCry attack, which shut down 300,000 computers worldwide, including a third of the UK’s secondary care hospitals, and the 2014 hack of Sony Pictures Entertainment. In 2019, the US Treasury sanctioned the organization for hacking military, financial and critical infrastructure. Many experts believe that Lazarus was set up to funnel foreign currency into North Korea.
In recent years, the group has increasingly targeted the cryptocurrency sector to help finance Pyongyang’s weapons development programs. Global losses related to crypto theft rose to a record $3.8 billion in 2022, according to blockchain analysis firm Chainalysis Inc.
“Signature Approach”
While many companies rely on blockchain technologies to protect their systems, social engineering — that is, manipulating people — remains a major vulnerability. According to a post-mortem report published by the company, the CoinsPaid engineer was targeted by somebody claiming to be a recruiter for the currency exchange Crypto.com and offering a salary of up to $30,000 per month, several times the market rate. CoinsPaid is not sure whether the interviewer was a real person or an AI simulation.
As soon as the engineer downloaded the file, hackers were able to gain remote access to the CoinsPaid system, which enabled them to withdraw funds from active cryptocurrency wallets and almost immediately begin laundering crypto. To do this, they used the Sinbad mixer and various swap services, which blend and exchange different cryptocurrencies to make it more difficult to identify where a given token came from. In the end, CoinsPaid lost roughly 18 months’ worth of profits. The programmer is still employed at the company.
“We understand pretty well that this is Lazarus Group,” Kashuba said. “This is their signature approach.”
In June, hackers stole $100 million from another Estonia-based crypto service, using similar techniques to launder the stolen tokens. Both cases are being investigated by authorities, but customers of the service that was targeted in June have filed a lawsuit in the US against the company, claiming that it failed to address previously flagged cybersecurity vulnerabilities.
While the Baltic country once sought to become a European crypto hub, that changed after US authorities sanctioned two of Estonia’s largest crypto players for having links to ransomware. Now, Estonian officials are reining in the technology. Regulators have slashed the number of licenses for crypto companies dramatically, and there are currently only 100 operating in Estonia.
(The fourth paragraph corrects the name of the security company, and the sixth paragraph adds information.)