Estonia-based cryptocurrency payments firm CoinsPaid suspects North Korean hackers with the Lazarus Group gained access to its systems through fake recruiters targeting employees.
In an Aug. 7 blog post, CoinsPaid said the exploit that allowed hackers to steal more than $37 million on July 22 resulted from tricking one employee into downloading software during a fake job interview, leading them to believe they were completing a technical task. The firm reported that the worker responded to a job offer put out by hackers and downloaded the malicious code, allowing the bad actors to steal information and gain access to CoinsPaid’s infrastructure.
“Having gained access to the CoinsPaid infrastructure, the attackers took advantage of a vulnerability in the cluster and opened a backdoor,” said CoinsPaid. “The knowledge perpetrators gained at the exploration stage enabled them to reproduce legitimate requests for interaction interfaces with the blockchain and withdraw the company’s funds from our operational storage vault.”
We Know Exactly How Attackers Stole and Laundered $37M USD
— CoinsPaid (@coinspaid) August 7, 2023
In its July 26 post-mortem report of the hack, CoinsPaid said it suspected Lazarus Group. Prior to the $37-million exploit, the hackers had made several attempts to infiltrate the platform starting in March 2023, but switched their approach to “highly sophisticated and vigorous social engineering techniques” after multiple failures — targeting individual workers rather than the company itself.
CoinsPaid said it had partnered with blockchain security company Match Systems to track the stolen funds, the majority of which were transferred to SwftSwap. According to the firm, many aspects of the hackers’ transactions mirrored those of the Lazarus Group, as in the $35-million hack of Atomic Wallet in June. The company was continuing to monitor any movement of the funds as of Aug. 7.