CoinsPaid, a cryptocurrency payments company headquartered in Estonia, has raised suspicions that the Lazarus Group, a group of hackers from North Korea, managed to breach its systems by utilizing deceptive recruiters who targeted company employees.
According to an official blog post, CoinsPaid disclosed that the breach, which resulted in the theft of over $37 million on July 22, was orchestrated through a ruse wherein an employee was lured into downloading software under the pretense of a mock job interview, under the false guise of a technical assignment.
The company revealed that this employee fell victim to a job offer propagated by the hackers, subsequently downloading the malicious code that ultimately facilitated the malevolent actors in pilfering sensitive data and acquiring unauthorized entry into the infrastructure of the crypto company.
Funding North Korea’s Illicit Nuclear Program
Cryptocurrency thefts are suspected to provide financial backing for North Korea’s unorthodox nuclear weapons initiative, based on the analysis of specialists in the field. The Lazarus Group, recognized for its involvement in cyberattacks, frequently employs analogous hacking methodologies to target exchanges, blockchains, and mixers, even utilizing identical crypto wallet addresses.
We Know Exactly How Attackers Stole and Laundered $37M USD
CoinsPaid invited a partnership with @MatchSystems, in cooperation with law enforcement agencies and regulators, accompanies the process of returning stolen #crypto assets.
Read more: https://t.co/jLF3ICo603 pic.twitter.com/0gDy9CJcS7
— CoinsPaid (@coinspaid) August 7, 2023
This pattern of operation has led CoinsPaid to draw the inference that the infamous hacking collective, affiliated with the North Korean government, can be held accountable for the aforementioned hack.
CoinsPaid said:
“Having gained access to the CoinsPaid infrastructure, the attackers took advantage of a vulnerability in the cluster and opened a backdoor.”
The knowledge perpetrators obtained at the exploration stage enabled them to “reproduce legitimate requests for interaction interfaces” with the blockchain and “withdraw the company’s funds from our operational storage vault,” CoinsPaid added.
Bitcoin slightly above the key $29k level today. Chart: TradingView.com
Lazarus Group’s Six-Month Pursuit Of CoinsPaid
Over a span of six months, the Lazarus Group engaged in an intricate process of meticulously observing and researching CoinsPaid’s complex systems.
Their efforts encompassed a spectrum of attack methodologies, ranging from manipulative social engineering tactics to technically driven approaches such as Distributed Denial-of-Service assaults and relentless brute-force attempts — repeatedly submitting numerous passwords in the hopes of eventually stumbling upon the correct one.
The saga began in March, as the hackers initiated their assault on the firm. The company recounted the unceasing and remarkably aggressive barrage of spam and phishing campaigns directed at its team members during this period.
In response, CoinsPaid took the step of collaborating with Match Systems, a blockchain security firm, to trace the route of the stolen funds. The majority of these ill-gotten gains found their way to SwftSwap.
According to CoinsPaid, a multitude of facets within the hackers’ transactions bore striking resemblances to the modus operandi of Lazarus, akin to the $35 million breach of Atomic Wallet in the preceding month of June. The company affirmed its commitment to vigilantly monitor any movement associated with these pilfered funds.
Featured image from Kyodo/AP Photo