CoinsPaid said it is now working with Estonian law enforcement and several blockchain security firms are assisting to minimize the impact of the July 22 exploit.
Cryptocurrency payments platform CoinsPaid has pointed the finger at North Korean state-backed Lazarus Group as being behind the hacking of its internal systems, which allowed them to steal $37.3 million on July 22.
“We suspect Lazarus Group, one of the most powerful hacker organisations, is responsible,” CoinsPaid explained in a July 26 post.
While CoinsPaid didn’t explain how the money was stolen exactly, the incident forced the firm to halt operations for four days.
CoinsPaid confirmed that operations are back up and running in a new, limited environment.
The firm added that customer funds remain intact but considerable damage was done to the platform and the firm’s balance sheet.
Despite the huge exploit, CoinsPaid believes the cybercrime organization were chasing a much larger sum:
“We believe Lazarus expected the attack on CoinsPaid to be much more successful. In response to the attack, the company’s dedicated team of experts has worked tirelessly to fortify our systems and minimize the impact, leaving Lazarus with a record-low reward.”
CoinsPaid filed a report with Estonian law enforcement three days after the hack to further investigate the exploit. In addition, blockchain security firms such as Chainalysis, Match Systems and Crystal assisted in CoinsPaid’s preliminary investigation over the first few days.
The firm’s CEO, Max Krupyshev is confident that the Lazarus Group will be held accountable for their actions.
“We have no doubt the hackers won’t escape justice.”
Blockchain security firm SlowMist believes the CoinsPaid hack may be linked to two recent hacks in Atomic Wallet and Alphapo, which were exploited to the tune of $100 million and $60 million respectively.
Lazarus Group targeting crypto devs
Online coding platform GitHub believes — with “high confidence” — that Lazarus Group is conducting a social engineering scheme targeted at workers in the cryptocurrency and cybersecurity sectors.
According to a July 26 post by cybersecurity platform Socket.Dev, Lazarus Group’s objective is to lure in these professionals and compromise their GitHub accounts with malware-infected NPM packages to infiltrate their computers.
The cybersecurity platform said the first point of contact is often on a social media platform like WhatsApp, where the rapport is built before the victims are led to clone malware-laden GitHub repositories.
Socket.Dev urged software developers to review repository invitations closely before collaborating and to be cautious when abruptly approached on social media to install npm packages.