CoinsPaid sees humans as the ‘weakest link’ when it comes to emerging hacking threats



On July 22, CoinsPaid fell victim to a “meticulously planned” hack — a cyberattack six months in the making with social engineering to blame, according to the crypto payment processor’s co-founder and CEO Max Krupyshev.

“It’s evident from the nature of this attack that the human element remains the weakest link in the system, as our wallets were not compromised,” Krupyshev said in a recent interview with The Block.

CoinsPaid reimbursed its gambling-focused clients for the $37.3 million in losses from its own reserves, impacting the firm’s profitability but helping to restore the platform’s operations within two days.

“CoinsPaid promptly reimbursed our clients for the losses incurred from our own reserves,” Krupyshev said. “This decision did impact the company’s profitability, but within two days following the hack, we successfully resumed normal operations and managed to restore liquidity.”

Behind the scenes, CoinsPaid’s programmers reconstructed the system on alternate servers and rewrote the infrastructure code within that time to minimize the damage, Krupyshev added. However, there were concerns from some customers regarding a perceived initial silence on the matter.

‘Keep calm’

“Please, keep calm. Everything is ok right now, we are working on all the requests,” CoinsPaid replied to one customer on X (formerly Twitter) at the time. “Our team is aware of the issue. We apologize for the inconvenience. Our technical team is working on a solution. Please wait for the official announcement on this topic. We do our best to resolve the issue as soon as possible,” it responded to another query.

Krupyshev said the company sent out a warning to all its clients on the day of the attack. That was followed up by an official statement four days later on July 26 and a further in-depth explanation of how the attack was carried out on Aug. 7.

In collaboration with cybersecurity firm Match Systems, CoinsPaid traced the funds, took measures to try to freeze them and worked to identify the services used to launder them, Krupyshev added.

Lazarus Group’s suspected involvement

Parallels between the CoinsPaid hack and patterns observed in previous Lazarus Group attacks have raised suspicions about the North Korean regime-linked cybercrime group’s involvement.

“As the investigation remains ongoing, we’re unable to share specific details about its progress,” Krupyshev said. “However, what we can share at this point is that our suspicion arose from the consistent withdrawal schemes observed in the targets of the Lazarus Group’s attacks, including the Atomic Wallet heist.”

Shortly after the attack, Casa CTO Jameson Lopp suggested that the CoinsPaid exploit may also be linked to the Alphapo hack that occurred at the same time, with on-chain sleuth ZachXBT telling The Block that the teams behind Alphapo and CoinsPaid were one and the same. Alphapo is another crypto payment processor, managing transactions for online gambling platforms such as HypeDrop, Bovada and Ignition. ZachXBT also said the Lazarus Group may be connected to the hack.

Krupyshev declined to comment on any connection to Alphapo and on whether the attacks on both platforms were linked.

Lessons learned from the hack

Social engineering exploits have been prevalent in the crypto space for some time. However, advancements in social networks and AI meant that CoinsPaid’s vulnerability to manipulative attacks on individuals rather than systems had increased, and the entire crypto industry needs to adopt different approaches to combating such attacks, Krupyshev said.

“We’ve consistently organized comprehensive training sessions to educate our team members on these issues, and our security team has diligently worked to instill a sense of vigilance,” Krupyshev added. “However, the recent attack has reinforced the notion that there’s no ultimate limit to the pursuit of security measures.”

CoinsPaid is now taking steps to improve employee education on advanced social engineering, such as luring with fake job offers, bribery or seemingly innocuous tech inquiries to gain access to a company’s infrastructure, as happened in this case. It is also changing access rights for its operational processes to limit exposure risks, Krupyshev explained.

Collaborations with white hat hackers are also in the pipeline to ensure system robustness.

CoinsPaid’s call to action

Companies in the crypto space must remain vigilant against the advancement of social engineering and phishing threats, Krupyshev warned. Regular employee training sessions, robust monitoring systems and transparency with clients are paramount, he added, though such attacks are not to be “feared blindly.”

“With this in mind, we have a duty to come together and stand as a united front against hackers,” Krupyshev concluded. “Measures should be taken for companies to collaborate, pool their knowledge and develop better security practices to guard against hacker attacks in the future.”

