Hackers used fake job interview to trigger $37M CoinsPaid hack
A July hack that siphoned nearly $40 million from CoinsPaid, one of the world’s biggest crypto payment providers, was reportedly triggered by a fake 40-minute job interview.
Hackers thought to be working with infamous North Korean cybercrime collective Lazarus apparently spent months probing the Estonia-based firm’s systems and security before launching the attack.
As reported by Bloomberg, the hackers posed as a recruiter and reached out to a CoinsPaid employee with a tempting job offer, supposedly on behalf of Singapore-based exchange Crypto.com. During the interview, the employee, instructed by the fake recruiter, downloaded a malicious file onto his work computer, believing he was about to take a technical test.
Instead, money started to disappear from the CoinsPaid platform and despite the firm shutting down the hackers within a few hours, $37 million had already been leeched from its crypto wallets.
Read more: US Treasury sanctions OTC traders for aiding Lazarus hackers
In a press release issued just a few days after the attack, CoinsPaid said that it suspected Lazarus Group of being responsible.
CoinsPaid co-founder and chief financial officer, Pavel Kashuba, told Bloomberg, “The attack itself was very quick. They are professionals.” Kashuba also claimed that July’s hack was typical of the group’s “signature approach.”
As detailed in a CoinsPaid statement, the operation that led to the eventual attack took shape over six months with Lazarus “learning all possible details about CoinsPaid, our team members, our company’s structure, and so on.”
The statement also pointed out that, while the hackers did gain access to CoinsPaid’s infrastructure, they were unable to access customer funds directly.
“The hackers gained access that allowed them to create authorized requests to withdraw funds from CoinsPaid hot wallets,” it read.
“Perceiving such requests as valid, they were sent to the blockchain for further processing. However, the perpetrators were not able to breach our hot wallets and acquire private keys to access funds directly.”
Once the funds had been drained, the attackers reportedly used Sinbad mixer and various swap services to obfuscate the trail of stolen crypto and the receiving digital wallets. Kashuba told Bloomberg, “You need to have a huge amount of resources to engage in such large-scale corporate espionage.”
Got a tip? Send us an email or ProtonMail. For more informed news, follow us on Twitter, Instagram, Bluesky, and Google News, or subscribe to our YouTube channel.
Edit 14:15 UTC, Aug 8: Updated article to explain that while hackers were able to access CoinsPaid’s infrastructure, they were unable to access funds directly.