The cryptocurrency payments platform CoinsPaid has resumed full operations after a sophisticated breach attributed to North Korea’s Lazarus Group resulted in the theft of $37.3 million. The attack, which occurred on July 22, 2023, forced the platform to suspend services for four days while forensic investigators from Crystal, Chainalysis, and Match Systems worked to trace the stolen funds and assess the full scope of the damage.
The Exploit Mechanics
According to CoinsPaid’s press release published on July 26, the Lazarus Group executed a multi-stage social engineering campaign targeting employees within the cryptocurrency ecosystem. The attackers leveraged sophisticated phishing techniques to gain initial access to internal systems, eventually compromising key operational infrastructure. GitHub’s threat intelligence reports indicate that Lazarus has been running an ongoing social engineering scheme specifically focused on operators within the cybersecurity and cryptocurrency space, making CoinsPaid one of several high-profile victims in a coordinated campaign.
The attack vector involved a carefully crafted recruitment lure — a tactic Lazarus has refined over multiple campaigns. Once initial access was established, the group moved laterally through CoinsPaid’s network, identifying and extracting funds from hot wallet infrastructure. The speed and precision of the operation reflect years of refinement by the North Korean cyber collective, which has been linked to attacks spanning over 30 countries.
Affected Systems
CoinsPaid’s hot wallet systems bore the brunt of the attack. However, the company has stated that no client funds were lost in the breach — only the platform’s own treasury was affected. The $37.3 million loss represents a significant hit to the company’s balance sheet, but CoinsPaid CEO Max Krupshev has publicly committed to full recovery and continued operations.
The breach adds CoinsPaid to a growing list of Lazarus Group victims that includes some of the largest heists in cryptocurrency history. Previous targets include Axie Infinity’s Ronin Bridge ($625 million), Horizon Bridge ($100 million), Atomic Wallet ($100 million), Alphapo ($23 million), and the infamous Sony Pictures attack. The collective’s total haul from cryptocurrency-related attacks alone now exceeds $1 billion, according to blockchain analytics firms tracking North Korean wallet activity.
The Mitigation Strategy
In response to the breach, CoinsPaid has implemented enhanced security protocols, including upgraded wallet management procedures and additional authentication layers. The company filed a formal report with Estonian law enforcement and has been cooperating with international agencies to trace and potentially recover the stolen funds.
CoinsPaid has also announced plans to host a roundtable discussion with other victims of Lazarus Group attacks, inviting major exchanges including Binance, Bitfinex, Kraken, OKX, and Coinbase to participate. The initiative aims to develop novel approaches to preventing and mitigating state-sponsored cyberattacks against cryptocurrency infrastructure.
Lessons Learned
The CoinsPaid breach underscores several critical security realities. First, hot wallets remain the primary target for sophisticated threat actors. Second, social engineering attacks against cryptocurrency companies are becoming increasingly targeted and convincing — Lazarus operatives spend weeks or months building rapport before executing their payload. Third, the speed of fund movement after a breach makes real-time monitoring and rapid response essential.
For the broader industry, the attack highlights the need for collaborative defense mechanisms. Individual platforms, no matter how well-secured, remain vulnerable to nation-state-level threats. The proposed roundtable initiative could mark a meaningful shift toward collective security in the cryptocurrency sector.
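The third lesson above, real-time monitoring of hot-wallet outflows with a rapid, automatic response, can be illustrated with a small monitor. This is an added example, not CoinsPaid's code; the wallet ids, addresses, amounts and limits are constructed, and the design (a sliding-window velocity limit per wallet plus a first-seen-destination flag) is one common pattern, not a description of what CoinsPaid deployed.

```python
from collections import deque
from dataclasses import dataclass

# Hypothetical hot-wallet outflow monitor (added example, not CoinsPaid code).
# Two signals a responder wants before funds leave: outflow velocity per wallet
# over a sliding window, and transfers to destinations never seen before.

@dataclass
class Transfer:
    ts: int          # unix seconds
    wallet: str      # internal hot-wallet id
    dest: str        # destination address
    amount: float    # value in one reference unit (e.g. USD equivalent)

class OutflowMonitor:
    def __init__(self, window_s: int, window_limit: float, known_dests):
        self.window_s = window_s
        self.window_limit = window_limit
        self.known = set(known_dests)
        self._recent: dict[str, deque] = {}   # wallet -> deque of (ts, amount)
        self.frozen: set[str] = set()

    def check(self, t: Transfer) -> list[str]:
        """Return alert codes for t. VELOCITY_LIMIT and WALLET_FROZEN block the
        transfer; NEW_DESTINATION alone is informational."""
        if t.wallet in self.frozen:
            return ["WALLET_FROZEN"]
        alerts = []
        q = self._recent.setdefault(t.wallet, deque())
        while q and t.ts - q[0][0] > self.window_s:   # expire old entries
            q.popleft()
        windowed = sum(a for _, a in q) + t.amount
        if t.dest not in self.known:
            alerts.append("NEW_DESTINATION")
        if windowed > self.window_limit:
            alerts.append("VELOCITY_LIMIT")
            self.frozen.add(t.wallet)   # rapid response: pause further outflow
        else:
            q.append((t.ts, t.amount))
        return alerts

# Constructed sample: routine payouts, then a burst to an unseen address.
SAMPLE = [
    Transfer(0,   "hot-1", "addrA", 1_000.0),
    Transfer(60,  "hot-1", "addrB", 2_500.0),
    Transfer(120, "hot-1", "addrZ", 50_000.0),  # large, first-seen destination
    Transfer(130, "hot-1", "addrZ", 50_000.0),  # attempt to continue the drain
    Transfer(900, "hot-2", "addrA", 500.0),
]

def run(monitor: OutflowMonitor, transfers) -> list:
    return [(t.ts, monitor.check(t)) for t in transfers]

if __name__ == "__main__":
    m = OutflowMonitor(600, 20_000.0, {"addrA", "addrB"})
    for ts, alerts in run(m, SAMPLE):
        print(ts, alerts or "ok")
```

In a real deployment the limit would be set from the wallet's normal payout profile and the freeze would page an on-call responder rather than only flip a flag.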
User Action Required
CoinsPaid users should monitor their accounts for any unauthorized activity, though the company has confirmed that no client funds were compromised. All users of cryptocurrency platforms should enable two-factor authentication, verify the legitimacy of any communications purporting to be from their service providers, and consider moving significant holdings to cold storage solutions rather than keeping funds in exchange-controlled hot wallets.
Disclaimer: This article is for informational purposes only and does not constitute financial or security advice. Always conduct your own research and consult with qualified professionals.
lazarus using fake job offers to phish crypto employees is next level social engineering. they sent a legit looking pdf that was actually malware smh
the fake job offer vector is way more common than people think. linkedin recruiters approaching crypto employees with malware-laced pdfs, been happening since 2022
lazarus has been running the same fake recruiter playbook since 2020. the fact that it still works says more about crypto hiring practices than their sophistication
chaineye_ the fake recruiter playbook still works because crypto pays 2x market rate. greed beats skepticism every time
the fake recruiter spent weeks building rapport before sending the malware pdf. it's not greed, it's patient tradecraft
$37.3M is bad but honestly could have been way worse for a payment processor. The 4 day shutdown was probably necessary but brutal for their users.
lazarus is responsible for over $2B in crypto thefts at this point and they just keep getting better at it
^ and chainalysis can trace all they want but once it hits a mixer or crosses to a DEX the trail goes cold fast
four days of suspended operations for a payment processor handling who knows how much volume. the reputational damage alone probably cost more than the $37.3M
reputational damage for a payment processor is existential. merchants don't care about your forensic investigation, they care about whether their payments go through
lazarus extracted 37.3M with a fake job offer PDF and people still click on recruiter messages without thinking. unreal
4 day shutdown for a payment processor is basically a death sentence. merchants don't wait around
4 day shutdown for a crypto payment processor is brutal. merchants don't care about your forensic report, they just switch providers
four day shutdown for a payment processor is basically a death sentence. merchants don't care about your forensic investigation, they care about whether their payments go through