
CoinsPaid Loses $7.5 Million in Second Major Hack Within Six Months

On January 6, 2024, the Estonian crypto payment processor CoinsPaid confirmed a cybersecurity incident that resulted in the theft of approximately $7.5 million in digital assets. The attack marks the second major breach for the company in less than six months, following a $37.3 million social engineering attack in July 2023 that security researchers attributed to the North Korean Lazarus Group. As Bitcoin trades near $43,989 and Ethereum hovers around $2,241, the incident underscores that even established payment infrastructure remains vulnerable to determined adversaries.

The Exploit Mechanics

According to available reports, the attacker gained unauthorized access to CoinsPaid systems and executed multiple fraudulent transactions. The threat actor exchanged approximately 97 million CPD tokens for ETH, extracting roughly $368,000 worth of Ethereum before transferring the proceeds to externally owned wallets. The remaining losses spanned multiple cryptocurrencies, bringing the total damage to an estimated $7.5 million.

The method of intrusion shares patterns with the earlier July 2023 attack, where Lazarus Group operatives spent months cultivating a fake company persona and luring a CoinsPaid employee through a simulated job interview process. That social engineering campaign ultimately tricked the employee into downloading malicious software under the guise of a technical test, granting attackers access to internal systems. Whether the January 6 incident employed similar social engineering tactics or exploited a separate technical vulnerability remains under investigation.

Affected Systems

CoinsPaid operates as one of the prominent crypto payment processors in Europe, handling transactions for merchants and users across multiple jurisdictions. The breach affected the platform's withdrawal infrastructure, allowing the attacker to move funds out of custodial wallets. CPD tokens, the platform's native utility token, were specifically targeted in the token swap component of the attack.

The incident occurred during a particularly destructive period for DeFi and crypto payment platforms. According to a report by Immunefi, January 2024 saw approximately $126.8 million in losses across 19 separate incidents, a sixfold increase compared to January 2023. Exploits and hacks accounted for 96.8% of total losses, or $122.8 million across 14 cases. Other notable January incidents included the Orbit Bridge cross-chain attack ($81.5 million), GMEE ($15 million), Gamma Strategies ($6.2 million), and Radiant Capital ($4.5 million).

The Mitigation Strategy

Following the attack, CoinsPaid initiated coordination with law enforcement and blockchain analytics firms to trace the stolen funds. The company also engaged security teams to audit its infrastructure and identify the entry point used by the attacker. For payment processors handling custodial funds, the incident highlights several critical mitigations that should be standard practice.

Multi-signature wallet architecture can prevent single-point-of-failure withdrawals by requiring multiple approvals for large transactions. Time-locked withdrawals add a delay window during which suspicious transactions can be flagged and halted. Hardware security modules, or HSMs, provide physical isolation for private keys, making remote exfiltration significantly harder. Regular penetration testing and red team exercises help identify social engineering vulnerabilities before attackers exploit them.
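The first two mitigations above, combined into one withdrawal gate, as an added example that is not CoinsPaid's code or part of the original article. It models the approval and delay policy only, not on-chain multi-signature cryptography; the thresholds, approver names and destination address are constructed assumptions.

```python
from dataclasses import dataclass, field

# All thresholds, names and addresses here are constructed for illustration.
LARGE_USD = 50_000          # at or above this value, extra controls apply
REQUIRED_APPROVALS = 2      # M of the N authorised approvers must sign off
TIMELOCK_SECONDS = 3600     # delay window before a large withdrawal may execute
APPROVERS = {"alice", "bob", "carol"}

@dataclass
class Withdrawal:
    dest: str
    usd_value: float
    requested_at: float
    approvals: set = field(default_factory=set)
    halted: bool = False

def approve(w, approver):
    """Record an approval; unknown approvers are rejected, repeats count once."""
    if approver not in APPROVERS:
        raise PermissionError(f"{approver} is not an authorised approver")
    w.approvals.add(approver)

def halt(w):
    """Flag a pending withdrawal during the delay window so it cannot execute."""
    w.halted = True

def decide(w, now):
    """Return (allowed, reason) for executing withdrawal w at time `now`."""
    if w.halted:
        return False, "halted"
    if w.usd_value < LARGE_USD:
        return True, "small"
    if len(w.approvals & APPROVERS) < REQUIRED_APPROVALS:
        return False, "needs_approvals"
    if now - w.requested_at < TIMELOCK_SECONDS:
        return False, "timelocked"
    return True, "approved"

if __name__ == "__main__":
    w = Withdrawal("0xCONSTRUCTED_DEST", 368_000, requested_at=0)
    approve(w, "alice")
    print(decide(w, now=10))      # one approval is not enough
    approve(w, "bob")
    print(decide(w, now=10))      # quorum met, still inside the delay window
    print(decide(w, now=3600))    # window elapsed without a halt
    halt(w)
    print(decide(w, now=7200))    # a halt overrides approvals and elapsed time
```

A single compromised operator account cannot satisfy the quorum alone, and the delay gives monitoring a window to call `halt` before funds move.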

Lessons Learned

The CoinsPaid breach reinforces several uncomfortable truths about crypto security in early 2024. First, repeat attacks on the same target are common. Organizations that suffer one breach often have structural weaknesses that attract subsequent attempts. Second, payment processors occupy a uniquely dangerous position in the ecosystem because they hold custodial funds across multiple chains, creating a broad attack surface. Third, the human element remains the weakest link. Whether through social engineering or insider threats, attackers increasingly target people rather than code.

The broader January 2024 loss statistics paint a sobering picture. Immunefi noted that 100% of incidents in January occurred in the DeFi sector, with Ethereum and BNB Chain accounting for 58% of cases. The concentration of attacks on DeFi suggests that decentralized protocols and their adjacent infrastructure still lack the security maturity of centralized exchanges, which have improved defenses following years of high-profile breaches.

User Action Required

For users of CoinsPaid or any crypto payment platform, several immediate actions reduce risk. Distribute holdings across multiple platforms rather than concentrating funds in a single custodial service. Withdraw funds to a hardware wallet when active trading is unnecessary. Enable withdrawal whitelist features that restrict transfers to pre-approved addresses. Monitor platform communications for breach notifications and act quickly if irregular activity appears on your account. Finally, maintain healthy skepticism toward unsolicited job offers, partnership proposals, or technical tests, as these are the primary vectors for social engineering attacks in the crypto industry.

Disclaimer: This article is for informational purposes only and does not constitute financial or security advice. Always conduct your own research before using any crypto platform.


10 thoughts on “CoinsPaid Loses $7.5 Million in Second Major Hack Within Six Months”

  1. 37M in july then another 7.5M six months later? at some point you gotta stop blaming north korea and start questioning your own security team

    1. soc_eng_survivor

      mara_v blaming the security team is fair. 37.3M gone in July and they didn't even rotate API keys. that's not lazarus being smart that's CoinsPaid being negligent

  2. 97 million CPD tokens swapped for ETH and nobody flagged it until $368k was already gone? their monitoring is a joke

  3. exchanging 97 million CPD tokens for ETH right under their nose. how do you not have tx monitoring on a payment processor lol

    1. 97 million CPD swapped for ETH and their monitoring caught it at 368k. they literally watched the other 7.1M walk out

  4. Lazarus Group spent months on the July social engineering job. These are not random attacks, they are patient operations.

    1. bro they got hit for 37.3m in july and STILL didn't fix their shit. 6 months later another 7.5m gone. insane

  5. Estonian regulator is gonna have questions. You can't be a licensed payment processor and lose $45m total in 6 months
