
CoinStats Security Breach: How Lazarus Group Exploited Infrastructure Vulnerabilities to Steal $2.2 Million

The cryptocurrency portfolio tracking platform CoinStats disclosed a devastating security breach on July 12, 2024, revealing that a sophisticated attacker—attributed to the North Korean-linked Lazarus Group—stole approximately $2.2 million from 1,590 non-custodial CoinStats Wallets. The incident, initially detected on June 22, 2024, exposes critical weaknesses in how third-party infrastructure components can be weaponized against crypto users, even when private keys are supposedly isolated from platform control.

With Bitcoin trading at $59,231 and Ethereum at $3,177 at the time of disclosure, the attack highlights that as the crypto market grows in value, so does the sophistication and ambition of state-sponsored threat actors targeting the ecosystem.

The Exploit Mechanics

The attack vector was multifaceted, exploiting a chain of vulnerabilities across CoinStats’ infrastructure and its third-party service providers. The attackers first gained unauthorized access to parts of CoinStats’ infrastructure, specifically targeting HashiCorp Vault, the secrets management tool that stored CoinStats Wallet 2FA keys (PINs).

With the 2FA keys compromised, the attackers then exploited APIs connected to a third-party wallet-as-a-service provider. This combination allowed them to access the private keys of exactly 1,590 CoinStats Wallets—despite CoinStats maintaining security protocols designed to keep private keys outside the platform’s direct control.

The sophistication of the attack was remarkable. The Lazarus Group used a combination of unauthorized intrusions across multiple services, including systems outside CoinStats’ direct purview. This cross-service exploitation technique represents an evolution in how nation-state actors approach crypto theft, moving beyond simple phishing or single-point vulnerabilities.

Affected Systems

The breach affected only the non-custodial CoinStats Wallet feature—wallets created directly within the CoinStats platform. Importantly, the following remained unaffected:

– Connected external wallets (MetaMask, Phantom, etc.) used for portfolio tracking
– Exchange accounts linked to CoinStats (Binance, Coinbase, etc.)
– Read-only API connections

This segmentation proved crucial in limiting the blast radius. CoinStats only requests read-only access for portfolio tracking of external wallets, meaning the attacker could not leverage the platform to drain funds from connected accounts. However, for the 1,590 users who utilized the built-in CoinStats Wallet feature, the losses were total and immediate.

The Mitigation Strategy

CoinStats’ response was comprehensive and swift. Upon detecting the abnormal activity at approximately 18:00 UTC on June 22, the team immediately took down the entire platform to prevent further exploitation. By 23:00 UTC, they had identified and published the list of affected wallets.

The remediation involved a complete infrastructure rebuild from scratch. No parts of the old production environment were reused. The team migrated to entirely new AWS accounts, severing all connections to compromised third parties. External security experts, including ZachXBT and Tay (Head of Security at MetaMask), were engaged through Security Alliance (SEAL Org) to trace the stolen funds.

Law enforcement and the FBI were also brought in, providing additional forensic capabilities. The platform was fully restored by July 3, 2024, following comprehensive infrastructure audits by top-tier security firms.

Lessons Learned

Several critical lessons emerge from this incident. First, secrets management systems like HashiCorp Vault are only as secure as the infrastructure surrounding them. Vault encrypts secrets at rest, but it hands them out decrypted to any caller presenting a valid token, so an attacker who reaches the Vault through lateral movement onto a trusted host or identity gains the same access to the stored secrets.
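As an added defender's example (not code from CoinStats or this article): a small detector over HashiCorp Vault's JSON-lines audit log that flags one token reading many distinct wallet-secret paths in a short window, or enumerating the secret tree, which is the access pattern a drain of 1,590 per-wallet PINs would leave behind. The audit-record field names follow Vault's audit format; the secret path, token accessors and addresses are constructed for the demo.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

WATCHED_PREFIX = "secret/data/wallets/2fa/"    # assumed KV v2 path holding wallet PINs
WINDOW, THRESHOLD = timedelta(minutes=5), 3    # distinct secrets per token per window (low for demo)

# Constructed sample records in Vault's JSON-lines audit format; paths,
# accessors and addresses are made up for illustration.
SAMPLE_AUDIT_LOG = """\
{"time":"2024-06-22T17:50:00Z","type":"response","auth":{"accessor":"hmac-svc","display_name":"wallet-api"},"request":{"operation":"read","path":"secret/data/wallets/2fa/u1001","remote_address":"10.0.4.12"}}
{"time":"2024-06-22T17:52:00Z","type":"response","auth":{"accessor":"hmac-svc","display_name":"wallet-api"},"request":{"operation":"read","path":"secret/data/wallets/2fa/u1001","remote_address":"10.0.4.12"}}
{"time":"2024-06-22T17:58:00Z","type":"response","auth":{"accessor":"hmac-x","display_name":"wallet-api"},"request":{"operation":"read","path":"secret/data/wallets/2fa/u1001","remote_address":"10.0.9.77"}}
{"time":"2024-06-22T17:58:01Z","type":"response","auth":{"accessor":"hmac-x","display_name":"wallet-api"},"request":{"operation":"read","path":"secret/data/wallets/2fa/u1002","remote_address":"10.0.9.77"}}
{"time":"2024-06-22T17:58:02Z","type":"response","auth":{"accessor":"hmac-x","display_name":"wallet-api"},"request":{"operation":"read","path":"secret/data/wallets/2fa/u1003","remote_address":"10.0.9.77"}}
{"time":"2024-06-22T17:58:03Z","type":"response","auth":{"accessor":"hmac-x","display_name":"wallet-api"},"request":{"operation":"list","path":"secret/metadata/wallets/2fa/","remote_address":"10.0.9.77"}}
"""

def parse_entries(text):
    """Yield (time, accessor, operation, path, remote_address) for each response record."""
    for line in text.strip().splitlines():
        rec = json.loads(line)
        if rec.get("type") != "response":
            continue
        req, t = rec["request"], rec["time"].replace("Z", "+00:00")
        yield (datetime.fromisoformat(t), rec["auth"]["accessor"],
               req["operation"], req["path"], req.get("remote_address", ""))

def find_bulk_reads(text, prefix=WATCHED_PREFIX, window=WINDOW, threshold=THRESHOLD):
    """One alert per token that reads `threshold` distinct secrets under `prefix`
    within `window`, plus an alert for any listing of that secret tree."""
    alerts, flagged = [], set()
    recent = defaultdict(deque)                 # accessor -> (time, path) in window
    for ts, accessor, op, path, addr in sorted(parse_entries(text)):
        if op == "list" and path.startswith(prefix.replace("/data/", "/metadata/")):
            alerts.append({"accessor": accessor, "reason": "tree enumeration", "addr": addr})
            continue
        if op != "read" or not path.startswith(prefix):
            continue
        q = recent[accessor]
        q.append((ts, path))
        while ts - q[0][0] > window:            # drop reads older than the window
            q.popleft()
        distinct = {p for _, p in q}
        if len(distinct) >= threshold and accessor not in flagged:
            flagged.add(accessor)
            alerts.append({"accessor": accessor, "reason": "bulk secret read",
                           "count": len(distinct), "addr": addr})
    return alerts
```

In production the threshold would be tuned to the service's normal per-user read rate, and the alert would also carry the token's `display_name` and policies so the responder can see which identity was abused.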

Second, third-party dependencies create invisible attack surfaces. Even when a platform maintains proper key isolation, the chain of trust extending to wallet-as-a-service providers introduces risks that may not be fully understood or monitored.

Third, the attribution to Lazarus Group confirms that nation-state actors continue to view cryptocurrency platforms as high-value targets. Their willingness to invest significant resources in multi-stage, cross-platform attacks means that crypto companies must adopt security postures comparable to traditional financial institutions.

User Action Required

If you used a CoinStats Wallet (not a connected external wallet), you should:

1. Verify whether your wallet was among the 1,590 affected addresses published by CoinStats
2. Report losses to local law enforcement and the FBI’s Internet Crime Complaint Center
3. Monitor blockchain explorers for movement of your stolen funds
4. Consider migrating to self-custody solutions where you control the private keys entirely
5. Enable hardware wallet authentication for any remaining crypto holdings

For users of any portfolio tracking platform, this incident serves as a stark reminder: whenever possible, use read-only connections rather than importing wallets via private keys. The convenience of integrated wallets comes with risks that may not be immediately apparent.

Disclaimer: This article is for informational purposes only and does not constitute financial or security advice. Always conduct your own research and consult with security professionals regarding cryptocurrency protection.


9 thoughts on “CoinStats Security Breach: How Lazarus Group Exploited Infrastructure Vulnerabilities to Steal $2.2 Million”

  1. northkorea_aint_playin

    lazarus targeting hashicorp vault is next level. they went after the secrets management layer not individual wallets

    1. hashicorp vault is supposed to be the gold standard for secrets management. if lazarus can crack that, what hope do smaller defi teams have

  2. 1590 wallets drained and the attack started june 22 but disclosure was july 12. three weeks of silence is rough

    1. non-custodial is supposed to mean they don't have your keys. clearly the 2fa pin storage in vault broke that promise

      1. non-custodial means you hold the keys. coinstats holding 2fa pins in a third party vault defeats the entire purpose. buzzword compliance at its finest

        1. keyslayer_ storing 2FA pins outside the user device is basically custodial with extra steps. the branding was the problem

    2. Tomasz Kowal three weeks of silence while wallets drained. at some point transparency has to matter more than investigation time

  3. Mira Johansson

    lazarus stole 2.2m here. now imagine what they pull from actual exchanges. the numbers must be staggering

  4. 20 days between detection and disclosure is rough. how many wallets got drained in that gap while they investigated
