
Lazarus Group Strikes Twice in One Day: $97 Million Drained From CoinsPaid and Alphapo

The cryptocurrency ecosystem faced one of its most brutal single-day security breaches on June 22, 2023, as North Korea-linked Lazarus Group allegedly orchestrated two separate attacks that siphoned a combined $97 million from crypto payment processor CoinsPaid and cryptocurrency platform Alphapo. The dual assaults highlight the growing sophistication of state-sponsored cybercrime and its devastating impact on digital asset infrastructure.

The Exploit Mechanics

CoinsPaid, a major crypto payments provider processing significant volumes for merchants and exchanges, disclosed that attackers spent approximately six months conducting reconnaissance on their systems before executing the breach. The Lazarus Group employed a multi-stage social engineering campaign, targeting key employees through fake job recruitment channels on messaging platforms. Once an employee interacted with a malicious link disguised as a skills assessment, the attackers gained initial access to internal systems.

The breach at Alphapo, a cryptocurrency platform, resulted in an estimated $60 million in losses. According to the FBI investigation that followed, both attacks bore the hallmarks of Lazarus Group operations, specifically the subgroup tracked as TraderTraitor or APT38. The attackers moved approximately 1,580 Bitcoin across six identified wallet addresses, attempting to launder the stolen funds through various mixing services and eventually through the Russian-linked Garantex exchange.

The attack methodology demonstrates a shift from opportunistic smart contract exploits toward prolonged, targeted social engineering campaigns against crypto infrastructure companies. Lazarus operatives invested months building trust with employees before deploying their payloads, a tactic more commonly seen in nation-state espionage operations than traditional cybercrime.

Affected Systems

CoinsPaid was forced to temporarily suspend all operations following the breach, affecting numerous downstream merchants and partner platforms that relied on its payment processing infrastructure. The $37 million stolen from CoinsPaid comprised multiple cryptocurrency assets including Bitcoin, Ethereum, and various ERC-20 tokens.

The Alphapo platform experienced similar disruptions, with the $60 million loss representing one of the larger centralized platform breaches of 2023. Both incidents occurred against a backdrop of heightened regulatory scrutiny, with the SEC having recently filed lawsuits against Binance and Coinbase earlier in June, creating an atmosphere of uncertainty across the industry.

Bitcoin was trading around $29,900 at the time of the attacks, with Ethereum hovering near $1,870. The broader crypto market capitalization stood at approximately $1.17 trillion, and despite the negative security news, institutional momentum from BlackRock ETF filings and the launch of EDX Markets helped absorb the impact on prices.

The Mitigation Strategy

CoinsPaid engaged multiple blockchain analytics firms and security auditors to trace the stolen funds. The company worked closely with law enforcement agencies across several jurisdictions, and the FBI later identified six specific Bitcoin addresses linked to Lazarus Group operations, warning all crypto exchanges to block transactions originating from these wallets.

The FBI alert, issued in August 2023, specifically named the wallet addresses: 3LU8wRuZnXP4UM8Yo6kkTiGHM9BubgyiG, 39idqitN9tYNmq3wYanwg3MitFB5TZCjWu, 3AAUBbKJorvNhEUFhKnep9YTwmZECxE4Nk, 3PjNaSeP8GzLjGeu51JR19Q2Lu8W2Te9oc, 3NbdrezMzAVVfXv5MTQJn4hWqKhYCTCJoB, and 34VXKa5upLWVYMXmgid6bFM4BaQXHxSUoL. The Bureau urged all private sector crypto entities to examine blockchain data associated with these addresses and remain vigilant against transactions derived from them.

Lessons Learned

The June 22 double attack underscores several critical security lessons for the crypto industry. First, social engineering remains the most effective attack vector, and platforms must invest heavily in employee security awareness training and strict access controls. Second, the six-month reconnaissance period demonstrates that Lazarus Group operates with patience and resources typical of nation-state actors, meaning crypto companies face threats far more sophisticated than typical cybercriminals.

Third, the rapid laundering of funds through mixing services and sanctioned exchanges highlights the need for real-time transaction monitoring and automated blocking of suspicious transfers. Companies that process large volumes of cryptocurrency must implement multi-layered security architectures that combine technical controls with human-centered defenses against social engineering.
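A defender-side illustration of the FBI guidance above ("remain vigilant against transactions derived from them") and of the real-time monitoring point just made: seed a taint set with the six flagged addresses, propagate taint a bounded number of hops through spending transactions, and hold deposits whose inputs are tainted. This is an added example, not code from CoinsPaid, Alphapo or the FBI; the seed addresses are those quoted in the alert, while every transaction, intermediary address and hop limit is constructed for illustration.

```python
# Added example: screening deposits against FBI-flagged Lazarus addresses.
# Seed list is from the FBI alert quoted above; all transactions and
# "constructed-*" addresses below are constructed, not real chain data.
FBI_FLAGGED = {
    "3LU8wRuZnXP4UM8Yo6kkTiGHM9BubgyiG",
    "39idqitN9tYNmq3wYanwg3MitFB5TZCjWu",
    "3AAUBbKJorvNhEUFhKnep9YTwmZECxE4Nk",
    "3PjNaSeP8GzLjGeu51JR19Q2Lu8W2Te9oc",
    "3NbdrezMzAVVfXv5MTQJn4hWqKhYCTCJoB",
    "34VXKa5upLWVYMXmgid6bFM4BaQXHxSUoL",
}

def normalize(addr):
    """Base58 addresses (1.../3...) are case-sensitive; bech32 (bc1...) are
    not and often arrive uppercased from QR codes, so lowercase only those."""
    a = addr.strip()
    return a.lower() if a[:3].lower() == "bc1" else a

def tainted_addresses(transactions, seeds, max_hops):
    """Breadth-first taint propagation over (txid, inputs, outputs) tuples.
    Every output of a tx that spends from a tainted address becomes tainted,
    up to max_hops hops from the seeds. Returns {address: hops_from_seed}."""
    taint = {normalize(a): 0 for a in seeds}
    for hop in range(1, max_hops + 1):
        frontier = {a for a, h in taint.items() if h == hop - 1}
        for _txid, ins, outs in transactions:
            if any(normalize(i) in frontier for i in ins):
                for o in outs:
                    taint.setdefault(normalize(o), hop)  # keep shortest path
    return taint

def screen_deposit(tx, taint):
    """Decide whether an incoming deposit may be credited: ("allow", "") or
    ("hold", reason) when any input is within the tainted set."""
    txid, ins, _outs = tx
    hits = [(i, taint[normalize(i)]) for i in ins if normalize(i) in taint]
    if not hits:
        return ("allow", "")
    addr, hops = min(hits, key=lambda h: h[1])
    return ("hold", f"{txid}: input {addr} is {hops} hop(s) from a flagged address")

# Constructed ledger: flagged funds -> mixer -> exchange deposit address,
# plus one unrelated deposit that must pass.
SAMPLE_TXS = [
    ("tx-a", ["3LU8wRuZnXP4UM8Yo6kkTiGHM9BubgyiG"], ["constructed-mixer-in-1"]),
    ("tx-b", ["constructed-mixer-in-1", "constructed-clean-1"],
             ["constructed-mixer-out-1", "constructed-mixer-out-2"]),
    ("tx-c", ["constructed-mixer-out-2"], ["constructed-exchange-deposit-1"]),
    ("tx-d", ["constructed-unrelated-1"], ["constructed-exchange-deposit-2"]),
]
```

The hop limit is a policy choice: too low and mixed funds slip through after a few hops, too high and a flag spreads to addresses the sanctioned entity never controlled, so in practice the hop count is combined with value thresholds and a manual review queue.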

User Action Required

If you held funds on CoinsPaid or Alphapo during this period, immediately check your account status and follow official communications from the platforms. Monitor your wallet addresses for any unauthorized transactions and report suspicious activity to both the platform and relevant law enforcement. Enable all available security features on your accounts, including two-factor authentication, withdrawal whitelist restrictions, and anti-phishing codes. Consider migrating remaining funds to hardware wallets where private keys remain offline and inaccessible to remote attackers.

Disclaimer: This article is for informational purposes only and does not constitute financial or security advice. Always conduct your own research and consult with qualified professionals before making security decisions.


9 thoughts on “Lazarus Group Strikes Twice in One Day: $97 Million Drained From CoinsPaid and Alphapo”

  1. chain_silence_

    six months of recon on CoinsPaid and nobody noticed. Lazarus really operates like a nation-state spy agency because, well, they are one

    1. the fake job recruitment angle is terrifying. how many crypto devs would click a link from a recruiter without thinking twice about it

      1. every dev in crypto has gotten at least one suspicious recruiter message. the scary part is how professional the fake profiles look now

      2. crypto devs get recruiters in their DMs daily. one malicious link disguised as a coding challenge and your whole org is compromised. terrifyingly simple

    2. they are literally DPRK military. the recon budget alone probably exceeds the entire security spend of most crypto companies

    3. six months of recon means they had live access to internal systems. probably saw every code commit and slack message before pulling the trigger

  2. $60M from Alphapo alone and the FBI could only flag 6 btc addresses after the fact. chainalysis is always 3 steps behind state actors

    1. flagging addresses after the funds are already mixed is theater. the deterrent value is basically zero for state actors

  3. $97M drained in one day and the only response was flagging 6 btc addresses. the deterrence model is completely broken
