An Estonia-based crypto platform named CoinsPaid has suffered a cyber breach resulting in the loss of crypto exchange assets such as BNB and Ethereum (ETH). The incident, reported on X (formerly Twitter) by the handle @CyversAlert, indicates that the financial loss is estimated at around $7.5 million.
Breaking down the stolen assets as reported last Friday (January 5th, 2024), over $1 million was in digital assets, together with 924,000 BSC-USD and 268.5 BNB, all adding up to $7.5 million.
Although, at the time of this report, the threat group responsible for the breach is uncertain, there are rumors that the Lazarus group is the main suspect. The Lazarus group is known to be a North Korean state-sponsored hacking group and a major threat in the cyber world.
In August last year, the FBI reported that the group was responsible for hacking and transferring crypto assets worth over USD $40 million within a space of 60 minutes.
In addition, the group was also responsible for the hack on the Ronin Network in February 2023 (last year), which resulted in the Norwegian government confiscating crypto assets worth over 60 million kroner (USD 5.8 million at the current exchange rate).
On the incident, in an exclusive to Crypto News, the CEO of CyVers, Deddy Lavid, stated that:
“On January 5, 2024 at exactly 6:13:23 PM UTC, the CoinsPaid exchange suffered a significant security breach, resulting in a total loss of USD$7.5 million in digital assets on the BNB and ETH chains. Assets stolen included USDT, USDC, CPD on the ETH chain and BNB and BSC-USD on the BNB chain.”
Furthermore, the stolen digital assets were distributed across various EOAs (Externally Owned Accounts) on both the ETH and BNB networks. Other external exchanges that the hackers transferred the stolen assets to include WhiteBit, MEXC, and ChangeNow.
Adding to the public information disclosed, CyVers also reported that the breach was the result of lax security controls implemented by the organization, resulting in less secure access to the wallets on the network.
CoinsPaid had previously been alerted to these security issues in July 2023; at that time, the CoinsPaid system and Alphapo were impacted by a USD $100 million loss of assets, says CyVers.
There is no doubt that the group has been notorious and will remain so, as a trail of reports indicates they have carved a niche for themselves in "attacking the Web3.0 space and assets." Alphapo, a previous victim of the Lazarus threat group, lost assets estimated to be worth over USD $23 million in Bitcoin (BTC), Ethereum (ETH), and Tron (TRX).
The Lazarus Group and its damage to cyberspace:
The North Korean Lazarus Group is known to have caused a lot of damage in cyberspace over the past six years. Information on the internet shows that over USD $3 billion in crypto assets has been stolen by this group, and in 2023 alone the estimated amount of stolen assets is said to be worth over USD $600 million.
Social engineering and the need for organizations to sensitize their employees:
The rise in social engineering victims is an indication that organizations focus more on building robust systems and securing them efficiently, with little or no effort placed on training and sensitizing the weakest link (humans).
According to the CoinsPaid blog summary of the findings from its internal investigation and forensics, a foothold on the organization's network and assets was gained via social engineering.
The threat group published a fake job advert via LinkedIn offering a high salary in the range of USD $16,000-24,000, specifically targeting CoinsPaid employees.
In the next stage of the attack, the threat actor tricked the potential candidate into installing the JumpCloud Agent, or another special program, which enabled them to navigate the organization's structure. The group had also spent numerous months learning about CoinsPaid's organizational structure and its employees, enabling them to perfect their social engineering messages to their victim (in this case CoinsPaid).
Sample of a social engineering job-ad email:
Sometime last year, an employee of Fixitgearware Security also received such an email; however, a strong security policy in place flagged this email as spam. Reviewing the tricks further, we could obviously see lots of red flags, which is not difficult. Analyzing the entire email:
- The email message was written in bold fonts with a subtle tone of command, part of the trick used in social engineering.
- The email does not specifically state which job position the employee applied for (although our employee had not applied for any job), but you could notice that it was like casting a wide net, from the series of job positions indicated in the mail as having been applied for.
- A link was supplied, and looking at the link, something captured our attention: in the encryption, the words "FEAR" and "W0". We can tell that the threat actor used these words as a form of reverse psychology, in case the target user is suspicious of the link or suspects it is a worm. I mean, who would want to hack you and use the word "Fear", right?
- An official email address was used to send the email to our employee; however, the help desk email to contact is a Gmail address. While this can also be legitimate, note the name of the email: hiringdeskclerk, yet we are asked to contact the hiring manager. So which is it, "manager or clerk"?
While the fraudulent nature of this email was obvious to us in its entirety, certainly many would have fallen victim to it. It is also important to note that fraudulent software can be attached to shared links; do not download such software, as it might be packed with malware, or might link to a version of legitimate software that has an exploitable vulnerability, one which the threat actor may know exactly how to exploit.
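As an added example (not code from CoinsPaid, CyVers or the original post), the Python script below turns the red flags walked through above into simple detection heuristics and runs them over a constructed sample email modelled on that description; the sender, addresses and link in it are made-up placeholders.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample modelled on the red flags listed above; not the real message.
SAMPLE_EMAIL = """\
From: Recruiting <hr@example-corp.invalid>
To: staff@example-security.invalid
Subject: ACTION REQUIRED: Your application for Engineer / Analyst / Manager

YOU MUST COMPLETE THE NEXT STEP WITHIN 24 HOURS.
Review your offer: http://jobs-portal.invalid/FEAR-W0/offer
Questions? Contact our Hiring Manager at hiringdeskclerk@gmail.com
"""

FREE_MAIL = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}
URGENCY = ("action required", "must", "immediately", "within 24 hours")
ROLES = ("engineer", "analyst", "manager", "developer", "administrator")
ADDR_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
URL_RE = re.compile(r"https?://([^/\s]+)")

def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower()

def red_flags(raw):
    """Return the set of heuristic red-flag names found in one raw email message."""
    msg = message_from_string(raw)
    sender = parseaddr(msg.get("From", ""))[1]
    subject = msg.get("Subject", "")
    body = msg.get_payload()
    text = f"{subject}\n{body}".lower()
    flags = set()
    if any(word in text for word in URGENCY):               # commanding, urgent tone
        flags.add("urgency")
    if sum(role in subject.lower() for role in ROLES) >= 2:  # wide net of job titles
        flags.add("multiple_roles")
    for host in URL_RE.findall(body):                       # link hosted off the sender domain
        if not host.lower().endswith(domain_of(sender)):
            flags.add("external_link")
    for addr in ADDR_RE.findall(body):                      # contact address checks
        if domain_of(addr) != domain_of(sender) and domain_of(addr) in FREE_MAIL:
            flags.add("freemail_contact")
        if "clerk" in addr.split("@")[0].lower() and "manager" in text:
            flags.add("role_mismatch")
    return flags

if __name__ == "__main__":
    print(sorted(red_flags(SAMPLE_EMAIL)))
```

These checks are heuristics for triage, not a verdict; a mail gateway would normally combine them with sender authentication results (SPF/DKIM/DMARC) before blocking.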
Fixitgearware Security advice on implementing security measures:
Studying the TTPs (Tactics, Techniques, and Procedures), Fixitgearware Security suggests a series of security measures to be implemented, not just by targeted organizations but also by those yet to become victims.
- Organizations often implement little to no BYOD policy. It is important that organizations implement such a policy, as threat actors can gain access to an organization's internal network via a compromised employee device if that device is on the same network (Wi-Fi connectivity) as the organization.
- The BYOD policy should also specify which of the organization's enterprise applications can be accessed from the user's (employee's) device, as threat actors can access these applications (e.g. email, calendars, etc.) after installing their malicious software, to gain more insight into other parties (employees of the organization) to contact, which in most cases may lead to a whaling (whale phishing) technique.
- The BYOD policy should also include automatic scanning of devices for any indication of threats from installed software, and blocking malicious applications from the organization's network.
- Organizations should also put more resources into sensitizing their employees, and not just into building robust and secure systems. What use is a secure system when the humans behind its operation are not secured? They can be an entry point for these threat actors to gain access and possibly create legitimate administrative accounts to then perform more sinister actions.
These are a few of the numerous policies out there. We hope that security in the crypto space will be taken seriously and that organizations will invest a lot of resources in beefing up their security without breaking the bank.
Remember to always stay safe, and be vigilant 🛡️!
Put your comments below in the comment section on your thoughts about this.