CoinsPaid hit by USD 7.5 million cryptocurrency breach


Cryptocurrency payment gateway CoinsPaid has encountered its second security breach within a span of six months. Cyvers, a Web3 security firm, reported the detection of unauthorised transactions.

Specifically, on 6 January 2024, Cyvers' artificial intelligence system identified multiple irregular transactions, resulting in the withdrawal of USD 6.1 million in digital assets, including Tether, Ether, USD Coin, and CoinsPaid's native token CPD. The attacker exchanged approximately 97 million CPD tokens for ETH, valued at around USD 368,000, and subsequently transferred the funds to externally owned accounts (EOAs) and cryptocurrency exchanges MEXC, WhiteBit, and ChangeNOW. CoinGecko's data reveals a 39.5% decline in CPD's value to USD 0.0006 at the time of writing.

Further investigation by Cyvers uncovered unauthorised transactions involving BNB, amounting to over USD 1 million, bringing the total stolen to close to USD 7.5 million. CoinsPaid, an Estonian payment processor for digital assets, claims to have facilitated transactions exceeding EUR 19 billion in the crypto space, according to cointelegraph.com. While CoinsPaid has not issued an official statement regarding the recent attack, WhiteBIT revealed via X that they are aware of attempts to deposit funds stolen in the CoinsPaid incident to WhiteBIT. Considering recent developments and in order to comply with AML standards, WhiteBIT has frozen the funds in question and is conducting procedures relevant to the case.

CoinsPaid's previous run-ins with hackers

This incident follows a security breach in July 2023, in which over USD 37 million was stolen from CoinsPaid. The company attributed the breach to the North Korean state-backed Lazarus Group, alleging that the group, after multiple unsuccessful attempts to infiltrate the platform since March 2023, resorted to sophisticated social engineering techniques. In the previous attack, hackers employed a fake job interview to deceive an employee, who unwittingly downloaded malicious code, granting unauthorised access to CoinsPaid's infrastructure.

The Lazarus Group has been linked to several cryptocurrency hacks in 2023, with TRM Labs reporting their involvement in stealing at least USD 600 million in crypto during that year. TRM Labs disclosed that entities associated with the Democratic People’s Republic of Korea (DPRK) were accountable for approximately 33% of the total cryptocurrency stolen through cyber hacks in the year 2023. As outlined in a recent report, since 2017, DPRK-affiliated hackers have stolen an estimated USD 3 billion in cryptocurrency, indicating a notable escalation in digital asset-related attacks over the past year.

TRM Labs further noted that the tactics employed by DPRK for money laundering displayed a constant evolution, adapting to evade pressures from international law enforcement. The research indicated a recurrent pattern where hackers compromised users’ private keys or seed phrases, subsequently transferring the stolen funds to wallets controlled by DPRK and then exchanging the assets for Tether or Tron.


Jan 08, 2024 14:37