CoinsPaid
Summary
CoinsPaid is an Estonia-based cryptocurrency payment processor founded by Max Krupyshev that was targeted in two major security breaches: a $37.3 million hack in July 2023 attributed by the company and the FBI to North Korea's Lazarus Group (achieved via a sophisticated social engineering campaign using fake job offers), and a second breach in January 2024 resulting in approximately $7.5 million in losses. Despite the company's stated transparency and rapid operational recovery, the consecutive incidents raise significant concerns about its security posture and its status as a repeated high-value target for state-sponsored threat actors.
Timeline (13 events)
2023-03-01
Lazarus Group begins reconnaissance campaign against CoinsPaid, including DDoS and brute-force probing and social engineering attempts posing as Ukrainian crypto startup representatives.
CoinsPaid official hack explanation / Match Systems investigation
2023-06-01
Lazarus operatives begin impersonating cryptocurrency company recruiters on LinkedIn and messaging apps, offering CoinsPaid employees salaries of $16,000–$24,000/month.
CoinsPaid official hack explanation
2023-07-07
Coordinated DDoS attack using over 150,000 IP addresses launched against CoinsPaid infrastructure, likely as cover or distraction for the infiltration campaign.
lazarus-bluenoroff-research GitHub (tayvano/ZachXBT)
2023-07-22
CoinsPaid hot wallets drained of approximately $37.3 million via authorized withdrawal requests generated after a CoinsPaid employee installed malware disguised as a legitimate job-application technical task (leveraging a compromised JumpCloud Agent). Alphapo also hacked on the same date for approximately $60 million.
Bloomberg / FBI / CoinsPaid official disclosure
2023-07-25
CoinsPaid files official incident report with Estonian law enforcement.
CoinsPaid official update
2023-07-26
CoinsPaid publishes public report attributing the hack to Lazarus Group based on internal investigation in collaboration with Match Systems.
The Block
2023-07-29
CoinsPaid resumes payment processing operations; states no customer funds were affected.
CryptoTimes
2023-08-23
FBI issues warning that North Korean hackers — identified as responsible for the CoinsPaid, Alphapo, Atomic Wallet, and Stake.com hacks — are preparing to liquidate proceeds.
TechCrunch / FBI
2023-09-01
CoinsPaid's Estonian CASP license (FVT000166) renewed after 15 months of regulatory scrutiny.
CoinsPaid / Fintelegram
2023-11-29
U.S. Treasury OFAC sanctions Sinbad.io cryptocurrency mixer, citing its role in laundering proceeds from the CoinsPaid and other Lazarus Group hacks. FBI, Dutch, and Finnish police simultaneously seize the Sinbad website.
U.S. Treasury / CoinDesk
2024-01-05
CoinsPaid suffers a second hack, losing approximately $7.5 million across USDT, ETH, USDC, BNB, and CPD tokens. Funds subsequently routed through MEXC, ChangeNow, and WhiteBit.
BeInCrypto / CryptoNews
2024-01-06
ZachXBT publicly flags approximately $6.1 million in suspicious outflows from CoinsPaid hot wallets; blockchain security firm Cyvers independently confirms broader losses totaling $7.5 million and attributes root cause to inadequate wallet access controls.
CoinPaper
2024-01-08
Match Systems publishes analysis asserting potential link between the CoinsPaid second breach, the Orbit Bridge hack ($81.5 million), and prior Lazarus Group operations based on shared on-chain patterns.
CoinTelegraph
Decision Log
- hash: HTJY7WBU6ZWLdPLfjpPGXcu8cwW3vnwU4SJrzVXpghM7
This investigation is cryptographically anchored to the Solana blockchain and source URLs are archived via the Internet Archive.
model: claude-sonnet
generated: 5/4/2026, 2:54:10 AM
last updated: 5/26/2026, 4:11:12 AM
avoid.net — verified advice for a post-truth world