Verify a decision

{"actor":"system:backfill","investigation_id":"c151c3eb-9925-47a0-a4be-c6cd45bd8886","kind":"publish","page_slug":"coinspaid","published_at":"2026-05-19T16:20:51.714Z","sequence_num":1,"snapshot":{"content_type":"investigation","entity_name":"CoinsPaid","sections":[{"content":"CoinsPaid operates as a cryptocurrency payment gateway and processing ecosystem offering multi-currency business wallets, OTC and exchange desks, and SaaS payment infrastructure for merchants. It is incorporated and licensed in Estonia, holding an Estonian Crypto Asset Service Provider (CASP) license (FVT000166) issued by the Financial Intelligence Unit (FIU). The company relocated its primary operations to Tallinn from Ukraine in 2019. CEO and co-founder Max Krupyshev is Ukrainian-born and has been involved in the crypto industry since 2013. CoinsPaid claims to process approximately €1 billion in monthly transaction volume and supports over 50 cryptocurrencies. The company markets itself as fully AML/KYC/KYB compliant under EU frameworks.","heading":"Company Overview","severity":"low","sources":[{"credibility":2,"name":"World's biggest cryptocurrency payment company is run from Tallinn","type":"news_article","url":"https://estonianworld.com/technology/worlds-biggest-cryptocurrency-payment-company-is-run-from-tallinn/"},{"credibility":2,"name":"CoinsPaid: Crypto Payment Processor Investor Briefing","type":"research","url":"https://fintelegram.com/coinspaid-crypto-payment-processor-investor-briefing/"}]},{"content":"On July 22, 2023, CoinsPaid suffered a $37.3 million theft attributed to the North Korean state-sponsored Lazarus Group (also identified as APT38). According to CoinsPaid's own post-incident report and a subsequent investigation conducted with cybersecurity firm Match Systems, the attack followed approximately six months of reconnaissance and failed infiltration attempts dating to March 2023. Initial probes included DDoS attacks, brute-force attempts, and a social engineering approach in which an individual posing as a representative of a Ukrainian crypto startup contacted CoinsPaid engineers to inquire about technical infrastructure. Between June and July 2023, Lazarus operatives impersonated recruiters on LinkedIn and messaging applications, offering salaries of $16,000–$24,000 per month to CoinsPaid employees. In at least one confirmed case, a CoinsPaid employee was presented with a technical task that required downloading a malicious application — in this instance disguised as or embedding the JumpCloud Agent software, a directory management platform that was separately compromised by Lazarus in July 2023. Once executed, the malware exfiltrated credentials and provided the attackers with remote access to CoinsPaid's internal infrastructure. On July 22, the attackers used this access to generate authorized withdrawal requests from CoinsPaid hot wallets, draining approximately $37.3 million in crypto assets within minutes. A coordinated DDoS wave involving more than 150,000 IP addresses was observed concurrent with the theft. CoinsPaid stated that no customer funds were lost; only company-owned reserves were affected. Operations were suspended for approximately four days and then progressively restored, reaching 80% of pre-hack volume within roughly one week. On July 25, 2023, CoinsPaid filed an official report with Estonian law enforcement.","heading":"July 2023 Hack — $37.3 Million Lazarus Group Attribution","severity":"critical","sources":[{"credibility":2,"name":"How North Korea's Lazarus Group used a fake job offer to steal $37m from CoinsPaid — DL News","type":"news_article","url":"https://www.dlnews.com/articles/defi/how-north-korea-lazarus-group-stole-crypto-from-coinspaid/"},{"credibility":1,"name":"Suspected North Korean Lazarus Crypto Hack Came From Fake Job Offer — Bloomberg","type":"news_article","url":"https://www.bloomberg.com/news/articles/2023-08-07/fake-job-offer-opened-door-to-suspected-north-korean-crypto-hack"},{"credibility":2,"name":"Crypto payment gateway CoinsPaid suspects Lazarus Group in $37M hack — CoinTelegraph","type":"news_article","url":"https://cointelegraph.com/news/coinpaid-crypto-payments-suspect-lazarus-group-behind-hack"},{"credibility":2,"name":"Lazarus Group suspected by CoinsPaid of $37 million hack — The Block","type":"news_article","url":"https://www.theblock.co/post/241607/lazarus-group-suspected-by-coinspaid-of-37-million-hack"},{"credibility":2,"name":"Lessons of a $37M Attack: How a Ukrainian Payment Processor Was Hacked — CoinDesk","type":"news_article","url":"https://www.coindesk.com/consensus-magazine/2023/08/08/lessons-of-a-37m-attack-how-a-ukrainian-payment-processor-was-hacked"},{"credibility":2,"name":"CoinsPaid hack explained (official company post)","type":"official","url":"https://coinspaid.com/company-updates/the-coinspaid-hack-explained/"}]},{"content":"The FBI confirmed attribution of both the CoinsPaid and Alphapo ($60 million, same date) hacks to Lazarus Group / APT38, North Korean state-sponsored cyber actors. An FBI press release identified DPRK cyber actors as responsible for stealing approximately $60 million from Alphapo and CoinsPaid on or about July 22, 2023. The FBI warned in August 2023 that North Korean hackers were preparing to liquidate the proceeds of multiple high-profile 2023 crypto hacks. Additionally, the U.S. Treasury Department's Office of Foreign Assets Control (OFAC) sanctioned cryptocurrency mixer Sinbad.io in November 2023 in part because it was used to launder proceeds from the CoinsPaid and related Lazarus Group heists. Sinbad had been identified by Elliptic as the preferred mixer used by North Korean hackers to obscure stolen crypto flows.","heading":"FBI and Regulatory Attribution","severity":"critical","sources":[{"credibility":1,"name":"FBI Identifies Cryptocurrency Funds Stolen by DPRK","type":"regulatory","url":"https://www.fbi.gov/news/press-releases/fbi-identifies-cryptocurrency-funds-stolen-by-dprk"},{"credibility":1,"name":"FBI says North Korean hackers preparing to cash out after high-profile crypto hacks — TechCrunch","type":"news_article","url":"https://techcrunch.com/2023/08/23/fbi-north-korea-lazarus-crypto/"},{"credibility":1,"name":"Treasury Sanctions Mixer Used by the DPRK to Launder Stolen Virtual Currency","type":"regulatory","url":"https://home.treasury.gov/news/press-releases/jy1933"},{"credibility":2,"name":"How the Lazarus Group is stepping up crypto hacks and changing its tactics — Elliptic","type":"research","url":"https://www.elliptic.co/blog/how-the-lazarus-group-is-stepping-up-crypto-hacks-and-changing-its-tactics"}]},{"content":"According to the joint investigation by CoinsPaid and Match Systems, the majority of the $37.3 million in stolen funds were laundered through a multi-hop chain that involved several no-KYC swap services and a sanctioned cryptocurrency mixer. The funds were primarily moved in the form of USDT on the Avalanche-C blockchain, with most assets routed through the SwftSwap exchange service. Additional swap services used included SunSwap and SimpleSwap. After passing through these swap services, a portion of the funds was bridged to Ethereum via the Avalanche Bridge and subsequently moved on to Bitcoin. The Sinbad.io cryptocurrency mixer — later sanctioned by OFAC — was used at various stages to obscure transaction trails. Blockchain analytics firm Elliptic noted an abnormal spike in SwftSwap transaction volumes coinciding with the Atomic Wallet and CoinsPaid hacks, supporting the conclusion that Lazarus operatives exploited the latency in blockchain scoring systems (which at the time took approximately one hour to flag illicit addresses) to complete withdrawals within minutes. ZachXBT and researcher Taylor Monahan (tayvano) documented that more than $8 million from the combined CoinsPaid, Atomic Wallet, and Harmony hack proceeds were batched and moved from Ethereum to Avalanche and then to Bitcoin in the days following the July 22 attack. Small amounts were also moved to the Yobit exchange.","heading":"Fund Laundering Chain — SwftSwap, Sinbad, and Avalanche Bridge","severity":"critical","sources":[{"credibility":2,"name":"lazarus-bluenoroff-research: alphapo_coinspaid.md — GitHub (tayvano/ZachXBT)","type":"research","url":"https://github.com/tayvano/lazarus-bluenoroff-research/blob/main/hacks-and-thefts/alphapo_coinspaid.md"},{"credibility":2,"name":"What We Know About Sinbad – the Mixer Sanctioned by OFAC — TRM Labs","type":"research","url":"https://www.trmlabs.com/resources/blog/us-treasury-sanctions-north-koreas-preferred-mixer-sinbad"},{"credibility":2,"name":"The Lazarus Hack of CoinsPaid: How Attackers Stole and Laundered $37M USD","type":"news_article","url":"https://www.einpresswire.com/article/649035247/the-lazarus-hack-of-coinspaid-how-attackers-stole-and-laundered-37m-usd"},{"credibility":2,"name":"U.S. Sanctions Crypto Mixer Sinbad.io for Role in North Korean Laundering — Chainalysis","type":"research","url":"https://www.chainalysis.com/blog/crypto-mixer-sinbad-sactioned-north-korean-laundering/"},{"credibility":2,"name":"Is Blockchain Scoring Enough to Stop Money Laundering? — BeInCrypto","type":"news_article","url":"https://beincrypto.com/blockchain-scoring-inadequate-stop-money-laundering/"}]},{"content":"On January 5, 2024, CoinsPaid suffered a second security breach, losing approximately $7.5 million in cryptocurrency assets. On-chain investigator ZachXBT was among the first to publicly flag the suspicious activity, identifying approximately $6.1 million in anomalous outflows from CoinsPaid hot wallets roughly 17 hours before issuing a public alert. Blockchain security firm Cyvers subsequently identified additional unauthorized transactions involving BNB, bringing the total to approximately $7.5 million. Specific assets stolen included 4.5 million USDT, 500 ETH, 106,000 USDC, 924,000 BSC-USD, 268.5 BNB, and 97 million CPD (CoinsPaid's native token). The attackers converted stolen assets to ETH and moved funds through the exchanges MEXC, ChangeNow, and WhiteBit. Cyvers attributed the root cause to inadequate wallet access controls and noted it had previously alerted CoinsPaid to related vulnerabilities in July 2023. Cyvers assessed the Lazarus Group as the likely perpetrator, though official attribution was not confirmed at the time of reporting. The breach occurred approximately six months after the first attack, representing the second consecutive major security failure on the platform.","heading":"January 2024 Second Breach — $7.5 Million","severity":"critical","sources":[{"credibility":2,"name":"CoinsPaid Hacked Again: $7.5 Million in Crypto Lost — BeInCrypto","type":"news_article","url":"https://beincrypto.com/coinspaid-hacked-lazarus-group/"},{"credibility":2,"name":"CoinsPaid hit by USD 7.5 million cryptocurrency breach — The Paypers","type":"news_article","url":"https://thepaypers.com/crypto-web3-and-cbdc/news/coinspaid-hit-by-usd-75-million-cryptocurrency-breach"},{"credibility":2,"name":"ZachXBT detects outflows of $6.1 million from CoinsPaid — CoinPaper","type":"news_article","url":"https://coinpaper.com/2982/coinspaid-may-be-hacked-again-losing-over-6-million"},{"credibility":2,"name":"CoinsPaid Faces Second Security Breach in Six Months — CryptoNews","type":"news_article","url":"https://cryptonews.com/news/coinspaid-faces-second-security-breach-in-six-months/"},{"credibility":2,"name":"North Korean Hackers Linked to $7.5M Crypto Gateway Breach — BanklessTimes","type":"news_article","url":"https://www.banklesstimes.com/news/2024/01/08/north-korean-hackers-linked-to-dollar75m-crypto-gateway-breach/"}]},{"content":"Blockchain analytics firm Match Systems published a report in early January 2024 asserting that the attacker who drained approximately $81.5 million from the Orbit Bridge may also have been responsible for the 2023 hacks of Atomic Wallet, CoinsPaid, CoinEx, and other services, on the basis of shared tooling, transaction patterns, and behavioral indicators consistent with Lazarus Group methodology. ZachXBT separately identified on-chain evidence that funds stolen from CoinEx (hacked September 12, 2023, $31 million) were sent to the same addresses storing proceeds from the Stake.com hack, reinforcing the attribution of all these attacks to a single threat actor. CoinsPaid's consecutive victimization thus places it within a documented pattern of Lazarus Group targeting of centralized crypto infrastructure — a campaign that in 2023 alone is estimated by the FBI and blockchain analytics firms to have netted the DPRK over $240 million from Atomic Wallet, CoinsPaid, Alphapo, and Stake.com combined.","heading":"Broader Lazarus Pattern and Orbit Chain Connection","severity":"high","sources":[{"credibility":2,"name":"Orbit hacker may have also performed CoinsPaid, CoinEx hacks — CoinTelegraph","type":"news_article","url":"https://cointelegraph.com/news/orbit-hacker-may-have-also-performed-coinspaid-coinex-hacks-onchain-experts"},{"credibility":2,"name":"North Korea's Lazarus Group Suspected in $31 Million CoinEx Heist — The Hacker News","type":"news_article","url":"https://thehackernews.com/2023/09/north-koreas-lazarus-group-suspected-in.html"},{"credibility":1,"name":"FBI Identifies Lazarus Group Cyber Actors as Responsible for Theft of $41 Million from Stake.com","type":"regulatory","url":"https://www.fbi.gov/news/press-releases/fbi-identifies-lazarus-group-cyber-actors-as-responsible-for-theft-of-41-million-from-stakecom"}]},{"content":"Following the July 2023 hack, CoinsPaid publicly disclosed its investigation findings in detail, including the full attack timeline and laundering chain — an unusual level of transparency for a centralized service. The company filed a police report with Estonian authorities on July 25, 2023, and stated it would cooperate with law enforcement. Operations resumed within approximately two days, and transaction volume reached 80% of pre-hack levels within roughly one week. CoinsPaid stated explicitly that no customer funds were lost and that all client balances remained intact. The company subsequently engaged undisclosed global cybersecurity agencies and conducted internal audits at all levels. Its Estonian CASP license was renewed in September 2023 after a reported 15-month regulatory review, suggesting ongoing regulator engagement. Despite these measures, CoinsPaid was breached again in January 2024. Cyvers analysts noted that their firm had flagged vulnerabilities to CoinsPaid prior to both incidents, and attributed the second breach to persistent inadequate wallet access controls, indicating the company had not fully remediated security weaknesses identified after the first attack.","heading":"Company Response and Security Posture","severity":"high","sources":[{"credibility":2,"name":"CoinsPaid resumes operations — official update","type":"official","url":"https://coinspaid.com/company-updates/coinspaid-is-back-to-processing-after-being-hit-by-hackers-attack/"},{"credibility":2,"name":"Post-Hack Update: Our Volumes Are 80% Restored — CoinsPaid","type":"official","url":"https://coinspaid.com/company-updates/post-hack-update-our-volumes-are-80-restored/"},{"credibility":2,"name":"Crypto Payments Platform CoinsPaid Exploited for $7.5M, Second Breach in Six Months — CoinMarketCap","type":"news_article","url":"https://coinmarketcap.com/academy/article/crypto-payments-platform-coinspaid-exploited-for-dollar75m-second-breach-in-six-months"}]}],"sources_used":[],"summary":"CoinsPaid is an Estonia-based cryptocurrency payment processor founded by Max Krupyshev that was targeted in two major security breaches: a $37.3 million hack in July 2023 attributed by the company and the FBI to North Korea's Lazarus Group (achieved via a sophisticated social engineering campaign using fake job offers), and a second breach in January 2024 resulting in approximately $7.5 million in losses. Despite the company's stated transparency and rapid operational recovery, the consecutive incidents raise significant concerns about its security posture and its status as a repeated high-value target for state-sponsored threat actors.","timeline":[{"date":"2023-03-01","event":"Lazarus Group begins reconnaissance campaign against CoinsPaid, including DDoS and brute-force probing and social engineering attempts posing as Ukrainian crypto startup representatives.","source":"CoinsPaid official hack explanation / Match Systems investigation","source_url":"https://coinspaid.com/company-updates/the-coinspaid-hack-explained/"},{"date":"2023-06-01","event":"Lazarus operatives begin impersonating cryptocurrency company recruiters on LinkedIn and messaging apps, offering CoinsPaid employees salaries of $16,000–$24,000/month.","source":"CoinsPaid official hack explanation","source_url":"https://coinspaid.com/company-updates/the-coinspaid-hack-explained/"},{"date":"2023-07-07","event":"Coordinated DDoS attack using over 150,000 IP addresses launched against CoinsPaid infrastructure, likely as cover or distraction for the infiltration campaign.","source":"lazarus-bluenoroff-research GitHub (tayvano/ZachXBT)","source_url":"https://github.com/tayvano/lazarus-bluenoroff-research/blob/main/hacks-and-thefts/alphapo_coinspaid.md"},{"date":"2023-07-22","event":"CoinsPaid hot wallets drained of approximately $37.3 million via authorized withdrawal requests generated after a CoinsPaid employee installed malware disguised as a legitimate job-application technical task (leveraging a compromised JumpCloud Agent). Alphapo also hacked on the same date for approximately $60 million.","source":"Bloomberg / FBI / CoinsPaid official disclosure","source_url":"https://www.bloomberg.com/news/articles/2023-08-07/fake-job-offer-opened-door-to-suspected-north-korean-crypto-hack"},{"date":"2023-07-25","event":"CoinsPaid files official incident report with Estonian law enforcement.","source":"CoinsPaid official update","source_url":"https://coinspaid.com/company-updates/hack-details-revealed-immediate-reaction-of-coinspaid/"},{"date":"2023-07-26","event":"CoinsPaid publishes public report attributing the hack to Lazarus Group based on internal investigation in collaboration with Match Systems.","source":"The Block","source_url":"https://www.theblock.co/post/241607/lazarus-group-suspected-by-coinspaid-of-37-million-hack"},{"date":"2023-07-29","event":"CoinsPaid resumes payment processing operations; states no customer funds were affected.","source":"CryptoTimes","source_url":"https://www.cryptotimes.io/2023/07/29/coinspaid-resume-operations-post-hacker-attack-funds-secure/"},{"date":"2023-08-23","event":"FBI issues warning that North Korean hackers — identified as responsible for the CoinsPaid, Alphapo, Atomic Wallet, and Stake.com hacks — are preparing to liquidate proceeds.","source":"TechCrunch / FBI","source_url":"https://techcrunch.com/2023/08/23/fbi-north-korea-lazarus-crypto/"},{"date":"2023-09-01","event":"CoinsPaid's Estonian CASP license (FVT000166) renewed after 15 months of regulatory scrutiny.","source":"CoinsPaid / Fintelegram","source_url":"https://fintelegram.com/coinspaid-crypto-payment-processor-investor-briefing/"},{"date":"2023-11-29","event":"U.S. Treasury OFAC sanctions Sinbad.io cryptocurrency mixer, citing its role in laundering proceeds from the CoinsPaid and other Lazarus Group hacks. FBI, Dutch, and Finnish police simultaneously seize the Sinbad website.","source":"U.S. Treasury / CoinDesk","source_url":"https://home.treasury.gov/news/press-releases/jy1933"},{"date":"2024-01-05","event":"CoinsPaid suffers a second hack, losing approximately $7.5 million across USDT, ETH, USDC, BNB, and CPD tokens. Funds subsequently routed through MEXC, ChangeNow, and WhiteBit.","source":"BeInCrypto / CryptoNews","source_url":"https://beincrypto.com/coinspaid-hacked-lazarus-group/"},{"date":"2024-01-06","event":"ZachXBT publicly flags approximately $6.1 million in suspicious outflows from CoinsPaid hot wallets; blockchain security firm Cyvers independently confirms broader losses totaling $7.5 million and attributes root cause to inadequate wallet access controls.","source":"CoinPaper","source_url":"https://coinpaper.com/2982/coinspaid-may-be-hacked-again-losing-over-6-million"},{"date":"2024-01-08","event":"Match Systems publishes analysis asserting potential link between the CoinsPaid second breach, the Orbit Bridge hack ($81.5 million), and prior Lazarus Group operations based on shared on-chain patterns.","source":"CoinTelegraph","source_url":"https://cointelegraph.com/news/orbit-hacker-may-have-also-performed-coinspaid-coinex-hacks-onchain-experts"}]},"v":1}