CoinsPaid Likely New Victim In A Series Of Hacks By The Lazarus Group

In a series of mysterious hacking attacks targeting cryptocurrency payment processors and service providers, CoinsPaid may have become the latest victim in what appears to be an elaborate scheme orchestrated by the notorious North Korean hackers, the Lazarus Group. 

The attack on CoinsPaid comes in the wake of recent breaches on AlphaPo and Atomic Wallet. Our investigations reveal significant connections between the three incidents, indicating the involvement of potentially the same bad actors. This conclusion is supported by on-chain data evidence and the fact that two of the attacks were orchestrated at approximately the same time. 

What is CoinsPaid?

A cryptocurrency payment processing gateway and wallet provider for businesses. The company services more than 800 merchant accounts. CoinsPaid earned the Payment Provider of the Year 2021. Their offerings include exchange services, an OTC desk for large-scale transactions and customizable crypto payment systems.

A number of CoinsPaid customers are online casino platforms that accept cryptocurrency, including 1xBit, Bitcasino, Cloudbet, Sportsbet.io and Winz.io. 

Reports reveal that some customers are impacted and CoinsPaid’s team is aware.

Twitter: CoinsPaid team acknowledging the incident and the delays customers are facing.

Our Investigation

On July 22, 2023, the cryptocurrency community was stunned as Alphapo fell victim to an illicit attack, draining more than 100 million dollars worth of crypto from hot wallets.

Using QLUETM by Blockchain Intelligence Group, our team delved into the matter to identify and flag the addresses belonging to the hackers. The investigation revealed connections to the culprit behind the recent hack on Atomic Wallet, the Lazarus Group.

Digging deeper, we discovered that a hot wallet belonging to CoinsPaid was drained of its funds. $29,688,313 were stolen and transferred to multiple intermediary addresses and later deposited into two different addresses, one with a direct connection to the Atomic Wallet hack and the other with the attack on Alphapo. 

One address belonging to CoinsPaid hackers transferred 20,885,366.1 TRX (US $1,765,654) to an address used by the Atomic Wallet hackers. The same address in addition to another one transferred 2,083,679 TRX (US $170,659) to an address used by Alphapo hackers.

QLUETM graph analysis of the funds stolen from CoinsPaid and mixed with the proceeds from Atomic Wallet and Alphapo hacks

While the culprit’s identity remains a mystery, all leads point at the Lazarus Group as very likely the perpetrators behind all 3 attacks on Atomic Wallet, Alphapo and CoinsPaid.

By utilizing our blockchain analytics tool, QLUE™, we were able to identify a pattern in the attack that bears a striking resemblance to the tactics previously employed by the Lazarus Group in previous incidents.

One of the most compelling pieces of evidence we uncovered was the use of a specific mixer in the attack on Alphapo. The mixing service utilized by the perpetrators is known as the “Sinbad” mixing service, which has been utilized by the Lazarus Group in their previous operations. 

QLUETM cross-chain graph displays the intersection between all 3 incidents

The similarities between the attack on CoinsPaid and those on AlphaPo and Atomic Wallet are particularly noteworthy. All three incidents involved the draining of significant amounts of cryptocurrency from hot wallets, suggesting a high level of sophistication and coordination among the perpetrators. Moreover, both the attack on Alphapo and CoinsPaid occurred at approximately the same time, further supporting the hypothesis that they are the work of the same threat actors.

Transparency and swift action are crucial in such situations to protect customer assets and the wider cryptocurrency community from further harm. The crypto community continues to anticipate an explanation from CoinsPaid as to why there has been a delay in elaborating on the incident.

The investigation is still in its early phase, and we are actively tracing the movement of stolen funds. We’ll continue to monitor for any additional clues on the perpetrators and the destination of the stolen funds.

Learn more about how QLUE™ helped unravel the details of the CoinsPaid hack and use it today to investigate your most sophisticated cases.

Written By: Omar Marzouk
Writer, Content marketing at Blockchain Intelligence Group


  • Solutions
  • Training
  • Resources
  • Support