Social Engineering Enabled $37 Million Theft From Crypto Firm CoinsPaid


Social engineering enabled the July 22 hacker attack and theft of $37 million from crypto payments provider CoinsPaid.

The hackers gained access to an employee’s computer by contacting them with what turned out to be a fake job offer, taking them through an interview process and tricking them into installing a program on their computer, CoinsPaid said in a Monday (Aug. 7) update on its website.

“Although you may think that such an attempt to install malicious software on the employee’s computer is obvious, the hackers had spent six months learning all possible details about CoinsPaid, our team members, our company’s structure and so on,” CoinsPaid said in the update.

Beginning in March, the company was targeted with many unsuccessful attacks, including social engineering, distributed denial of service (DDoS), brute force and other forms of cyberattacks, according to the update.

After six months of failed attacks, the hacker group succeeded with a social engineering attack: they told the CoinsPaid team member who had responded to the fake job offer to install an application in order to take a test, the update said.

This application enabled the theft of profiles and keys from the computer, which allowed the hackers to gain access to the company’s infrastructure, per the update.

PYMNTS research has found that social engineering scams — which rely on tricking individuals with fraudulent interactions that appear legitimate — are difficult to combat.

Criminals use fake websites, phishing emails, malware-infected ads and a range of other online tools to gain and then exploit a victim’s trust, according to the “Digital Fraud Tracker®,” a PYMNTS and DataVisor collaboration.

Having determined the origins of the hack it suffered, CoinsPaid is now planning a roundtable event in which blockchain-related companies can discuss the challenges and minimize the impact of hacking incidents, according to the update.

“This is an important step towards creating a more secure and resilient blockchain ecosystem,” CoinsPaid said in the update. “We invite all blockchain industry leaders, cybersecurity companies, those affected by hacks and all related parties to participate in this discussion and help us start the change.”