On June 22, 2024, at approximately 18:00 UTC, our team at CoinStats detected abnormal activity related to transfers involving the third-party supported, non-custodial CoinStats Wallet. In response to this event, we immediately took down the entire platform to initiate a thorough investigation and contacted the third-party wallet service provider to take any appropriate measures. At around 23:00 UTC we were able to identify and share the list of the affected wallets.
Upon further investigation, we discovered unauthorized access to parts of our infrastructure and third-party service providers, including HashiCorp Vault located in our infrastructure, which secured CoinStats Wallet 2FA keys (PINs) and a third-party wallet-as-a-service provider's APIs. Despite security protocols in place that segregated access controls and maintained any private keys outside of the control of CoinStats, through a combination of unauthorized intrusions across multiple services – including outside of CoinStats – the sophisticated (and we believe nation-state affiliated) attacker managed to access private keys of exactly 1590 CoinStats Wallets, resulting in the theft of approximately $2.2 million worth of cryptocurrency. The investigation into the full extent of the breach is ongoing.
In response to this breach, we promptly took the following actions:
Through collaboration with law enforcement and security researchers, we gathered enough evidence to confidently attribute the attack to the Lazarus Group or a related organization with a nation-state level of sophistication and resources.
No Connected Wallets or Exchanges Have Been Affected
We want to assure you that the funds in wallets and exchange accounts connected to CoinStats for portfolio tracking purposes, such as MetaMask, Phantom, or Binance, have not been affected by this incident. Since these accounts are not imported via private keys, your portfolio tracking remains secure. We only request read-only access for portfolio tracking, ensuring that there is no way your funds could have been affected.
Now CoinStats is Fully Operational
We completely rebuilt our production environment, ensuring no parts of the old infrastructure were used to guarantee the integrity of the new setup. As of July 3, 2024, all functionalities on CoinStats have been fully restored and are now fully operational.
Our current findings indicate the attacker's primary objective was to steal funds. Through ongoing investigation across our infrastructure, email phishing monitoring, and dark web monitoring, we have currently discovered no evidence of user data being stolen. However, as a precaution, we advise all users to remain vigilant against potential email phishing attacks and to report to us if they receive any suspicious email at a CoinStats-related email address that has not been leaked in any data breach.
As an additional precaution, we are also enforcing the following measures which affect the existing users:
The Highest Degree of Transparency
We are committed to maintaining the highest degree of transparency throughout this process. We will provide regular updates on our investigation and the measures we are taking to enhance security further. Our goal is to keep you fully informed and to rebuild your trust in CoinStats.
Support for Affected Users
We are profoundly sorry for the distress this attack has caused to our users. We deeply sympathize with the victims and are actively exploring ways to support them during this difficult time. This situation has been challenging for us as a company, but we remain positive and committed to making things right. As a first step, we have created a form to identify affected users and cross-check with our records.
If your wallet is on the list of affected wallets, please make sure to submit the form before August 15, 2024, 00:00 UTC to be eligible for any future support from the CoinStats team. Please note that some fields may be optional depending on your estimated amount of loss.
We appreciate your understanding and patience as we navigate through this challenging situation. We ask for your continued trust and support, which are essential for us to overcome these challenging times. Your faith in us will help us maintain our position as the best portfolio tracker and enable us to provide the necessary support to the victims of this attack.