Incident Overview
On June 22, 2024, at approximately 18:00 UTC, our team at CoinStats detected abnormal activity related to transfers involving the third-party supported, non-custodial CoinStats Wallet. In response, we immediately took down the entire platform to begin a thorough investigation and contacted the third-party wallet service provider so that it could take appropriate measures. At around 23:00 UTC, we were able to identify and share the list of affected wallets.
Incident Details
Upon further investigation, we discovered unauthorized access to parts of our infrastructure and to third-party service providers, including the HashiCorp Vault instance located in our infrastructure, which secured CoinStats Wallet 2FA keys (PINs) and our access to a third-party wallet-as-a-service provider's APIs. Despite security controls that segregated access and kept all private keys outside of CoinStats' control, through a combination of unauthorized intrusions across multiple services, including some outside of CoinStats, the sophisticated (and, we believe, nation-state affiliated) attacker managed to access the private keys of exactly 1590 CoinStats Wallets, resulting in the theft of approximately $2.2 million worth of cryptocurrency. The investigation into the full extent of the breach is ongoing.
In response to this breach, we promptly took the following actions:
- Engagement of Security Experts: We enlisted the help of leading security researchers through the Security Alliance, including renowned experts such as ZachXBT and Tay (Head of Security at MetaMask), to trace the stolen funds. This effort is still ongoing.
- Law Enforcement Involvement: We reported the security incident to local law enforcement and the FBI.
- Platform Security Measures: To mitigate the attack, we completely rebuilt our production environment, ensuring no part of the old infrastructure was reused, so as to guarantee the integrity of the new setup. We also severed connections to compromised third parties such as AWS by migrating to new accounts.
- Comprehensive Infrastructure Audits: To enhance the security of our new production environment, we have taken additional steps, including hiring top-tier external security experts and conducting comprehensive infrastructure audits. More detailed security updates will be provided as our efforts continue.
Through collaboration with law enforcement and security researchers, we gathered enough evidence to confidently attribute the attack to the Lazarus Group or a related organization with a nation-state level of sophistication and resources.
No Connected Wallets or Exchanges Have Been Affected
We want to assure you that the funds in wallets and exchange accounts connected to CoinStats for portfolio tracking purposes, such as MetaMask, Phantom, or Binance, have not been affected by this incident. Because these accounts are not imported via private keys, your portfolio tracking remains secure. We only request read-only access for portfolio tracking, so there is no way your funds could have been affected.
Now CoinStats is Fully Operational
We completely rebuilt our production environment, ensuring no part of the old infrastructure was reused, to guarantee the integrity of the new setup. As of July 3, 2024, all functionalities on CoinStats have been fully restored and are now fully operational.
Next Steps
Our current findings indicate the attacker's primary objective was to steal funds. Through ongoing investigation across our infrastructure, email phishing monitoring, and dark web monitoring, no evidence has been found so far that user data was stolen. However, as a precaution, we advise all users to remain vigilant against potential email phishing attacks and to report to us if they receive any suspicious email at their CoinStats-related email address, especially if that address has not been exposed in any other data breach.
- Be cautious of emails from unfamiliar or suspicious domains
- Avoid clicking on links or downloading attachments from unsolicited sources
- Be wary of emails claiming to offer token airdrops
As an additional precaution, we are also enforcing the following measures, which affect existing users:
- Mandatory Password Update: We are enforcing a stricter password policy and requiring all users whose passwords do not comply with the new policy to update them.
- Enable 2FA: We advise all CoinStats users to enable 2-factor authentication on their CoinStats accounts.
The Highest Degree of Transparency
We are committed to maintaining the highest degree of transparency throughout this process. We will provide regular updates on our investigation and the measures we are taking to enhance security further. Our goal is to keep you fully informed and to rebuild your trust in CoinStats.
Support for Affected Users
We are profoundly sorry for the distress this attack has caused our users. We deeply sympathize with the victims and are actively exploring ways to support them during this difficult time. This situation has been challenging for us as a company, but we remain positive and committed to making things right. As a first step, we have created a form to identify affected users and cross-check them against our records.
If your wallet is on the list of affected wallets, please make sure to submit the form before August 15, 2024, 00:00 UTC to be eligible for any future support from the CoinStats team. Please note that some fields may be optional depending on your estimated amount of loss.
We appreciate your understanding and patience as we navigate this challenging situation. We ask for your continued trust and support, which are essential for us to overcome these challenging times. Your faith in us will help us maintain our position as the best portfolio tracker and enable us to provide the necessary support to the victims of this attack.
-
Narek Gevorgyan is the founder and CEO of CoinStats, the trusted crypto portfolio manager for 1 million users worldwide. An early adopter of crypto, Narek initially created CoinStats to keep track of his holdings without endless Excel sheets. Since then, under Narek's supervision, CoinStats has flourished into a fully fledged crypto, DeFi, and NFT portfolio manager.