CoinStats, a popular cryptocurrency portfolio management app with 1.5 million users, has suffered a significant security breach affecting 1,590 cryptocurrency wallets. The attack is suspected to have been carried out by North Korean threat actors.
CoinStats allows users to manage their cryptocurrency investments, providing real-time data, news aggregation, custom alerts, and the ability to create CoinStats wallets hosted by the platform. Users who only granted read-only access to external crypto wallets for portfolio management purposes were not affected by the breach.
In an announcement on X yesterday, CoinStats notified users of the cyberattack, which compromised 1,590, or 1.3%, of all hosted wallets on the platform. While the company shared a list of impacted wallets in a spreadsheet, some users reported funds being stolen from wallets not included on this list, suggesting the incident's scope may be broader than initially confirmed.
Users whose wallet addresses appear on the list and still contain funds are advised to transfer them immediately to an external wallet for security.
CoinStats' website and app are currently unavailable as the company investigates and mitigates the attack. The breach did not affect users' connected wallets and centralized exchanges, so it remains safe for users to continue using those services.
CoinStats' CEO indicated on X that there is substantial evidence pointing to North Korean hackers as the perpetrators, citing a CISA document about the Lazarus hacking group. The Lazarus Group is known for conducting large-scale cryptocurrency heists, targeting various cryptocurrency platforms over the years.
Recorded Future estimated in late 2023 that North Korean state-backed hackers from the Lazarus Group had stolen approximately $3 billion worth of cryptocurrency since January 2017, averaging around $500 million per year.
Following the breach, scammers have begun exploiting the situation by promoting fake refund programs in response to CoinStats' announcement on X. These scammers use unverified accounts with similar names, such as '@CoinStals', and attempt to lure users into visiting cloned websites that request wallet connections under the guise of refunds. These sites are designed to drain users' assets.
At present, CoinStats has not announced an official refund program. Therefore, all claims related to refunds should be considered fraudulent and ignored to avoid further financial losses.
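A defender-side check for the impersonation pattern described above, as an added example that is not from CoinStats or the original article: it flags handles that sit within a small edit distance of the official name after folding look-alike characters. The official handle is assumed to be the company name as written on the page; the confusable map, the distance threshold and the function names are assumptions made for illustration.

```python
# Added example: flag social handles that imitate an official one.
import unicodedata

OFFICIAL = "CoinStats"  # assumed official handle (company name from the page)

# Constructed map of characters commonly swapped for look-alikes.
CONFUSABLE = str.maketrans({"1": "l", "i": "l", "0": "o", "5": "s", "_": None})


def skeleton(handle: str) -> str:
    """Strip '@', fold Unicode compatibility forms, lower-case, fold look-alikes."""
    folded = unicodedata.normalize("NFKC", handle).lstrip("@").lower()
    return folded.translate(CONFUSABLE)


def edit_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert, delete, substitute, or
    swap two adjacent characters, each at cost 1."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            d = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost)
            # Adjacent transposition, e.g. "ts" typed as "st".
            if prev2 is not None and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                d = min(d, prev2[j - 2] + 1)
            cur.append(d)
        prev2, prev = prev, cur
    return prev[-1]


def classify(handle: str, official: str = OFFICIAL, max_distance: int = 2) -> str:
    """Return 'official', 'lookalike' or 'unrelated' for a handle."""
    # Handles are compared case-insensitively; an exact match is the real name.
    if handle.lstrip("@").lower() == official.lower():
        return "official"
    # Anything else that collapses to (nearly) the same skeleton is suspicious.
    if edit_distance(skeleton(handle), skeleton(official)) <= max_distance:
        return "lookalike"
    return "unrelated"


if __name__ == "__main__":
    # '@CoinStals' is the handle cited in the article; the rest are constructed.
    for h in ["@CoinStats", "@CoinStals", "@C0inStats", "@crypto_news_daily"]:
        print(h, classify(h))
```

A name match is only a first filter: a handle classified as official should still be confirmed against the account linked from the company's own website before any wallet is connected.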
The investigation into the CoinStats breach is ongoing, with the company focused on restoring service and enhancing security measures to prevent future incidents.