Azoundria: Created page with "{{Imported Case Study With About|source=https://www.quadrigainitiative.com/casestudy/coinstatsawscompromisewalletsdrained.php}} {{Unattributed Sources}} CoinStats Application Logo/HomepageCoinStats provides a suite of utilities to assist with managing and tracking portfolio positions. On June 22nd, users started getting strange push notifications attempting to scam them, before wallets which were created through the application were drain..."

2024-09-18T21:01:51Z

Created page with "{{Imported Case Study With About|source=https://www.quadrigainitiative.com/casestudy/coinstatsawscompromisewalletsdrained.php}} {{Unattributed Sources}} thumb|CoinStats Application Logo/HomepageCoinStats provides a suite of utilities to assist with managing and tracking portfolio positions. On June 22nd, users started getting strange push notifications attempting to scam them, before wallets which were created through the application were drain..."

New page

{{Imported Case Study With About|source=https://www.quadrigainitiative.com/casestudy/coinstatsawscompromisewalletsdrained.php}}
{{Unattributed Sources}}

[[File:Coinstatsapp.jpg|thumb|CoinStats Application Logo/Homepage]]CoinStats provides a suite of utilities to assist with managing and tracking portfolio positions. On June 22nd, users started getting strange push notifications attempting to scam them, before wallets which were created through the application were drained. Only 1% of users created their wallets through the application itself, but in those cases, there were devastating losses. The protocol is still figuring out a recovery strategy for affected users.<ref name="slowmisthackedarchive-14420" /><ref name="coinstatstwitter-14445" /><ref name="narekgevorgyantwitter-14446" /><ref name="narekgevorgyantwitter-14447" /><ref name="coinstatsapp-14448" /><ref name="x-14449" /><ref name="x-14450" /><ref name="x-14451" /><ref name="x-14452" /><ref name="x-14453" /><ref name="x-14454" /><ref name="unnamed-15101" />

== About CoinStats ==
"Manage All Your Wallets & Exchanges From One Place Connect your entire portfolio to track, buy, swap, and stake your assets."

== The Reality ==
This sections is included if a case involved deception or information that was unknown at the time. Examples include:

* When the service was actually started (if different than the "official story").
* Who actually ran a service and their own personal history.
* How the service was structured behind the scenes. (For example, there was no "trading bot".)
* Details of what audits reported and how vulnerabilities were missed during auditing.

== What Happened ==
The specific events of the loss and how it came about. What actually happened to cause the loss and some of the events leading up to it.
{| class="wikitable"
|+Key Event Timeline - CoinStats AWS Compromise Wallets Drained
!Date
!Event
!Description
|-
|June 22nd, 2024 12:17:00 PM MDT
|Notes About Scam
|CoinStats publishes an update reporting that many users are receiving a scam message from CoinStats. According to comments, this should only be possible with the API key for push notifications.
|-
|June 22nd, 2024 1:56:00 PM MDT
|Issues With Wallets
|CoinStats notes that they "are currently experiencing a security incident affecting wallets created directly within CoinStats; this does not impact externally connected wallets". The text "If you have your private key exported, move your funds ASAP." is added a minute later.
|-
|June 22nd, 2024 3:53:00 PM MDT
|CoinStats Tweets Update
|The CoinStats team tweets an update for users to notify that they have sucpended user activities temporarily due to the attack. They provided a list of affected wallets.
|-
|June 24th, 2024 7:41:00 AM MDT
|Mostly Back Online
|The CoinStats team provides an update to indicate that the application is mostly back online and they are still working on restoring the remaining functionality. They plan to release an announcement with all details of the incident.
|-
|June 25th, 2024 7:17:00 AM MDT
|Wallets Draining Still
|CoinStats reports that "there are still accounts that are being drained from the breached private keys". "If your CoinStats Wallet address is on the previously published list and you have access to the private key, please move any remaining funds immediately."
|-
|June 25th, 2024 11:53:00 PM MDT
|Private Key Export
|CoinStats releases a guide for any users who still have funds to be able to empty their wallets into another wallet.
|-
|June 26th, 2024 2:01:00 AM MDT
|Narek Update Posted
|Narek Gevorgyan, the CEO of CoinStats, shares an update which highlights that their AWS infrastructure was hacked through a likely social engineering attack on one of their developers. They are waiting for details from law enforcement before publishing the more detailed post-mortem.
|-
|June 27th, 2024 3:00:00 AM MDT
|List Of Wallet Addresses
|A list of EVM wallet addresses where funds have been moved is provided by Narek. He requests assistance to track the funds.
|}

== Technical Details ==
"Our AWS infrastructure was hacked, with strong evidence suggesting it was done through one of our employees who was socially engineered into downloading malicious software onto his work computer."

== Total Amount Lost ==
The total amount lost has been estimated at $2,000,000 USD.

How much was lost and how was it calculated? If there are conflicting reports, which are accurate and where does the discrepancy lie?

== Immediate Reactions ==
"Cryptocurrency portfolio management company CoinStats temporarily suspended user activities after 1,590 crypto wallets were affected by a security incident. CoinStats stated, "The attack has been mitigated, and we have temporarily shut down the application to isolate the security incident. None of the connected wallets and CEXes were impacted. Thanks to the immediate incident reponse from the CoinStats team, only 1.3% of all CoinStats Wallets were affected, totaling 1,590 wallets. The list might change as the investigation is ongoing but we don’t expect significant changes.""

== Ultimate Outcome ==
"The attack has been mitigated, and we have temporarily shut down the application to isolate the security incident.

1. None of the connected wallets and CEXes were impacted.

2. Thanks to the immediate incident reponse from the CoinStats team, only 1.3% of all CoinStats Wallets were affected, totaling 1,590 wallets. The list might change as the investigation is ongoing but we don’t expect significant changes.

3. If your wallet address is in this affected list, please move your funds immediately using your exported private key (if you have exported previously): https://docs.google.com/spreadsheets/d/1Lwxpy2T6W7aptjBJUio0Z01zihsqknXn6KPhzawQLVI/

4. We are actively investigating the extent of funds moved and will provide updates as soon as they become available.

We're actively working to bring the app back online as quickly as possible. Thank you for your patience."

"Seeing all this happen to something you've worked hard on for 6 years is tough, especially since it occurred because of a secondary feature. The CoinStats Wallet, used by no more than 1% of all our users, was certainly not the reason people loved our product.

I empathize with those who lost money; I'm sure their situation is just as difficult. CoinStats will definitely support the victims of the hack, and we've been discussing options internally."

== Total Amount Recovered ==
There do not appear to have been any funds recovered in this case.

What funds were recovered? What funds were reimbursed for those affected users?

== Ongoing Developments ==
"Thank you for your update and for your continued dedication to CoinStats over the past six years. I understand how challenging it must be to see such hard work impacted by this unfortunate incident.

The success and trust in our industry rely on companies like CoinStats taking full accountability for their actions. This includes making sure those affected by the recent hack are adequately compensated. It is vital for the integrity of our ecosystem that those harmed, including our founder BLURR.ETH who lost $8.7 million due to this breach, are made whole.

We appreciate your commitment to supporting the victims and look forward to a detailed update on how CoinStats plans to address these losses and enhance security measures to prevent future occurrences."

"I wanted to share the list of the EVM wallets where significant portion of the stolen funds are sitting currently. (Totaling around $1.8-1.9m)

We would appreciate any help to monitor / track sources of those wallets in order to be able to recover any amount of funds.

0xe25ca22d0b0820295953f57e53da9b96c32b9237
0xbb84aca7e688eb0841f20dbe0b3e906a5b94c02d
0x10f3b2e121653564bad2bc75e86fa007d1038553
0x74cc3109e2646336e55dd3c4328e02b5cbecc589
0x89215b0f53b902fb580c4b177e4220230293522d
0xb33eff60375b29c6fc8d9da3bd89a65934a08eb9
0x00b03fe97b4d7b1f8948b68d0065344d37aad193
0x0e249592fc5ea4d7fb590bf5ecfa92757572609a
0x92106823b4b64c5a21df02676bd39fd53f3ed753
0x0340f1b9a75a38e487687ee7c41052a70c7224a9
0x45ba1562b7a4d7a3fa5150bdf0107299f35f0b97
0x99c6518a994ce44f110a081e9e17f334828fbac0
0x580c1f75a732555be26d83938a8a1ed51768aa4a
0x6b42900261f7729583cb81e294a58267eff3c5b7
0x0e70fd0271b41ca77a2efdcb07ab178602122d8c
0x12b0128fb5cf9ca6a6a4370b0e567c6c35c575c7
0x48a9dbbca590d3269db882f30db59c72f8f6fd4b
0x8186e7cd489dcda68875ff06df48a40624c8ca7c
0x42e4e114bbde931b2de5c5cdb1b1c0ca783f24fa
0x19ff1c100323b52611ada86a2a576615a283b150
0x5bcfd99c34cf7e06fc756f6f5ae7400504852bc4
0xb0621ece074216f57f4105b8a60c2eb6c3556ce9
0xadfb847b23297b396177e4f6aa0961216311d723
0xF20B76317FaAEA4DEaDdB170Ef692dd9C606707c
0xfd03F78Fc2EaD3814abc9Dc6B7f357415FbBE11D
0x19a1ce39b06480063fb2d76f160b294239b0f725
0xd83611dc27fe606d85e4fde4aa308c84b71d0604"
== Individual Prevention Policies ==
{{Prevention:Individuals:Placeholder}}

{{Prevention:Individuals:End}}

== Platform Prevention Policies ==
{{Prevention:Platforms:Placeholder}}

{{Prevention:Platforms:End}}

== Regulatory Prevention Policies ==
{{Prevention:Regulators:Placeholder}}

{{Prevention:Regulators:End}}

== References ==
<references><ref name="slowmisthackedarchive-14420">[https://web.archive.org/web/20240624184511/https://hacked.slowmist.io/ SlowMist Hacked - SlowMist Zone] (Accessed Jun 25, 2024)</ref>

<ref name="coinstatstwitter-14445">[https://twitter.com/CoinStats/status/1804633869372559788 @CoinStats Twitter] (Accessed Jun 27, 2024)</ref>

<ref name="narekgevorgyantwitter-14446">[https://twitter.com/narek_gevorgyan/status/1805873896836440411 @narek_gevorgyan Twitter] (Accessed Jun 27, 2024)</ref>

<ref name="narekgevorgyantwitter-14447">[https://twitter.com/narek_gevorgyan/status/1806251229716107635 @narek_gevorgyan Twitter] (Accessed Jun 27, 2024)</ref>

<ref name="coinstatsapp-14448">[https://coinstats.app/p/RuAh3x8pukA9hI3 Cryptocurrency Portfolio Tracker and Research | CoinStats] (Accessed Jun 27, 2024)</ref>

<ref name="x-14449">[https://x.com/CoinStats/status/1804579591698120760 x.com] (Accessed Jun 27, 2024)</ref>

<ref name="x-14450">[https://x.com/CoinStats/status/1804604741197893739 x.com] (Accessed Jun 27, 2024)</ref>

<ref name="x-14451">[https://x.com/CoinStats/status/1805591157063254147 x.com] (Accessed Jun 27, 2024)</ref>

<ref name="x-14452">[https://x.com/CoinStats/status/1805313040377954712 x.com] (Accessed Jun 27, 2024)</ref>

<ref name="x-14453">[https://x.com/CoinStats/status/1805841850483269634 x.com] (Accessed Jun 27, 2024)</ref>

<ref name="x-14454">[https://x.com/CoinStats/status/1805234803265974382 x.com] (Accessed Jun 27, 2024)</ref>

<ref name="unnamed-15101">[https://coinstats.app/ Crypto Tracker Trusted by 1 Million People Worldwide] (Accessed Aug 26, 2024)</ref></references>

CoinStats AWS Compromise Wallets Drained - Revision history