CoinStats AWS Compromise Wallets Drained
CoinStats provides a suite of utilities for managing and tracking portfolio positions. On June 22nd, 2024, users began receiving scam push notifications sent through the CoinStats app, after which wallets that had been created directly within the application were drained. Such wallets were used by no more than 1% of CoinStats users, but those users suffered devastating losses; externally connected wallets and exchange accounts were not affected. CoinStats has said it will support the victims but had not yet announced a recovery plan.[1][2][3][4][5][6][7][8][9][10][11][12]
About CoinStats
"Manage All Your Wallets & Exchanges From One Place Connect your entire portfolio to track, buy, swap, and stake your assets."
What Happened
Date | Event | Description |
---|---|---|
June 22nd, 2024 12:17:00 PM MDT | Notes About Scam | CoinStats publishes an update reporting that many users are receiving a scam message from CoinStats. According to replies, sending such a message should only have been possible with the API key used for push notifications. |
June 22nd, 2024 1:56:00 PM MDT | Issues With Wallets | CoinStats notes that they "are currently experiencing a security incident affecting wallets created directly within CoinStats; this does not impact externally connected wallets". The text "If you have your private key exported, move your funds ASAP." is added a minute later. |
June 22nd, 2024 3:53:00 PM MDT | CoinStats Tweets Update | The CoinStats team tweets an update to notify users that they have suspended user activities temporarily due to the attack. They provided a list of affected wallets. |
June 24th, 2024 7:41:00 AM MDT | Mostly Back Online | The CoinStats team provides an update to indicate that the application is mostly back online and they are still working on restoring the remaining functionality. They plan to release an announcement with all details of the incident. |
June 25th, 2024 7:17:00 AM MDT | Wallets Draining Still | CoinStats reports that "there are still accounts that are being drained from the breached private keys". "If your CoinStats Wallet address is on the previously published list and you have access to the private key, please move any remaining funds immediately." |
June 25th, 2024 11:53:00 PM MDT | Private Key Export | CoinStats releases a guide for any users who still have funds to be able to empty their wallets into another wallet. |
June 26th, 2024 2:01:00 AM MDT | Narek Update Posted | Narek Gevorgyan, the CEO of CoinStats, shares an update which highlights that their AWS infrastructure was hacked through a likely social engineering attack on one of their developers. They are waiting for details from law enforcement before publishing the more detailed post-mortem. |
June 27th, 2024 3:00:00 AM MDT | List Of Wallet Addresses | A list of EVM wallet addresses where funds have been moved is provided by Narek. He requests assistance to track the funds. |
Technical Details
"Our AWS infrastructure was hacked, with strong evidence suggesting it was done through one of our employees who was socially engineered into downloading malicious software onto his work computer."
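The quoted account points at a compromised developer workstation as the entry into AWS; nothing public describes how the stolen access was then used. The following is an added example, not CoinStats code or CoinStats logs: a triage script over constructed CloudTrail-style records that flags the pattern a lifted long-lived access key leaves behind (the same key appearing from a new source address minutes after legitimate use, an unfamiliar client user agent, a burst of secret reads, and a CreateAccessKey call for persistence). The office range, user agents, key ids, ARNs, timestamps and thresholds are all constructed placeholders; only the CloudTrail field names are real.

```python
"""Triage CloudTrail-style records for a developer access key that was lifted
from a compromised workstation and replayed from elsewhere.
All records, addresses, key ids and ARNs are constructed for this example."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone
import ipaddress

# Assumed baseline (constructed): where developer tooling normally connects from
# and which clients it normally uses. In practice this comes from weeks of history.
KNOWN_RANGES = [ipaddress.ip_network("203.0.113.0/24")]   # TEST-NET-3 stands in for office/VPN
KNOWN_AGENTS = ("aws-cli/2.", "aws-sdk-go", "Boto3")

# Calls that hand an attacker secret material or a durable foothold.
SENSITIVE = {
    ("secretsmanager.amazonaws.com", "GetSecretValue"),
    ("kms.amazonaws.com", "Decrypt"),
    ("ssm.amazonaws.com", "GetParameter"),
    ("iam.amazonaws.com", "CreateAccessKey"),
    ("iam.amazonaws.com", "AttachUserPolicy"),
}

BURST_THRESHOLD = 3                       # GetSecretValue calls per key inside BURST_WINDOW
BURST_WINDOW = timedelta(minutes=5)
IP_SWITCH_WINDOW = timedelta(minutes=30)  # same key from a new address this soon is suspicious

DEV_KEY = "AKIAIOSFODNN7EXAMPLE"   # AWS documentation placeholder key id
CI_KEY = "AKIAI44QH8DHBEXAMPLE"    # second documentation placeholder key id

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def _known_ip(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in KNOWN_RANGES)

def _event(time, key, ip, agent, source, name, arn="arn:aws:iam::111122223333:user/dev-alice"):
    """Build a minimal CloudTrail record using the real field names (constructed values)."""
    return {
        "eventTime": time, "eventSource": source, "eventName": name,
        "sourceIPAddress": ip, "userAgent": agent,
        "userIdentity": {"type": "IAMUser", "arn": arn, "accessKeyId": key},
    }

SAMPLE_EVENTS = [
    # Legitimate developer activity from the office range with the usual CLI.
    _event("2024-06-22T16:55:00Z", DEV_KEY, "203.0.113.10", "aws-cli/2.15.0 Python/3.11.4",
           "s3.amazonaws.com", "ListBuckets"),
    # Minutes later the same key appears from an unrelated address with a scripted client,
    # pulls several secrets, then mints a new key so access survives a rotation.
    _event("2024-06-22T17:02:10Z", DEV_KEY, "198.51.100.77", "python-requests/2.31.0",
           "secretsmanager.amazonaws.com", "GetSecretValue"),
    _event("2024-06-22T17:02:40Z", DEV_KEY, "198.51.100.77", "python-requests/2.31.0",
           "secretsmanager.amazonaws.com", "GetSecretValue"),
    _event("2024-06-22T17:03:05Z", DEV_KEY, "198.51.100.77", "python-requests/2.31.0",
           "secretsmanager.amazonaws.com", "GetSecretValue"),
    _event("2024-06-22T17:04:00Z", DEV_KEY, "198.51.100.77", "python-requests/2.31.0",
           "iam.amazonaws.com", "CreateAccessKey"),
    # An unrelated CI key behaving normally; it should produce no findings.
    _event("2024-06-22T17:10:00Z", CI_KEY, "203.0.113.50", "aws-sdk-go/1.50.0",
           "s3.amazonaws.com", "GetObject", arn="arn:aws:iam::111122223333:user/ci-runner"),
]

def analyze(events):
    """Return findings as (rule, accessKeyId, eventTime, detail) tuples."""
    findings = []
    seen = defaultdict(list)          # key -> [(time, ip)] for every use so far
    secret_reads = defaultdict(list)  # key -> times of recent GetSecretValue calls
    for ev in sorted(events, key=lambda e: e["eventTime"]):
        key = ev["userIdentity"]["accessKeyId"]
        t = _ts(ev["eventTime"])
        ip, agent = ev["sourceIPAddress"], ev["userAgent"]
        call = (ev["eventSource"], ev["eventName"])

        if call in SENSITIVE and not _known_ip(ip):
            findings.append(("sensitive_call_from_unknown_ip", key, ev["eventTime"], f"{call[1]} from {ip}"))
        if not agent.startswith(KNOWN_AGENTS):
            findings.append(("unknown_user_agent", key, ev["eventTime"], agent))

        # A key copied off a workstation shows up from a new address shortly after
        # legitimate use. Flag the first such appearance per key and address.
        prior = seen[key]
        if ip not in {p_ip for _, p_ip in prior} and any(t - p_t <= IP_SWITCH_WINDOW for p_t, _ in prior):
            findings.append(("access_key_ip_switch", key, ev["eventTime"], f"new source {ip}"))
        prior.append((t, ip))

        if call[1] == "GetSecretValue":
            recent = [x for x in secret_reads[key] if t - x <= BURST_WINDOW] + [t]
            secret_reads[key] = recent
            if len(recent) == BURST_THRESHOLD:   # fire once, when the threshold is crossed
                findings.append(("secret_read_burst", key, ev["eventTime"],
                                 f"{BURST_THRESHOLD} reads within {BURST_WINDOW}"))
    return findings

def rules_for_key(findings, key):
    """Set of rule names that fired for one access key id."""
    return {rule for rule, k, _, _ in findings if k == key}

if __name__ == "__main__":
    for finding in analyze(SAMPLE_EVENTS):
        print(*finding)
```

Run as-is, the script reports every rule for the developer key and nothing for the CI key. The ranges, agents and thresholds are the part to tune to an environment; the source-address rule only works against long-lived IAM user keys like the ones shown, since short-lived role sessions change identifiers too often to baseline this way.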
Total Amount Lost
The total amount lost has been estimated at $2,000,000 USD. The CEO's list of attacker-controlled EVM wallets (see Ongoing Developments) accounts for roughly $1.8-1.9 million of that, while one reply to his update claims that a single user lost $8.7 million, a figure that has not been reconciled with the published estimates.
Immediate Reactions
"Cryptocurrency portfolio management company CoinStats temporarily suspended user activities after 1,590 crypto wallets were affected by a security incident. CoinStats stated, "The attack has been mitigated, and we have temporarily shut down the application to isolate the security incident. None of the connected wallets and CEXes were impacted. Thanks to the immediate incident response from the CoinStats team, only 1.3% of all CoinStats Wallets were affected, totaling 1,590 wallets. The list might change as the investigation is ongoing but we don't expect significant changes.""
Ultimate Outcome
"The attack has been mitigated, and we have temporarily shut down the application to isolate the security incident.
1. None of the connected wallets and CEXes were impacted.
2. Thanks to the immediate incident response from the CoinStats team, only 1.3% of all CoinStats Wallets were affected, totaling 1,590 wallets. The list might change as the investigation is ongoing but we don't expect significant changes.
3. If your wallet address is in this affected list, please move your funds immediately using your exported private key (if you have exported previously): https://docs.google.com/spreadsheets/d/1Lwxpy2T6W7aptjBJUio0Z01zihsqknXn6KPhzawQLVI/
4. We are actively investigating the extent of funds moved and will provide updates as soon as they become available.
We're actively working to bring the app back online as quickly as possible. Thank you for your patience."
"Seeing all this happen to something you've worked hard on for 6 years is tough, especially since it occurred because of a secondary feature. The CoinStats Wallet, used by no more than 1% of all our users, was certainly not the reason people loved our product.
I empathize with those who lost money; I'm sure their situation is just as difficult. CoinStats will definitely support the victims of the hack, and we've been discussing options internally."
Total Amount Recovered
There do not appear to have been any funds recovered in this case. CoinStats has stated that it will support the victims and has been discussing options internally, but no reimbursement plan had been announced at the time of writing.
Ongoing Developments
"Thank you for your update and for your continued dedication to CoinStats over the past six years. I understand how challenging it must be to see such hard work impacted by this unfortunate incident.
The success and trust in our industry rely on companies like CoinStats taking full accountability for their actions. This includes making sure those affected by the recent hack are adequately compensated. It is vital for the integrity of our ecosystem that those harmed, including our founder BLURR.ETH who lost $8.7 million due to this breach, are made whole.
We appreciate your commitment to supporting the victims and look forward to a detailed update on how CoinStats plans to address these losses and enhance security measures to prevent future occurrences."
"I wanted to share the list of the EVM wallets where significant portion of the stolen funds are sitting currently. (Totaling around $1.8-1.9m)
We would appreciate any help to monitor / track sources of those wallets in order to be able to recover any amount of funds.
0xe25ca22d0b0820295953f57e53da9b96c32b9237
0xbb84aca7e688eb0841f20dbe0b3e906a5b94c02d
0x10f3b2e121653564bad2bc75e86fa007d1038553
0x74cc3109e2646336e55dd3c4328e02b5cbecc589
0x89215b0f53b902fb580c4b177e4220230293522d
0xb33eff60375b29c6fc8d9da3bd89a65934a08eb9
0x00b03fe97b4d7b1f8948b68d0065344d37aad193
0x0e249592fc5ea4d7fb590bf5ecfa92757572609a
0x92106823b4b64c5a21df02676bd39fd53f3ed753
0x0340f1b9a75a38e487687ee7c41052a70c7224a9
0x45ba1562b7a4d7a3fa5150bdf0107299f35f0b97
0x99c6518a994ce44f110a081e9e17f334828fbac0
0x580c1f75a732555be26d83938a8a1ed51768aa4a
0x6b42900261f7729583cb81e294a58267eff3c5b7
0x0e70fd0271b41ca77a2efdcb07ab178602122d8c
0x12b0128fb5cf9ca6a6a4370b0e567c6c35c575c7
0x48a9dbbca590d3269db882f30db59c72f8f6fd4b
0x8186e7cd489dcda68875ff06df48a40624c8ca7c
0x42e4e114bbde931b2de5c5cdb1b1c0ca783f24fa
0x19ff1c100323b52611ada86a2a576615a283b150
0x5bcfd99c34cf7e06fc756f6f5ae7400504852bc4
0xb0621ece074216f57f4105b8a60c2eb6c3556ce9
0xadfb847b23297b396177e4f6aa0961216311d723
0xF20B76317FaAEA4DEaDdB170Ef692dd9C606707c
0xfd03F78Fc2EaD3814abc9Dc6B7f357415FbBE11D
0x19a1ce39b06480063fb2d76f160b294239b0f725
0xd83611dc27fe606d85e4fde4aa308c84b71d0604"
Individual Prevention Policies
No specific policies for individual prevention have yet been identified in this case.
For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.
Platform Prevention Policies
Policies for platforms to take to prevent this situation have not yet been selected in this case.
For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.
Regulatory Prevention Policies
No specific regulatory policies have yet been identified in this case.
For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.
References
1. SlowMist Hacked - SlowMist Zone (Accessed Jun 25, 2024)
2. @CoinStats Twitter (Accessed Jun 27, 2024)
3. @narek_gevorgyan Twitter (Accessed Jun 27, 2024)
4. @narek_gevorgyan Twitter (Accessed Jun 27, 2024)
5. Cryptocurrency Portfolio Tracker and Research | CoinStats (Accessed Jun 27, 2024)
6. x.com (Accessed Jun 27, 2024)
7. x.com (Accessed Jun 27, 2024)
8. x.com (Accessed Jun 27, 2024)
9. x.com (Accessed Jun 27, 2024)
10. x.com (Accessed Jun 27, 2024)
11. x.com (Accessed Jun 27, 2024)
12. Crypto Tracker Trusted by 1 Million People Worldwide (Accessed Aug 26, 2024)