CoinStats, a leading cryptocurrency portfolio tracking app, revealed details of a significant security breach that resulted in the theft of approximately $2.2 million in digital assets.
As reported by crypto.news, the incident was detected on June 22, 2024. Now, a security incident report CoinStats published on Friday, July 12, provided deeper insights into the breach.
The attackers are believed to be affiliated with a highly sophisticated nation-state group. They managed to access private keys, facilitating unauthorized transfers from compromised wallets.
According to CoinStats CEO Narek Gevorgyan, the breach targeted 1,590 CoinStats wallets by exploiting vulnerabilities across multiple services.
Following the incident, CoinStats secured the remaining assets and immediately shut down its platform to conduct an investigation. The Federal Bureau of Investigation and other security experts, including ZachXBT and Tay from MetaMask, assisted in recovering the stolen funds.
“We have engaged in ongoing collaboration with security researchers and law enforcement to understand the full scope of the breach,” Gevorgyan explained. While the theft affected cryptocurrency funds, there was no evidence of compromised user data beyond the financial loss, Gevorgyan added.
Per the report, CoinStats resumed full operations on July 3 after implementing improved security protocols and comprehensive infrastructure audits.
The company said it will continue to monitor for any signs of further malicious activity. It also provided recommendations for additional security measures, including:
- Mandatory password update: The company said it would enforce a stricter password policy requiring all users to update their passwords if they do not comply with the new standards.
- Enabling 2FA: It also said it would encourage all users to enable two-factor authentication on their accounts.
CoinStats also committed to maintaining transparency throughout the investigation and pledged to provide regular updates on its progress and security enhancements. Additionally, the firm said it was actively exploring ways to support users.
What’s next: Users may report their losses and seek potential assistance, with a submission deadline of Aug. 15.
