The CoinsPaid Scam — Episode 1 — The negative equity mystery

by the investigative journalist Shana Dovi

Money laundering and fraud in the companies Coinspaid and Alphapo.

By criminals Ivan Montik, Pavel Kashuba, Dmitry Yaikov (also known as Dzmitry Yaikau) from Belarus, Roland Isaev, Paata Gamgoneishvili from Russia and Max (Maksim) Krupyshev from Ukraine.

In this first article, our investigations demonstrate that much more money got stolen from CoinsPaid than what they publicly declared. We also show that, due to this theft, the equity of the company is negative, which means it is bankrupt. Finally, we are going to try to understand why it is still operating in these conditions and why the Estonian authorities are not reacting, given that a contagion risk exists, as happened with CoinLoan.

This series of investigative articles describes how “Dream Finance OÜ”, an Estonia-based company doing business as “CoinsPaid” and managed by the Berlin resident and Ukrainian crypto influencer Maksim Krupyshev, is laundering hundreds of millions of euros per year with the help of a pan-European network of Belarusian expatriates, working for offshore and (mostly) illegal gambling sites while hardly respecting local labor and tax regulations.

Each article will delve into one facet of this well-structured criminal endeavor and explain the role of each key character, spanning from an old French female aristocrat living in Tallinn and dealing with the company’s public relations to a mythomaniac Belarusian tennis fan based in Cyprus heading the finance department. We will also try to understand why the Estonian authorities, who are well aware of the activities conducted by CoinsPaid, are remaining passive.

On the 26th July 2023 in Tallinn, Estonia, following growing rumors, CoinsPaid finally publicly admitted in a blog post that the company lost USD 37M after their hot wallets got hacked. The alarm was initially sounded by the crypto-analyst and investigator ZachXBT on X.

According to the official communication, CoinsPaid suspects the Lazarus group of having committed the hack and plans to organize a round table with all the Lazarus victims “aimed at minimizing and preventing such attacks in the future”. Moreover, CoinsPaid “ensured that customer funds stayed intact”, contradicting their own declarations made in the Estonian Äripäev newspaper.

“It was not the first time but this time, it was massive; they took everything!” a former developer of CoinsPaid told us. She continued: “They got hacked in November 2020 but no analyst saw it and therefore they didn’t go public with it. It was an internal bug that got exploited. 6 BTC, almost 600 Ether and 75.000 USDT got stolen. The code quality and development processes in the company were (and probably still are) appalling. They are coming from the online gaming industry, they have no clue how a financial company operates, especially in IT”.

The modus operandi of the hack as described by CoinsPaid was also surprising. According to them, the computer of a developer got compromised after he accepted a job interview during which the interviewer requested software to be installed on his machine. The software was a trojan horse which allowed the hackers’ team to take control of the production system of CoinsPaid and initiate the fraudulent transactions.

We discussed this process with a security expert; here are his comments:
“The Trojan horse approach is indeed a classic and there is always some social engineering involved in the process. A job interview is a known approach, so their explanation holds water in that respect despite showing a major issue with the training of their staff. However, the fact that the production system was kind of freely accessible from a developer machine is breathtaking, especially for a company which pretends to be the number one in the world. Their security protocols are not even weak, they are clearly non-existent. I’m not very knowledgeable about the regulatory environment in the EU for financial institutions but security protocols should be drafted and enforced. I’m wondering what the local regulator’s responsibility is in this case but there is a big elephant in the room.”

The white hat hackers:
In January 2024, CoinsPaid got hit again and this time, the hack was detected by the Web3 security firm Cyvers. With the undisclosed November 2020 hack, it is the third security breach that impacted CoinsPaid that we are aware of. The very last one has an interesting twist though.

Cyvers published on their X account on the 6th January 2024 a message alerting the community that they had detected some unauthorized crypto fund movements originating from the CoinsPaid account. This time, the amount stolen was in the range of 7 million USD.
The day after the alleged hack, Maksim Krupyshev published a blog post explaining that the fund movements were actually related to a penetration test organized by CoinsPaid in order to detect potential security weaknesses in their infrastructure. He wrote: “CoinsPaid partnered with 2 White Hackers Teams to stress test our Crypto Payment Gateway.”

We discussed that penetration test explanation with an industry veteran who told us: “It was the stupidest explanation I’ve heard in my life considering the transaction data publicly available! When you are dealing with White Hat Hackers, you let them prove their point by moving funds to a wallet which is out of the control of the initial holder and that’s it. Here, after the transfers were made, they started to mix the funds in order to conceal the future transactions and therefore prevent the funds from being traced. It was clearly a hack. Starting to mix the funds does not add any value to the penetration testing operation. I don’t know this Krupyshev but he is either an idiot or he is lying! Or both!”

AlphaPo:
Those three hacks amount to at least 45 million USD but according to documents we’ve seen and some witnesses, more money got stolen. Those additional funds are related to a third-party company named AlphaPo and amount to 60 million USD.

AlphaPo is based in the Caribbean island of Saint Vincent and the Grenadines, a well-known tax haven with light compliance regulations. According to open source information, AlphaPo does exist but does not hold any license to operate crypto processing services (some legislation got introduced in May 2022 to regulate the activities related to virtual assets) whereas its website says “We help businesses to use digital currencies as a payment method”.

The connection between AlphaPo and CoinsPaid became pretty obvious during the July 2023 hack as they were hit simultaneously. Such coordinated attacks are difficult to organize and require skills and precision. Hitting two targets at the same time is tactical nonsense unless they are somehow connected. According to the CoinsPaid website, their platform is available “as a service” and that could potentially be how the two companies are connected at the technical level.

However, our investigations led us to discover a much deeper relationship between the two companies. We found out that they not only use the same technology but are run by the same group of people. Even the compliance department is shared between the two entities, leading to a major issue in terms of confidentiality and conflicts of interest.

A compliance officer from CoinsPaid told us: “The official story we have to tell to anyone including the authorities is that AlphaPo is either ‘unrelated to us’ or ‘a client of ours’ (depending on the case) but everybody at CoinsPaid knows it is actually us! I’ve never felt comfortable with that as I had to lie to the Estonian Police several times pretending we could not be of any help with their questions whereas we could. During our daily compliance meeting, both CoinsPaid and AlphaPo compliance issues are discussed simultaneously”.

A former collaborator of the company added: “Of course they are the same company in practice. Krupyshev, Akulenko, the former COO, Kashuba and, I guess, Montik know perfectly well that the two companies are just fronts for the same team and technology, they even have a channel on their Slack to discuss if a client is on-boarded to CoinsPaid or AlphaPo. Sometimes, they move clients from one platform to the other without compensation for the company the client is departing from. I’ve seen customers acquired at the expense of CoinsPaid which are then migrated to AlphaPo because their risk level is too high. No compensation is paid to CoinsPaid as far as I know though”.

The negative equity mystery:
According to their website, CoinsPaid operates through various legal entities in Poland, Estonia, El Salvador and Lithuania. Besides Estonia, we could not find any proof that any other entities are holding any license allowing them to conduct crypto-payment processing activities. Only the Estonian entity is clearly licensed.

After consulting the various yearly reports from CoinsPaid that are freely available on the Estonian authorities’ website, we noticed that the actual assets of the company amounted to 96 million EUR and their liabilities to 85 million EUR at the end of 2022. The liabilities are short term for close to 100% of the amount.

With this data, the various announcements from CoinsPaid and their quarterly declarations, we’ve managed to create a synthetic view of their financials at the moment of the July 2023 hack. We estimate that in July 2023, the assets were reaching 105 million EUR and their liabilities were at 90 million EUR.

At that moment, the losses due to the known hacks amount to roughly 90 million EUR (EURUSD exchange rate at 1.1), which means that the remaining assets are around 15 million EUR vs. liabilities of 90 million EUR, for a resulting negative equity of -75 million. And this is not even accounting for the January 2024 hack and any other problems CoinsPaid might have had which didn’t go public and which would negatively impact the ratio!

We presented the company financials including our estimation to a professional analyst and he confirmed our analysis in a staggering way: “This type of business is not capital intensive but considering their revenue and the quantity of people working for them, running a Kebab chain is more profitable. I don’t see much value in that company especially considering the type of business they are dealing with which seems pretty risky and unstable.” He added: “One thing I’m sure of is that they are broke”.

“I came to that conclusion myself some time ago”, declared a former executive of CoinsPaid. “Negative equity is a huge warning signal for a company and this kind of situation should be dealt with immediately. For a financial entity, being in negative equity concretely means that all of the customers’ funds are lost and that a contagion risk exists for other financial entities. It happened in 2008 to some banks in Iceland or to some Forex brokers in 2014 when the national Swiss bank stopped the pegging of the Swiss franc with the euro”.

Even more surprising is the non-reaction of the Estonian authorities. All the data on which we’ve based our analysis have been available since August 2023 but the Estonian authorities, and more specifically the FIU, renewed Dream Finance’s license in October 2023.

The quiet customers:
CoinsPaid processes crypto payments for a network of 800 merchants but we could not find any evidence of complaints from those merchants except messages coming from their customers who were discussing the slow processing of their deposits / withdrawals at the time of the hack.

We looked into that topic with a competitor of CoinsPaid. He told us: “It is always frightening to see a competitor getting hacked because we are all exposed but it also offers an opportunity to catch some of their customers. Thanks to a thorough analysis of the disclosed hacked addresses, we were able to identify and reach their customers. None of them went back to us to ask for more information. I’ve never seen that. It is puzzling. The only economic activity I’m aware of where participants accept to lose all their money once in a while, is the drug trafficking industry.