The criminal activities surrounding CoinsPaid and Alphapo are linked to a group of individuals, including Ivan Montik, Pavel Kashuba, Dmitry Yaikov (also known as Dzmitry Yaikau) from Belarus, Roland Isaev, Paata Gamgoneishvili from Russia, and Max (Maksim) Krupyshev from Ukraine.
The CoinsPaid Scam: Unraveling the Negative Equity Mystery

In our initial investigation, we reveal that CoinsPaid has experienced far greater financial losses than publicly acknowledged. This misappropriation of funds has led to a negative equity situation, indicating that the company is effectively bankrupt. We will explore why CoinsPaid continues to operate under these circumstances and why Estonian authorities have not intervened, especially given the contagion risk reminiscent of the CoinLoan case.

This series of articles will detail how “Dream Finance OÜ,” the Estonian entity operating as CoinsPaid and managed by Maksim Krupyshev, a Ukrainian crypto influencer residing in Berlin, is allegedly laundering hundreds of millions of euros annually. This operation is facilitated by a network of Belarusian expatriates involved in offshore and predominantly illegal gambling activities, often disregarding local labor and tax laws.

Each installment will examine a different aspect of this organized criminal enterprise, highlighting key figures, from a French aristocrat in Tallinn managing public relations to a Belarusian tennis enthusiast in Cyprus overseeing the finance department. We will also investigate why Estonian authorities, who are aware of CoinsPaid’s activities, remain passive.

On July 26, 2023, CoinsPaid publicly acknowledged a loss of $37 million due to a hack of their hot wallets, following rumors that had been circulating. The initial alert was raised by crypto analyst ZachXBT on social media.

According to CoinsPaid’s official statement, they suspect the Lazarus group was behind the hack and plan to convene a roundtable with other victims to discuss prevention strategies. They also claimed that customer funds remained secure, contradicting earlier statements made to the Estonian publication Äripäev.

A former developer at CoinsPaid revealed, “This wasn’t the first incident, but this time it was significant; they took everything! They were hacked in November 2020, but no one noticed, so they didn’t disclose it. An internal bug was exploited, resulting in the theft of 6 BTC, nearly 600 Ether, and 75,000 USDT. The quality of their code and development processes was, and likely still is, appalling. They come from the online gaming sector and lack understanding of how a financial company should operate, especially in IT.”
The CoinsPaid Scam: Insights into the Hack

The method of the hack, as described by CoinsPaid, was unexpected. They claimed that a developer’s computer was compromised after he accepted a job interview during which the interviewer requested software installation. This software turned out to be a trojan horse, granting hackers access to CoinsPaid’s production system and enabling fraudulent transactions.

A security expert commented on this process: “The trojan horse tactic is classic, and social engineering is always involved. A job interview is a known method, so their explanation is plausible, although it highlights significant training deficiencies among their staff. However, the fact that the production system was accessible from a developer’s machine is astonishing, especially for a company claiming to be a leader in the field. Their security protocols are not just weak; they appear to be nonexistent. I’m not well-versed in EU regulations for financial institutions, but security protocols should be established and enforced. I wonder what the local regulator’s role is in this situation, as there’s a significant issue at hand.”

The White Hat Hackers

In January 2024, CoinsPaid faced another breach, this time detected by the Web3 security firm Cyvers. This incident, along with the undisclosed November 2020 hack, marks the third known security breach affecting CoinsPaid. The latest breach has an intriguing twist.

On January 6, 2024, Cyvers alerted the community about unauthorized crypto fund movements from CoinsPaid’s account, with losses estimated at around $7 million. The day following the alleged hack, Maksim Krupyshev published a blog post claiming that the fund movements were part of a penetration test conducted by CoinsPaid to identify security vulnerabilities. He stated, “CoinsPaid partnered with two white hat hacker teams to stress test our crypto payment gateway.”

An industry veteran critiqued this explanation: “That’s the most absurd justification I’ve ever heard, given the publicly available transaction data! When working with white hat hackers, you allow them to demonstrate their findings by transferring funds to a wallet outside the control of the original holder. Here, after the transfers, they began mixing the funds to obscure future transactions and prevent tracing. This was clearly a hack. Mixing the funds adds no value to a penetration test. I don’t know Krupyshev, but he’s either clueless or dishonest—or both!”

The AlphaPo Connection

The three hacks combined have resulted in losses totaling at least $45 million, but evidence suggests that even more funds have been misappropriated, particularly in connection with a third-party company named AlphaPo, which is linked to an additional $60 million in losses.

AlphaPo operates from the Caribbean island of Saint Vincent and the Grenadines, a well-known tax haven with lax compliance regulations. While open-source information confirms AlphaPo’s existence, it lacks the necessary licenses to provide crypto processing services, despite its website claiming, “We help businesses use digital currencies as a payment method.”

The relationship between AlphaPo and CoinsPaid became evident during the July 2023 hack, as both entities were targeted simultaneously. Such coordinated attacks require significant skill and precision, making it unlikely that they are unrelated. According to CoinsPaid’s website, their platform is offered “as a service,” which could explain a potential technical connection between the two companies.

However, our investigation has uncovered a much deeper relationship. CoinsPaid and AlphaPo not only share technology but are also managed by the same group of individuals. Their compliance departments are intertwined, leading to serious concerns regarding confidentiality and conflicts of interest.

A compliance officer from CoinsPaid disclosed, “The official narrative we present to anyone, including authorities, is that AlphaPo is either ‘unrelated to us’ or ‘a client’ (depending on the situation), but everyone at CoinsPaid knows the truth: it’s actually us! I’ve felt uncomfortable lying to the Estonian police multiple times, pretending we couldn’t assist with their inquiries when we could. During our compliance meetings, we discuss issues related to both CoinsPaid and AlphaPo simultaneously.”

A former employee added, “In practice, they are the same company. Krupyshev, Akulenko (the former COO), Kashuba, and Montik are fully aware that both companies are merely fronts for the same team and technology. They even have a Slack channel to discuss whether a client should be onboarded to CoinsPaid or AlphaPo. Sometimes, they transfer clients from one platform to the other without compensating the departing company. I’ve seen clients acquired at CoinsPaid’s expense only to be migrated to AlphaPo due to high-risk levels, with no compensation to CoinsPaid.”
The Negative Equity Mystery

According to their website, CoinsPaid operates through various legal entities in Poland, Estonia, El Salvador, and Lithuania. However, aside from Estonia, we found no evidence that any of these entities hold licenses to conduct crypto payment processing activities. Only the Estonian entity is clearly licensed.

After reviewing CoinsPaid’s annual reports available on the Estonian authorities’ website, we discovered that the company’s assets amounted to €96 million, while liabilities stood at €85 million at the end of 2022. Notably, nearly all liabilities are short-term.

Using this data, along with CoinsPaid’s announcements and quarterly reports, we constructed a synthetic view of their financial situation at the time of the July 2023 hack. We estimate that in July 2023, their assets reached €105 million, while liabilities were approximately €90 million.

At that point, losses from known hacks were estimated at around €90 million (using an exchange rate of 1.1 for EUR/USD), leaving remaining assets at about €15 million against liabilities of €90 million, resulting in a negative equity of -€75 million. This figure does not even account for the January 2024 hack or any other undisclosed issues that could further deteriorate their financial standing.

We presented our financial analysis to a professional analyst, who confirmed our findings with astonishment: “This type of business is not capital-intensive, but considering their revenue and workforce, running a kebab shop would be more profitable. I see little value in this company, especially given the risky and unstable nature of their operations.” He added, “One thing is certain: they are broke.”

A former executive at CoinsPaid echoed this sentiment: “Negative equity is a significant warning sign for any company, and such a situation should be addressed immediately. For a financial entity, being in negative equity means that all customer funds are at risk, creating a contagion risk for other financial institutions. We saw this happen in 2008 with some banks in Iceland and with Forex brokers in 2014 when the Swiss National Bank stopped pegging the Swiss franc to the euro.”
The Inaction of Estonian Authorities

Even more surprising is the lack of action from Estonian authorities. All the data supporting our analysis has been available since August 2023, yet the Estonian Financial Intelligence Unit (FIU) renewed Dream Finance’s license in October 2023.

The Silent Customers

CoinsPaid processes crypto payments for a network of 800 merchants, but we found no evidence of complaints from these merchants, aside from messages from their customers discussing delays in deposit and withdrawal processing during the hack.

We consulted a competitor of CoinsPaid, who remarked, “It’s always alarming to see a competitor hacked because we’re all exposed, but it also