Coinbase Reveals Recent Cyberattack Targeting Its Employees
Coinbase, a cryptocurrency exchange, suffered a cybersecurity attack on February 5th that targeted its employees. The company’s engineering team recently released a report stating that the attack involved SMS scams and impersonations of IT staff. However, the firm confirmed that no customer funds or information were affected.
According to the report, several Coinbase employees received SMS messages late on a Sunday urging them to log in through a provided link to read an important message. In good faith, one employee followed the attacker’s instructions.
“While the majority ignore this unprompted message – one employee, believing that it’s an important and legitimate message, clicks the link and enters in their username and password. After ‘logging in’, the employee is prompted to disregard the message and thanked for complying.”
The attacker then made several unsuccessful attempts to gain remote access to Coinbase’s internal systems using the employee’s login credentials, but was unable to bypass the Multi-Factor Authentication (MFA) security feature.
According to the report, after the failed attempts the attacker contacted the employee by phone, claiming to be from Coinbase’s IT department and asking for their help.
“Believing that they were speaking to a legitimate Coinbase IT staff member, the employee logged into their workstation and began following the attacker’s instructions. That began a back and forth between the attacker and an increasingly suspicious employee. As the conversation progressed, the requests got more and more suspicious.”
Coinbase’s Security Incident and Event Management (SIEM) system detected unusual activity and alerted the Computer Security Incident Response Team (CSIRT) about a cyberattack on its employees on February 5. In response to the suspicious behavior, an incident responder reached out to the affected employee through the company’s internal messaging system.
According to Coinbase’s engineering team report, the attacker attempted to gain remote access to internal systems using the employee’s credentials obtained through an SMS scam. After failing to authenticate, the attacker posed as Coinbase’s IT department and contacted the employee by phone. The employee then terminated all communication with the attacker.
Despite the attack, Coinbase’s security measures were effective in protecting customer funds and information. The company suspects that the attack is part of a larger sophisticated campaign targeting companies in the United States.
In August 2022, Group-IB, a cybersecurity company, reported a large-scale campaign that compromised 9,931 accounts of over 130 organizations, including Twilio and Cloudflare, through similar phishing attacks on their employees.
Coinbase encourages appropriate training for employees and customers to avoid falling victim to similar phishing attacks.
“Research shows again and again that all people can be fooled eventually, no matter how alert, skilled, and prepared they are. We must always work from the assumption that bad things will happen. We need to be constantly innovating to blunt the effectiveness of these attacks while also striving to improve the overall experience of our customers and employees.”