A sophisticated threat actor hit cryptocurrency exchange Coinbase

The Coinbase cryptocurrency exchange was the victim of a sophisticated cyberattack; experts believe it was targeted by the same hackers that hit Twilio.

A sophisticated threat actor launched a smishing campaign against the employees of the cryptocurrency exchange Coinbase.

According to the company, on February 5, 2023, some of its employees received text messages requesting them to urgently log in to their accounts using an embedded link.

Most of the employees ignored the message, but the company revealed that one employee clicked the link and entered his credentials. Once “logged in”, the employee was prompted to disregard the message.

Since Coinbase protects its employees’ accounts with two-factor authentication (2FA), the threat actor was not able to access this employee’s account. However, after 20 minutes the hackers called the employee, pretending to be from the corporate IT department, and instructed him to log into his workstation.

The employee followed the attackers’ instructions and logged into his workstation. The good news is that Coinbase’s security team detected the suspicious activity and immediately alerted the targeted employee, locking the hacker out.

The company’s CSIRT team immediately suspended all access for the targeted employee and launched an investigation into the attack.

“Fortunately no funds were taken and no customer information was accessed or viewed, but some limited contact information for our employees was taken, specifically employee names, e-mail addresses, and some phone numbers,” reads the statement published by the cryptocurrency exchange.

Coinbase pointed out that the threat actors did not access customer data and were not able to steal any funds.

Evidence collected by Coinbase revealed that the attack was likely conducted by the threat actor 0ktapus, which was behind the attacks against at least 130 other organizations, including Twilio and Cloudflare.

Security researcher Will (@BushidoToken) shared the following indicators associated with the group in a tweet dated February 18, 2023:

- Domain patterns: sso-*.com, *-sso.com, dashboard-*.com, *-dashboard.com
- AnyDesk and ISLonline RMM tools
- MullvadVPN
- Calls/texts from: Google Voice, Skype, Vonage/Nexmo, Bandwidth
- EditThisCookie browser extension
- riseup[.]net used to copy and paste data (for exfiltration)

— Will (@BushidoToken) February 18, 2023
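The domain patterns and the defanged exfiltration site quoted above are the kind of indicator a SOC would turn into a DNS-log check. The following Python script is an added example written for this article, not code from Coinbase or from the researcher quoted: it refangs `riseup[.]net`, converts the wildcard patterns to regexes that match one registered domain label (so `login.example-sso.com`, a hypothetical legitimate SSO host on the allowlist, is not flagged while `sso-coinbase.com` is), and runs them over a few constructed DNS log lines. The allowlist entries, log format and hostnames in the sample are all invented for the example.

```python
import re

# Indicators quoted from the @BushidoToken tweet embedded in the article:
# wildcard patterns for lookalike SSO/dashboard domains and a defanged exfiltration site.
DOMAIN_PATTERNS = ["sso-*.com", "*-sso.com", "dashboard-*.com", "*-dashboard.com"]
EXFIL_DOMAINS_DEFANGED = ["riseup[.]net"]

# Hypothetical allowlist: registered domains your own SSO legitimately uses (constructed).
ALLOWLIST = {"example-sso.com"}


def refang(indicator: str) -> str:
    """Turn a defanged indicator such as 'riseup[.]net' back into 'riseup.net'."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


def pattern_to_regex(pattern: str) -> re.Pattern:
    """Compile a wildcard pattern; '*' stands for one label fragment (letters, digits, hyphens)."""
    escaped = re.escape(pattern.lower()).replace(r"\*", r"[a-z0-9-]+")
    return re.compile(rf"^{escaped}$")


COMPILED = [(p, pattern_to_regex(p)) for p in DOMAIN_PATTERNS]
EXFIL_DOMAINS = {refang(d).lower() for d in EXFIL_DOMAINS_DEFANGED}


def registered_domain(host: str) -> str:
    """Last two labels of a hostname; adequate for .com/.net, not for ccSLDs such as .co.uk."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify(host: str):
    """Return (category, matched_indicator), or None if the host hits no indicator."""
    reg = registered_domain(host)
    if reg in ALLOWLIST:
        return None
    if reg in EXFIL_DOMAINS:
        return ("exfil-site", reg)
    for pattern, rx in COMPILED:
        if rx.match(reg):
            return ("lookalike-sso-domain", pattern)
    return None


# Constructed sample DNS log, one query per line: "<timestamp> <client-ip> <queried-name>".
SAMPLE_DNS_LOG = """\
2023-02-05T10:01:12Z 10.20.30.41 mail.example-corp.com
2023-02-05T10:02:45Z 10.20.30.41 sso-coinbase.com
2023-02-05T10:03:01Z 10.20.30.52 login.example-sso.com
2023-02-05T10:17:19Z 10.20.30.41 coinbase-dashboard.com
2023-02-05T10:24:00Z 10.20.30.41 riseup.net
2023-02-05T10:30:33Z 10.20.30.77 www.wikipedia.org
"""


def scan_dns_log(text: str):
    """Return (timestamp, client, host, category, indicator) for each line that hits an indicator."""
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:  # skip malformed lines rather than crash mid-scan
            continue
        ts, client, host = parts
        result = classify(host)
        if result:
            hits.append((ts, client, host) + result)
    return hits


if __name__ == "__main__":
    for hit in scan_dns_log(SAMPLE_DNS_LOG):
        print(*hit)
```

Matching on the registered domain rather than the full hostname keeps the broad `*` patterns from firing on every subdomain under a legitimate zone; a production version would use a public-suffix list instead of the two-label shortcut, and would pivot from a hit on one client to that client's other queries in the same window (here 10.20.30.41 also resolves the exfiltration site shortly after the lookalike domains).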

Pierluigi Paganini

(SecurityAffairs – hacking, Smishing)

The post A sophisticated threat actor hit cryptocurrency exchange Coinbase appeared first on Security Affairs.