Coinbase discloses recent cyberattack targeting employees

Crypto exchange Coinbase experienced a cybersecurity attack targeting its employees on Feb. 5. The attack came through SMS scams and involved impersonations of IT staff, according to a recent report from the company’s engineering team. No customers’ funds or information were impacted, the firm said.

As per the report, on a late Sunday several Coinbase employees received SMS messages requiring them to urgently log in via the link provided to access an important message. Acting in a good faith, one employee followed the exploiter’ instructions:

“While the majority ignore this unprompted message – one employee, believing that it’s an important and legitimate message, clicks the link and enters in their username and password. After “logging in”, the employee is prompted to disregard the message and thanked for complying.” 

The perpetrator then made repeated attempts to gain remote access to Coinbase’s internal systems with the employee’s username and password, but was unable to pass through the Multi-Factor Authentication (MFA) security measure. 

After failing to authenticate and being automatically blocked, the exploiter contacted the employee by phone. According to the report, the attacker claimed to be Coinbase’s IT department and asked the employee for assistance:

“Believing that they were speaking to a legitimate Coinbase IT staff member, the employee logged into their workstation and began following the attacker’s instructions. That began a back and forth between the attacker and an increasingly suspicious employee. As the conversation progressed, the requests got more and more suspicious.”

Coinbase’s Computer Security Incident Response Team (CSIRT) was alerted about an unusual activity by its Security Incident and Event Management (SIEM) system. An incident responder reached out to the victim via the company’s internal messaging system in response to the atypical behavior.

“Realizing something was seriously wrong, the employee terminated all communications with the attacker”, said the report. According to Coinbase, its layered control environment protected customer funds and information, even though some of its personnel’s information had been compromised.

The company believes the attack is associated with a sophisticated attack campaign that targeted many companies since last year, especially in the United States. Cybersecurity company Group-IB reported in August 2022 similar phishing attacks on employees of Twilio and Cloudflare as part of a massive campaign ending in 9,931 accounts of over 130 organizations being compromised.

Coinbase’s team also noted that its customers and employees are frequent targets of fraudsters, and the solution lies in offering appropriate training:

“Research shows again and again that all people can be fooled eventually, no matter how alert, skilled, and prepared they are. We must always work from the assumption that bad things will happen. We need to be constantly innovating to blunt the effectiveness of these attacks while also striving to improve the overall experience of our customers and employees.”