Coinbase breached via SMS cyberattack

The cryptocurrency exchange said the attackers behind the breach are likely the same group that targeted Twilio and Cloudflare.

Coinbase suffered the cyberattack when threat actors accessed some of the company’s data, but insists that it managed to catch it in time, preventing loss of funds or user data being exposed.

“Coinbase’s cyber controls prevented the attacker from gaining direct system access and prevented any loss of funds or compromise of customer information. Only a limited amount of data from our corporate directory was exposed,” the company said.

According to Coinbase, the attackers sent SMS alerts to several of the company’s employees, urging them to log in via an in-message link. While most staff disregarded the prompt, one employee followed the instructions, inadvertently providing attackers with their login details.

With legitimate credentials to hand, the attackers attempted remote access to the exchange’s systems. Even though the company’s cyber controls prevented the intrusion, the attackers did not stop. After the unsuccessful attempt, somebody pretending to be from Coinbase’s corporate IT department contacted the breached employee.

“Believing that they were speaking to a legitimate staff member, the employee logged into their workstation and began following the attacker’s instructions. That began a back and forth between the attacker and an increasingly suspicious employee,” the company said.

Social engineering skills allowed the attackers to access the contact information of Coinbase workers, including their names, email addresses, and phone numbers.

The company said its Computer Security Incident Response Team (CSIRT) noticed the unusual activities 10 minutes after the attack began and contacted the affected employee, ending contact with the attackers.

Coinbase believes the company fell victim to attackers behind the 0ktapus campaign. Last year, the threat actors behind this attack targeted Twilio, Cloudflare, and other major companies, compromising nearly 10,000 accounts across 130 organizations.

The wave of cyberattacks mimicked the well-known identity and access management firm Okta to gain leverage for its social engineering ploys, leading researchers to dub the campaign 0ktapus.