Coinbase’s CISO, Jeff Lunglhofer, has released a blog post that details an attack against their systems that took place on February 5th 2023. A Coinbase employee’s telephone received an SMS message telling them to urgently log in using the link provided in order to receive a message. The employee believed this to be a legitimate message from Coinbase and proceeded to log in using their Coinbase username and password. These credentials were captured by the attacker on their phishing site. The employee was then told to disregard the message and was thanked for complying.
The attacker tried to log in using the credentials they had harvested from the unwitting employee. However, Two-Factor Authentication (2FA) prevented the attacker from logging in. This is where the attacker became persistent.
PICKING UP THE PHONE
The attacker then called the employee whose credentials they had previously phished, claimed to be from Coinbase’s IT team, and said they needed the employee’s assistance.
The employee believed the caller and followed the attacker’s instructions by logging on to their computer. This is where Coinbase’s account of the breach lacks clarity. The post goes on to say:
That began a back and forth between the attacker and an increasingly suspicious employee. As the conversation progressed, the requests got more and more suspicious. Fortunately no funds were taken and no customer information was accessed or viewed, but some limited contact information for our employees was taken, specifically employee names, e-mail addresses, and some phone numbers.
Coinbase’s security team saw the employee’s actions in their security logs and responded rapidly. Coinbase hasn’t specifically outlined the steps that the attacker convinced the employee to carry out. From the rest of the report, it may be the case that the employee was told to download AnyDesk or ISL Online so that the attacker might be able to view the desktop remotely. However, this is unclear at this time.
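The report credits security logs with catching the employee’s actions. As an added illustration (not code from Coinbase or from the report), the following detection logic runs over constructed endpoint telemetry and flags a launch of a remote-access tool such as AnyDesk or ISL Online, escalating when it follows an interactive logon by the same user, which is the pattern a phone-coached employee produces. The executable names and event fields are assumptions, not values from the write-up.

```python
import os
from datetime import datetime, timedelta

# Assumed executable names for the remote-access tools named above;
# not taken from the Coinbase report.
REMOTE_ACCESS_TOOLS = {"anydesk.exe", "isllight.exe", "isllightclient.exe", "islonline.exe"}

# Constructed sample endpoint events (not real Coinbase logs).
SAMPLE_EVENTS = [
    {"ts": "2023-02-05T10:02:10", "host": "wks-17", "user": "jdoe",
     "event": "logon", "logon_type": "interactive"},
    {"ts": "2023-02-05T10:05:44", "host": "wks-17", "user": "jdoe",
     "event": "process_create", "image": r"C:\Users\jdoe\Downloads\AnyDesk.exe",
     "parent": r"C:\Windows\explorer.exe"},
    {"ts": "2023-02-05T11:30:00", "host": "wks-22", "user": "asmith",
     "event": "process_create", "image": r"C:\Program Files\Slack\slack.exe",
     "parent": r"C:\Windows\explorer.exe"},
]


def _parse(ts):
    return datetime.fromisoformat(ts)


def find_remote_access_launches(events, logon_window=timedelta(minutes=30)):
    """Return alerts for remote-access tool launches. Severity is raised when the
    same user logged on interactively within logon_window beforehand, or when the
    binary runs from a user-writable path rather than a managed install location."""
    events = sorted(events, key=lambda e: e["ts"])
    recent_logons = {}  # (host, user) -> time of last interactive logon
    alerts = []
    for e in events:
        key = (e["host"], e["user"])
        if e["event"] == "logon" and e.get("logon_type") == "interactive":
            recent_logons[key] = _parse(e["ts"])
            continue
        if e["event"] != "process_create":
            continue
        # Normalise Windows paths so basename works on any platform.
        image = os.path.basename(e["image"].replace("\\", "/")).lower()
        if image not in REMOTE_ACCESS_TOOLS:
            continue
        severity = "medium"
        last = recent_logons.get(key)
        if last is not None and _parse(e["ts"]) - last <= logon_window:
            severity = "high"
        if "\\users\\" in e["image"].lower():
            severity = "high"
        alerts.append({"ts": e["ts"], "host": e["host"], "user": e["user"],
                       "tool": image, "severity": severity})
    return alerts
```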
WHO’S BEHIND IT?
Coinbase believes that the attack may have been carried out by Oktapus, a group that rose to brief prominence in 2022 when it targeted over 100 organisations with similar methods. Rustam Mirkasymov and Roberto Martinez, cyber threat researchers at Group-IB, published a detailed report on Oktapus in August 2022 outlining the group’s modus operandi.