Security Experts:

Connect with us

Hi, what are you looking for?



Coinbase Hack Linked to Group Behind Last Year’s Twilio, Cloudflare Attacks

Coinbase was recently targeted in a sophisticated phishing attack and the cryptocurrency exchange linked the hack to the 0ktapus group.

Coinbase, one of the world’s largest cryptocurrency exchanges, was recently targeted in a sophisticated cyberattack that appears to have been conducted by the same threat group that targeted Twilio, Cloudflare and many others last year.

Coinbase revealed on Friday that its employees were targeted in an SMS phishing campaign on Sunday, February 5. The targeted workers received text messages instructing them to urgently log in to their account through a provided link. 

A majority of employees ignored the fake warning, but one of the recipients did click on the link and entered their username and password.

Since Coinbase protects employee accounts with two-factor authentication (2FA), the attacker could not immediately use the compromised credentials. However, the hacker was not discouraged and 20 minutes later they called up the employee pretending to be from the corporate IT department. 

The victim followed the attacker’s instructions and logged into their workstation. The suspicious activity triggered alarms with Coinbase’s security team, which alerted the targeted employee before the hacker could gain too much access.

However, the cryptocurrency exchange admitted that the threat actor did manage to obtain some limited contact information for Coinbase employees, including names, email addresses and phone numbers. The company is confident that customer information was not compromised and the attackers did not steal any funds.

Coinbase’s investigation revealed that the attack was likely conducted by a sophisticated threat actor known as 0ktapus, which last year targeted Twilio, Cloudflare and at least 130 other organizations with similar SMS-based phishing messages. 

0ktapus, also known as Scattered Spider, is a financially motivated group that made headlines in the past months for its sophisticated attack methods. In some attacks, the cybercriminals targeted telecommunications and business process outsourcing (BPO) companies in an effort to gain access to mobile carrier networks and perform SIM swapping.

Coinbase has shared information on the tactics, techniques and procedures (TTPs) that its security team observed during this attack. 

Related: Documents, Code, Business Systems Accessed in Reddit Hack

Related: Zendesk Hacked After Employees Fall for Phishing Attack

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Application Security

PayPal is alerting roughly 35,000 individuals that their accounts have been targeted in a credential stuffing campaign.


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.