Coinbase Hack Linked to Group Behind Last Year’s Twilio, Cloudflare Attacks

Coinbase was recently targeted in a sophisticated phishing attack and the cryptocurrency exchange linked the hack to the 0ktapus group.

Coinbase, one of the world’s largest cryptocurrency exchanges, was recently targeted in a sophisticated cyberattack that appears to have been conducted by the same threat group that targeted Twilio, Cloudflare and many others last year.

Coinbase revealed on Friday that its employees were targeted in an SMS phishing campaign on Sunday, February 5. The targeted workers received text messages instructing them to urgently log in to their account through a provided link. 

A majority of employees ignored the fake warning, but one of the recipients did click on the link and entered their username and password.

Since Coinbase protects employee accounts with two-factor authentication (2FA), the attacker could not immediately use the compromised credentials. However, the hacker was not discouraged, and 20 minutes later they called the employee, pretending to be from the corporate IT department.

The victim followed the attacker’s instructions and logged into their workstation. The suspicious activity triggered alarms with Coinbase’s security team, which alerted the targeted employee before the hacker could gain too much access.

However, the cryptocurrency exchange admitted that the threat actor did manage to obtain some limited contact information for Coinbase employees, including names, email addresses and phone numbers. The company is confident that customer information was not compromised and the attackers did not steal any funds.

Coinbase’s investigation revealed that the attack was likely conducted by a sophisticated threat actor known as 0ktapus, which last year targeted Twilio, Cloudflare and at least 130 other organizations with similar SMS-based phishing messages. 

0ktapus, also known as Scattered Spider, is a financially motivated group that has made headlines in recent months for its sophisticated attack methods. In some attacks, the cybercriminals targeted telecommunications and business process outsourcing (BPO) companies in an effort to gain access to mobile carrier networks and perform SIM swapping.

Coinbase has shared information on the tactics, techniques and procedures (TTPs) that its security team observed during this attack. 

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
