Coinbase, one of the world’s largest cryptocurrency exchanges, was recently targeted in a sophisticated cyberattack that appears to have been conducted by the same threat group that targeted Twilio, Cloudflare and many others last year.
Coinbase revealed on Friday that its employees were targeted in an SMS phishing campaign on Sunday, February 5. The targeted workers received text messages instructing them to urgently log in to their account through a provided link.
A majority of employees ignored the fake warning, but one of the recipients did click on the link and entered their username and password.
Since Coinbase protects employee accounts with two-factor authentication (2FA), the attacker could not immediately use the compromised credentials. However, the hacker was not discouraged, and 20 minutes later they called the employee, pretending to be from the corporate IT department.
The victim followed the attacker’s instructions and logged into their workstation. The suspicious activity triggered alarms with Coinbase’s security team, which alerted the targeted employee before the hacker could gain too much access.
However, the cryptocurrency exchange admitted that the threat actor did manage to obtain some limited contact information for Coinbase employees, including names, email addresses and phone numbers. The company is confident that customer information was not compromised and the attackers did not steal any funds.
Coinbase’s investigation revealed that the attack was likely conducted by a sophisticated threat actor known as 0ktapus, which last year targeted Twilio, Cloudflare and at least 130 other organizations with similar SMS-based phishing messages.
0ktapus, also known as Scattered Spider, is a financially motivated group that has made headlines in recent months for its sophisticated attack methods. In some attacks, the cybercriminals targeted telecommunications and business process outsourcing (BPO) companies in an effort to gain access to mobile carrier networks and perform SIM swapping.
Coinbase has shared information on the tactics, techniques and procedures (TTPs) that its security team observed during this attack.

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
