Coinbase Hack Linked to Group Behind Last Year’s Twilio, Cloudflare Attacks

Coinbase was recently targeted in a sophisticated phishing attack and the cryptocurrency exchange linked the hack to the 0ktapus group.

Coinbase, one of the world’s largest cryptocurrency exchanges, was recently targeted in a sophisticated cyberattack that appears to have been conducted by the same threat group that targeted Twilio, Cloudflare and many others last year.

Coinbase revealed on Friday that its employees were targeted in an SMS phishing campaign on Sunday, February 5. The targeted workers received text messages instructing them to urgently log in to their account through a provided link. 

A majority of employees ignored the fake warning, but one of the recipients did click on the link and entered their username and password.

Since Coinbase protects employee accounts with two-factor authentication (2FA), the attacker could not immediately use the compromised credentials. However, the hacker was not discouraged, and 20 minutes later they called the employee, pretending to be from the corporate IT department.

The victim followed the attacker’s instructions and logged into their workstation. The suspicious activity triggered alarms with Coinbase’s security team, which alerted the targeted employee before the hacker could gain too much access.

However, the cryptocurrency exchange admitted that the threat actor did manage to obtain some limited contact information for Coinbase employees, including names, email addresses and phone numbers. The company is confident that customer information was not compromised and the attackers did not steal any funds.

Coinbase’s investigation revealed that the attack was likely conducted by a sophisticated threat actor known as 0ktapus, which last year targeted Twilio, Cloudflare and at least 130 other organizations with similar SMS-based phishing messages. 

0ktapus, also known as Scattered Spider, is a financially motivated group that has made headlines in recent months for its sophisticated attack methods. In some attacks, the cybercriminals targeted telecommunications and business process outsourcing (BPO) companies in an effort to gain access to mobile carrier networks and perform SIM swapping.

Coinbase has shared information on the tactics, techniques and procedures (TTPs) that its security team observed during this attack. 

Copyright © 2024 SecurityWeek ®, a Wired Business Media Publication. All Rights Reserved.
