How Coinbase foiled a large scale hacking attack

On June 17, Coinbase suffered an attack by a sophisticated and highly targeted group of hackers. The hackers aimed to access the system of the exchange and wipe out billions of dollars worth of cryptocurrency. The exchange foiled the attack in an unanticipated move and averted the security breach.

The exchange reported to the media that the hackers had plotted the hack using a combination of tricks to hoodwink staff and access vital systems. Methods being employed included spear phishing, social engineering, and browser zero-day exploits.

The attack started with the receipt of an email sent to over a dozen staff members, from Gregory Harris, a Research Grants Administrator at the University of Cambridge. The email included past histories of employees and requested their help in judging projects competing for an award.

Since the email came from a legitimate Cambridge domain and contained no malicious elements, it passed the exchange’s spam detection and in the following weeks, similar emails were received by other staff members. The attackers continued conversation with several staffers and held back from sending any malicious code until June 17 when “Harris” sent another email that contained malware to take over someone’s machine.

Within a few hours Coinbase security detected the malware and blocked the attack. In its first stage, the malware identified the OS and browser on the intended victims’ machines, displaying a “convincing error” to macOS users who were not using the Firefox browser, and prompted them to install the latest version of the app. Once the emailed URL was visited with Firefox, the exploit code was delivered from a different domain that was registered in May. In its first stage, the attack was identified by the employee who fell prey to the attack, as well as the security team. After analyzing the attack the team concluded that Stage Two would have been another malicious payload delivered in the form of backdoor malware.

The sophistication of the attack was such that the hackers had created a landing page at the University of Cambridge website and two email accounts. The LinkedIN profiles and identities associated with attackers were fake and they had no other online presence.

Coinbase isolated the single computer that was affected and revoked all credentials on the machine. The exchange reached out to the Mozilla Security Team and shared the exploit code within a week. Cambridge University was also informed and they started investigating the methods of the attackers.

Compared to the large scale security breach on Binance in June 2019, and the $30 Million hack on Japanese exchange Bitpoint, this attack was far more sophisticated. The crypto economy is plagued by hacking attacks and it is a time for the crypto community to stay together and build better security infrastructure to foil such attacks in the future.

There is a lesson here for everyday traders. Do not leave your crypto on exchanges for long periods of time. It is not a secure wallet. Keep your crypto in a cold wallet until you need it and be wary – always.