The theft was made possible by the naivety of one of the company's employees.
The Coinbase cryptocurrency platform reported that an unknown attacker stole the credentials of one of its employees in an attempt to gain remote access to the company's systems.
The attacker obtained contact information for several Coinbase employees (names, phone numbers, email addresses), but funds and customer data were not affected.
Coinbase said its security controls prevented the attacker from gaining direct access to its systems and prevented any loss of funds or compromise of customer information. Only a limited amount of data from the Coinbase corporate directory was disclosed.
Coinbase shared the results of its investigation to help other companies recognize the attacker's tactics, techniques and procedures (TTPs) and put appropriate protections in place.
Attack details
The attack began on February 5, when the attacker sent SMS messages to several Coinbase engineers urging them to log in to their corporate accounts to read an important notice.
Most employees ignored the messages, but one of them fell for the trick: he followed the link to the phishing page and entered his credentials. The attacker then tried to log in to Coinbase's internal systems with the stolen credentials, but could not, because access was protected by multi-factor authentication (MFA).
About 20 minutes later, the attacker called the employee, posing as a Coinbase IT specialist, and persuaded the victim to log in to his workstation and perform some actions. Coinbase's CSIRT team detected the unusual activity within 10 minutes of the start of the attack and contacted the victim to ask about the unusual actions from his account. The employee then realized that this was a cyber attack and stopped talking to the attacker.
Will Thomas of the Equinix Threat Analysis Center (ETAC) discovered several additional domains that reference Coinbase and match the description of the campaign, and which may have been used in the attack:
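The sequence above (a password accepted from an unfamiliar IP, followed by MFA prompts that are never completed) is exactly the signal a SOC can alert on. The following detector is an added example written for this article, not Coinbase's code; the SSO audit event names (`password.success`, `mfa.challenge`, `mfa.failure`, `mfa.success`), the field layout and the sample events are constructed for illustration.

```python
"""Flag SSO logins where the password was accepted but MFA never completed.

Added example, not Coinbase's code. Event names, field layout and the
sample events are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit events: (timestamp, user, event, source_ip).
# 'alice' has a normal login in the morning, then a password-only success
# from a new IP with repeated MFA failures; 'bob' logs in normally.
SAMPLE_EVENTS = [
    ("2023-02-05T09:10:00Z", "alice", "password.success", "198.51.100.20"),
    ("2023-02-05T09:10:05Z", "alice", "mfa.success",      "198.51.100.20"),
    ("2023-02-05T14:02:11Z", "alice", "password.success", "203.0.113.7"),
    ("2023-02-05T14:02:15Z", "alice", "mfa.challenge",    "203.0.113.7"),
    ("2023-02-05T14:03:40Z", "alice", "mfa.failure",      "203.0.113.7"),
    ("2023-02-05T14:04:02Z", "alice", "mfa.failure",      "203.0.113.7"),
    ("2023-02-05T14:20:00Z", "bob",   "password.success", "198.51.100.21"),
    ("2023-02-05T14:20:03Z", "bob",   "mfa.success",      "198.51.100.21"),
]


def parse_ts(value):
    """Parse the ISO-8601 UTC timestamps used in the sample events."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def detect(events, window=timedelta(minutes=10)):
    """Return one alert per password.success that is not followed, within
    `window` and from the same IP, by mfa.success.

    An IP counts as 'familiar' for a user once MFA has succeeded from it
    earlier in the log; a password-only success from any other IP is rated
    'high', since it means the password itself is known to someone else.
    """
    by_user = defaultdict(list)
    for ts, user, event, ip in events:
        by_user[user].append((parse_ts(ts), event, ip))

    alerts = []
    for user, evs in by_user.items():
        evs.sort()
        familiar = set()  # IPs from which this user has completed MFA so far
        for i, (ts, event, ip) in enumerate(evs):
            if event == "mfa.success":
                familiar.add(ip)
            if event != "password.success":
                continue
            mfa_ok, mfa_failures = False, 0
            for ts2, ev2, ip2 in evs[i + 1:]:
                if ts2 - ts > window:
                    break
                if ip2 != ip:
                    continue
                if ev2 == "mfa.success":
                    mfa_ok = True
                    break
                if ev2 == "mfa.failure":
                    mfa_failures += 1
            if mfa_ok:
                continue  # normal login: password then MFA completed
            new_ip = ip not in familiar
            alerts.append({
                "user": user,
                "ip": ip,
                "when": ts.isoformat(),
                "mfa_failures": mfa_failures,
                "new_ip": new_ip,
                "severity": "high" if new_ip else "medium",
                "note": "password accepted but MFA never completed; "
                        "treat the password as compromised",
            })
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Run on the sample events it raises a single high-severity alert for `alice` from 203.0.113.7 with two MFA failures, and nothing for the two normal logins. In production the same rule should also trigger a forced password reset, since an accepted password with no completed MFA means the first factor is already in the attacker's hands, which is what made the follow-up phone call in the Coinbase incident plausible.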
- sso-cbhq[.]com;
- sso-cb[.]com;
- coinbase[.]sso-cloud[.]com.
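Beyond matching these exact indicators, the pattern they share (an SSO-style label combined with a brand token on a domain the company does not own) can be hunted generically in DNS and proxy logs. The script below is an added example, not code from Coinbase or ETAC; the log format, the sample lines, the legitimate-domain set and the brand/SSO token lists are assumptions made for illustration.

```python
"""Hunt DNS/proxy logs for the listed phishing domains and for lookalikes
of a company's SSO portal.

Added example, not code from Coinbase or ETAC. Log format, sample lines,
LEGIT_DOMAINS and the token lists are constructed for illustration.
"""
import re

# Indicators from the article (defanging removed so they match log hosts).
IOC_DOMAINS = {"sso-cbhq.com", "sso-cb.com", "coinbase.sso-cloud.com"}

# Assumption: the organisation's own registrable domains. Anything under
# these is legitimate and is never flagged.
LEGIT_DOMAINS = {"coinbase.com"}

# Hypothetical brand shorthands and SSO-ish words used by lookalike domains.
BRAND_TOKENS = {"coinbase", "cbhq", "cb"}
SSO_TOKENS = {"sso", "okta", "login", "auth", "idp"}

# Constructed log lines: "<ts> <client_ip> <DNS|HTTPS> <qtype|method> <host[:port]>"
SAMPLE_LOG = """\
2023-02-05T14:01:58Z 10.20.30.41 DNS A sso-cbhq.com
2023-02-05T14:02:03Z 10.20.30.41 HTTPS CONNECT sso-cbhq.com:443
2023-02-05T14:02:40Z 10.20.30.41 HTTPS CONNECT sso.coinbase.com:443
2023-02-05T14:05:10Z 10.20.30.77 DNS A coinbase-login.example.net
2023-02-05T14:06:00Z 10.20.30.78 HTTPS CONNECT docs.python.org:443
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (DNS|HTTPS) \S+ (\S+)$")


def registrable(host):
    """Naive registrable domain: the last two labels (no public-suffix list)."""
    labels = host.split(".")
    return ".".join(labels[-2:])


def classify(host):
    """Return 'ioc' for a known indicator, 'lookalike' for a host that pairs
    a brand token with an SSO token outside the company's own domains, else None.
    Labels are split on '-' so 'sso-cbhq' yields the tokens sso and cbhq."""
    host = host.lower().rstrip(".")
    if host in IOC_DOMAINS:
        return "ioc"
    if registrable(host) in LEGIT_DOMAINS:
        return None
    tokens = {t for label in host.split(".") for t in label.split("-") if t}
    if tokens & BRAND_TOKENS and tokens & SSO_TOKENS:
        return "lookalike"
    return None


def hunt(log_text):
    """Parse log lines and return (timestamp, client_ip, host, verdict) hits."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than crash the hunt
        ts, client, _, target = m.groups()
        host = target.rsplit(":", 1)[0] if ":" in target else target
        verdict = classify(host)
        if verdict:
            hits.append((ts, client, host, verdict))
    return hits


if __name__ == "__main__":
    for hit in hunt(SAMPLE_LOG):
        print(*hit)
```

Against the constructed log this returns two `ioc` hits for sso-cbhq.com from 10.20.30.41 and one `lookalike` hit for coinbase-login.example.net, while sso.coinbase.com and docs.python.org pass. The lookalike rule deliberately requires both a brand token and an SSO token, since a short token such as `cb` on its own would be far too noisy; for real use, replace the two-label `registrable()` with a public-suffix-list lookup.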