
How Coinbase efficiently discovered and blocked a crypto-economy attack

Coinbase, the world’s most popular bitcoin wallet, recently detailed how it was targeted by, and blocked, “a sophisticated, highly targeted and well thought out attack” aimed at gaining access to its systems and stealing the billions of dollars’ worth of cryptocurrency it holds. In a blog post published on August 8, the company described how the attackers combined social engineering, spear-phishing and browser zero-day exploits to profile employees and gain access to their machines.

It all began in May, when Coinbase employees received an email from a University of Cambridge administrator. The sender, a research grants administrator at the university named Gregory Harris, asked the recipients for their help in judging an economics prize. Nothing about the request raised a red flag, and several employees exchanged further emails with him, unaware that the correspondence was part of a deceitful scheme.

The attacker then sent another email on 17 June containing a URL that, if opened in Firefox, would install malware capable of hijacking the user’s computer. Coinbase’s security team nevertheless detected and blocked the attack before any funds were stolen.

Coinbase explained that two distinct Firefox zero-day exploits were used in the attack: one that allowed the attacker to escalate privileges from JavaScript on a page to the browser (CVE-2019-11707) and one that allowed the attacker to escape the browser sandbox and execute code on the host computer (CVE-2019-11708). Samuel Groß, a researcher at Google’s Project Zero, had independently discovered one of the bugs the attackers used and reported it to Mozilla on April 15.

After the company identified a single affected computer, it revoked all credentials present on the machine and locked the staffer’s accounts. By using compromised academic email addresses, the attackers slipped past common filtering and spam detection tools, and most of the targeted employees believed they were having a genuine human conversation. The attackers even created LinkedIn pages for their fake identities.
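Because the emails came from genuine, compromised academic accounts, sender reputation alone would not have caught them. One triage signal that does not depend on the sender’s reputation is whether an external correspondent sends a link whose host is unrelated to their own domain. The following is an added example, not Coinbase’s tooling or anything from its blog post; the organisation domain, the sender addresses and the sample messages are all constructed placeholders.

```python
"""Inbound-mail triage heuristic (added example, not Coinbase's own code).

Flags messages where an external correspondent sends a link whose host is
unrelated to the sender's domain. This is a triage signal for a human or a
sandbox to look at, not a verdict: a compromised account could still host a
link on its own domain.
"""
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Assumption: the defended organisation's mail domain (placeholder).
INTERNAL_DOMAIN = "example-exchange.test"

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


@dataclass
class Message:
    sender: str
    subject: str
    body: str


def registrable_domain(host: str) -> str:
    """Crude 'last two labels' domain; a public-suffix list would be used in production."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def triage(msg: Message) -> dict:
    """Return the signals for one message and whether it should be flagged."""
    sender_domain = msg.sender.rsplit("@", 1)[-1].lower()
    external = registrable_domain(sender_domain) != registrable_domain(INTERNAL_DOMAIN)
    urls = URL_RE.findall(msg.body)
    # Links whose host does not belong to the sender's own domain.
    foreign_links = [
        u for u in urls
        if registrable_domain(urlparse(u).hostname or "") != registrable_domain(sender_domain)
    ]
    return {
        "external": external,
        "urls": urls,
        "foreign_links": foreign_links,
        "flag": external and bool(foreign_links),
    }


def flagged_subjects(messages) -> list:
    """Subjects of the messages that trip the heuristic, in order received."""
    return [m.subject for m in messages if triage(m)["flag"]]


# Constructed sample thread mirroring the shape of the campaign in the article:
# rapport-building mail without links, then a link to an unrelated host.
SAMPLES = [
    Message("g.harris@university-example.test", "Judging an economics prize",
            "Would you be willing to help us judge this year's entries?"),
    Message("g.harris@university-example.test", "Re: Judging an economics prize",
            "Great, the submissions are at https://prize-judging-portal.test/entries"),
    Message("g.harris@university-example.test", "Our department page",
            "Details at https://econ.university-example.test/prize"),
    Message("alice@example-exchange.test", "Lunch",
            "Menu is at https://catering-example.test/menu"),
]

if __name__ == "__main__":
    for m in SAMPLES:
        print(m.subject, "->", triage(m))
    print("flagged:", flagged_subjects(SAMPLES))
```

The first message is not flagged because it carries no link, the second is flagged because the link host is unrelated to the sender’s domain, the third is not flagged because the link stays on the sender’s own domain, and the fourth is internal mail. In practice this signal would feed a link-rewriting or detonation step rather than block delivery outright.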

Attributing attacks is notoriously difficult, but Coinbase’s security team believes that a shadowy group called HYDSEVEN, which has been linked to numerous attacks on crypto exchanges, may be to blame. Attacks like this one show that cryptocurrency companies must be prepared to fend off highly skilled adversaries who may exploit previously unknown vulnerabilities.

Coinbase also reached out to Cambridge University to report the compromise, help fix it, and learn more about the attacker’s methods. According to Philip Martin, the company’s chief information security officer, it was the most effort he had seen invested in the social engineering phase of an attack, and he was struck by the rapid “discovery to weaponization” speed in this case. He estimated that mounting the attack would have cost the attackers between half a million and a million dollars.

Lastly, Coinbase concluded that the cryptocurrency industry should expect attacks of this sophistication to continue, and that building infrastructure with a strong defensive posture and sharing information about observed attacks with one another is the best way to defend companies and their customers, support the developing crypto-economy, and build the open financial system of the future.

According to Coinbase:

“The cryptocurrency industry has to expect attacks of this sophistication to continue, and by building infrastructure with excellent defensive posture, and working with each other to share information about the attacks we’re seeing, we’ll be able to defend ourselves and our customers, support the crypto-economy, and build the open financial system of the future.”


