Cryptocurrency exchanges are frequent targets of attackers. Coinbase, an American cryptocurrency exchange, is one example of an exchange that became the target of such an attack.
The course of the attack
Coinbase revealed that the exchange had been attacked in an extremely sophisticated manner. The goal was first of all to gain access to Coinbase systems and then to acquire cryptocurrency worth billions of dollars. Among other techniques, the attackers used spear phishing (personalized phishing), in which information about the victim is gathered before the attack and used to make the messages credible.
The attack commenced on May 30, when a number of the exchange's employees began receiving emails signed by a Gregory Harris of the University of Cambridge. The emails looked extremely credible because their content included very specific information. The message was a request for help with a contest in which Harris was taking part.
This email came from the legitimate Cambridge domain, contained no malicious elements, passed spam detection, and referenced the backgrounds of the recipients. Over the next couple weeks, similar emails were received. Nothing seemed amiss. There was no indication of fraud.
- declares Coinbase.
Everything looked fine until June 17, when the sender included in an email a URL that launched malicious software once it was clicked. According to Coinbase, within a few hours its security team had located the problem and blocked the attack from progressing further. The attack targeted the Firefox browser, and macOS users were urged to install the latest version.
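The defensive lesson of this timeline is that the malicious message came from a sender who had already exchanged several link-free emails with staff, so filtering each message on its own had nothing to catch. As an added example (not from the original article and not Coinbase's own tooling), the Python below applies a simple per-sender history heuristic to a constructed set of messages: it flags the first URL a sender introduces after several link-free exchanges, and any URL whose domain does not match the sender's own domain. All addresses, domains, dates and message bodies are made up for illustration, and the threshold of three prior messages is an assumed tuning value.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Hosts of http(s) URLs in a plain-text message body.
URL_HOST_RE = re.compile(r"https?://([A-Za-z0-9.-]+)", re.IGNORECASE)

# How many link-free messages a sender must have sent before its first link is
# treated as a "build rapport, then deliver payload" signal (assumed threshold).
RAPPORT_MIN_MESSAGES = 3


@dataclass
class Message:
    ts: str          # label only; messages are fed in chronological order
    sender: str
    recipient: str
    body: str


@dataclass
class Alert:
    ts: str
    sender: str
    recipient: str
    url_host: str
    reasons: list = field(default_factory=list)


def registrable_domain(host: str) -> str:
    """Naive 'last two labels' domain. A real deployment should use the
    public suffix list so that names like example.co.uk are handled correctly."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def analyze(messages):
    """Return alerts for links that break a sender's established pattern."""
    # Per-sender state: messages seen so far and the link domains they used.
    history = defaultdict(lambda: {"count": 0, "link_domains": set()})
    alerts = []
    for msg in messages:
        sender = msg.sender.lower()
        sender_domain = registrable_domain(sender.split("@", 1)[1])
        state = history[sender]
        for host in URL_HOST_RE.findall(msg.body):
            link_domain = registrable_domain(host)
            reasons = []
            # Signal 1: a sender who built trust with link-free mail now sends a link.
            if state["count"] >= RAPPORT_MIN_MESSAGES and not state["link_domains"]:
                reasons.append(f"first link after {state['count']} link-free messages")
            # Signal 2: the link points somewhere other than the sender's own domain.
            if link_domain != sender_domain:
                reasons.append(
                    f"link domain {link_domain} differs from sender domain {sender_domain}")
            if reasons:
                alerts.append(Alert(msg.ts, sender, msg.recipient, host.lower(), reasons))
            state["link_domains"].add(link_domain)
        state["count"] += 1
    return alerts


def sample_messages():
    """Constructed mailbox timeline modelled on the pattern described above."""
    uni = "researcher@university.example"   # made-up sender
    return [
        Message("May 30", uni, "alice@exchange.example",
                "Hello Alice, I read your work on custody systems and would value "
                "your input on a contest I am entering."),
        Message("Jun 03", uni, "bob@exchange.example",
                "Hi Bob, thanks for agreeing to take a look. No rush at all."),
        Message("Jun 10", uni, "alice@exchange.example",
                "Following up on my earlier note; happy to send details when convenient."),
        Message("Jun 17", uni, "alice@exchange.example",
                "The submission portal is now open: https://prize-portal.example/apply "
                "- please review the entry there."),
        # Benign control: a known vendor linking to its own domain on first contact.
        Message("Jun 17", "noreply@vendor.example", "alice@exchange.example",
                "Your invoice is ready: https://www.vendor.example/invoice/123"),
        # Unknown sender with an off-domain link: only the domain-mismatch signal fires.
        Message("Jun 17", "unknown@free-mail.example", "bob@exchange.example",
                "Shared file: https://docs.cloud-share.example/f/abc"),
    ]


if __name__ == "__main__":
    for alert in analyze(sample_messages()):
        print(f"{alert.ts} {alert.sender} -> {alert.recipient} [{alert.url_host}]")
        for reason in alert.reasons:
            print(f"    {reason}")
```

Run on the constructed timeline, the university sender's June 17 message is the only one that trips both signals; the vendor invoice produces no alert, and the unknown sender trips only the domain-mismatch check. In practice such per-sender state would be built from mail gateway logs and combined with other signals (domain registration age, reputation of the link target, whether the recipient has replied to the sender before) rather than used on its own.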
The thwarted attack
Despite the extremely elaborate and extensive attack, Coinbase managed to thwart it completely. In addition to spear phishing, the attackers used, among other things, a zero-day exploit, that is, code that takes control of software by exploiting a vulnerability that is not yet known to the vendor and for which no fix is available. The mere fact of setting up accounts and a website associated with the University of Cambridge is believed to have required a huge effort.
We don’t know when the attackers first gained access to the Cambridge accounts, or whether the accounts were taken over or created. As others have noted, the identities associated with the email accounts have almost no online presence and the LinkedIn profiles are almost certainly fake.
Immediately after discovering the compromised computer, Coinbase took the entire machine offline and additionally locked all accounts of the employees to whom the emails had been sent. Cambridge was also contacted in order to clarify and rectify the matter, as well as to learn more about the attackers.