In a post-mortem of the incident published over the weekend, Coinbase said that the so-called "0ktapus" hackers stole the login credentials of one of its employees in an attempt to remotely gain access to the company's systems.
0ktapus is a hacking group that targeted more than 130 organizations in 2022 as part of an ongoing effort to steal the credentials of thousands of employees, often by impersonating Okta log-in pages. That figure of 130 organizations is now likely much higher, as a leaked CrowdStrike report seen by TechCrunch claims that the gang is now targeting several tech and video game companies.
In the case of Coinbase, the 0ktapus hackers first sent spoofed SMS text messages to several employees on February 5, telling them to log in urgently via the included link to receive an important message. One employee followed the phishing link and entered their credentials on the fake page. In the next phase, the attacker tried to log into Coinbase's internal systems with the stolen username and password but failed, because access was protected by multi-factor authentication.
Some 20 minutes later, the attacker switched to voice phishing, or "vishing": they called the employee claiming to be from the Coinbase IT team and directed the victim to log into their workstation and follow instructions. Through a screen share, this let the attacker view employee information, including names, email addresses and phone numbers. Stolen credentials alone had been stopped by MFA; talking the already-authenticated employee into showing their screen got the attacker past it.
“A threat actor was able to view the dashboard of a small number of internal Coinbase communication tools and access limited employee contact information,” Coinbase spokesperson Jaclyn Sales told TechCrunch. "The threat actor was able to see, through a screen share, certain views of internal dashboards and accessed limited employee contact information."
However, Coinbase says its security team responded quickly, preventing the threat actor from reaching customer data or funds. “Our security team was able to detect unusual activity quickly and prevent any other access to internal systems or data,” Sales added.
Coinbase said no customer data was accessed. The company's chief information security officer, Jeff Lunglhofer, recommended that users consider switching to hardware security keys for stronger account protection, although Coinbase did not say whether it uses hardware keys internally. Unlike a password or a one-time code typed into a page, a hardware key cannot be phished by a lookalike login site: the key only produces a login response bound to the legitimate site it was registered with.
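The claim that hardware keys cannot be phished rests on origin binding in FIDO2/WebAuthn, which a news report has no room to spell out. The Python below is an added illustration, not code from Coinbase, TechCrunch or the incident post-mortem: it models what the browser writes into a security-key login response and what a relying party checks, using constructed values. `RP_ID`, `ALLOWED_ORIGINS`, the lookalike hostname and the challenge bytes are assumptions; the cryptographic signature over the assertion, which a real relying party also verifies, is outside the scope of this example.

```python
"""Origin binding: why a security key used on an 0ktapus-style lookalike page
does not log the attacker in. Added example with constructed hostnames and
payloads; signature verification of the assertion is not modelled here."""
import base64
import hashlib
import hmac
import json
import secrets

RP_ID = "login.example.com"                       # assumed relying-party ID
ALLOWED_ORIGINS = {"https://login.example.com"}   # assumed legitimate origin


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    try:
        return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))
    except (ValueError, TypeError):
        return b""


def rp_id_allowed_for_origin(rp_id: str, origin: str) -> bool:
    """Simplified browser rule: the RP ID must be the page's host or a
    registrable suffix of it, so a lookalike site cannot request the real one."""
    host = origin.split("://", 1)[1].split("/", 1)[0].split(":", 1)[0]
    return host == rp_id or host.endswith("." + rp_id)


def browser_get_assertion(page_origin: str, requested_rp_id: str, challenge: bytes):
    """Model of browser + security key answering navigator.credentials.get().
    The browser, not the page's JavaScript, fills in 'origin' and the rpIdHash."""
    if not rp_id_allowed_for_origin(requested_rp_id, page_origin):
        raise PermissionError(f"rpId {requested_rp_id!r} not valid for {page_origin}")
    client_data_json = json.dumps({
        "type": "webauthn.get",
        "challenge": b64url_encode(challenge),
        "origin": page_origin,
    }).encode()
    # authenticatorData = SHA-256(rpId) || flags (UP|UV) || 32-bit sign counter
    authenticator_data = (hashlib.sha256(requested_rp_id.encode()).digest()
                          + bytes([0x05]) + (1).to_bytes(4, "big"))
    return client_data_json, authenticator_data


def verify_assertion(expected_challenge: bytes, client_data_json: bytes,
                     authenticator_data: bytes):
    """Relying-party checks that give a security key its phishing resistance."""
    try:
        client_data = json.loads(client_data_json)
    except ValueError:
        return False, "clientDataJSON is not valid JSON"
    if client_data.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if not hmac.compare_digest(b64url_decode(client_data.get("challenge", "")),
                               expected_challenge):
        return False, "challenge mismatch (replay or cross-session)"
    origin = client_data.get("origin")
    if origin not in ALLOWED_ORIGINS:
        return False, f"origin {origin!r} is not the relying party"
    if len(authenticator_data) < 37:
        return False, "authenticatorData too short"
    expected_hash = hashlib.sha256(RP_ID.encode()).digest()
    if not hmac.compare_digest(authenticator_data[:32], expected_hash):
        return False, "rpIdHash does not match RP ID"
    if not authenticator_data[32] & 0x01:
        return False, "user-presence flag not set"
    return True, "ok"


def legitimate_login():
    """Employee on the real login page: passes."""
    challenge = secrets.token_bytes(32)
    cd, ad = browser_get_assertion("https://login.example.com", RP_ID, challenge)
    return verify_assertion(challenge, cd, ad)


def proxied_phish():
    """Lookalike page relays the real site's challenge in real time, the way an
    Okta-impersonating kit would. Challenge matches; origin binding still fails."""
    challenge = secrets.token_bytes(32)                    # fetched by the proxy
    phish_origin = "https://login-example.com.evil.test"   # constructed hostname
    cd, ad = browser_get_assertion(phish_origin, "evil.test", challenge)
    return verify_assertion(challenge, cd, ad)


def phish_claims_real_rp_id():
    """Lookalike page tries to request the real RP ID: the browser refuses."""
    try:
        browser_get_assertion("https://login-example.com.evil.test", RP_ID, bytes(32))
    except PermissionError as exc:
        return False, str(exc)
    return True, "browser allowed a foreign rpId"


if __name__ == "__main__":
    for scenario in (legitimate_login, proxied_phish, phish_claims_real_rp_id):
        print(f"{scenario.__name__}: {scenario()}")
```

The proxied case is the instructive one: a real-time phishing proxy can relay the legitimate challenge, so a challenge check alone proves nothing, and a one-time code typed into the lookalike page would have been relayed just as easily. What the relying party refuses is the origin the browser recorded and the rpIdHash the key signed over, neither of which the phishing page controls. That is the property Lunglhofer's recommendation relies on.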