Cyber Incident Victim: BIGG Digital Assets

Date:

Sep 2023

Location:

Canada

Summary

Netcoins, a cryptocurrency brokerage, experienced a cybersecurity incident where a bad actor accessed its network. The company's internal control systems detected and blocked suspicious crypto withdrawal attempts, preventing any loss of customer funds. An estimated $343,000 CAD was taken from the company's operational float. An unauthorized attempt to access customer personal information was also identified. The firm responded by resetting all customer passwords, updating internal credentials, and initiating a forensic investigation with third-party experts and law enforcement.

Motives: 1 motive
Tactics, Techniques & Procedures: 2 techniques
Threat Actors: 0 actors

Description

On September 17, 2023, Netcoins, an online cryptocurrency brokerage owned by BIGG Digital Assets Inc., was the target of a cybersecurity incident. The company’s internal control systems, which are designed to monitor crypto-asset withdrawals, detected suspicious activity occurring on Netcoins’ hot wallets. These automated systems were triggered by attempted cryptocurrency withdrawals that fell outside of preset and tightly controlled permitted limits. The systems successfully blocked these attempted withdrawals and immediately notified Netcoins staff of the anomalous activity. This initial automated detection and blocking formed the first response to the incident.

Upon receiving the automated notification, Netcoins staff initiated an internal investigation. This investigation determined that a bad actor had gained unauthorized access to the Netcoins network. The company took immediate steps to remove this unauthorized user from its network and to reinforce the overall security of the system. The specific vulnerability that had been exploited by the attacker was addressed by the Netcoins team within one hour of its initial detection. This rapid containment action was a key component of the initial response.

The investigation confirmed that no customer funds or cryptocurrency assets were compromised during the incident. The coins that were successfully withdrawn by the bad actor originated solely from Netcoins’ own operational float. The total value of these withdrawn assets was estimated to be approximately CAD $343,000. As a direct consequence of the incident, Netcoins implemented enhanced security procedures for processing withdrawals. All subsequent cryptocurrency asset withdrawals were subjected to manual review and verification before being performed, adding a significant layer of security to the process beyond the existing automated controls.
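The two controls described above, automated withdrawal limits on the hot wallet that block and alert on out-of-bounds requests, and the post-incident requirement that every withdrawal be held for manual verification, can be modelled as a small policy gate. This is an added illustration, not Netcoins' own code; the limits, timestamps and amounts are constructed sample values.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class WithdrawalPolicy:
    per_tx_limit: int            # largest single withdrawal the hot wallet may sign
    rolling_limit: int           # total allowed within the rolling window
    window: timedelta            # length of the rolling window
    manual_review: bool = False  # post-incident mode: every withdrawal needs human approval


@dataclass
class HotWalletGuard:
    policy: WithdrawalPolicy
    history: list = field(default_factory=list)  # (timestamp, amount) of completed withdrawals
    alerts: list = field(default_factory=list)   # messages that would page on-call staff

    def _recent_total(self, now):
        cutoff = now - self.policy.window
        return sum(amt for ts, amt in self.history if ts > cutoff)

    def request(self, amount, now, approved=False):
        """Decide one withdrawal: 'allow', 'block' (limit breached, staff alerted) or 'hold'."""
        if amount > self.policy.per_tx_limit:
            self.alerts.append(f"{now}: blocked {amount} > per-tx limit {self.policy.per_tx_limit}")
            return "block"
        if self._recent_total(now) + amount > self.policy.rolling_limit:
            self.alerts.append(f"{now}: blocked {amount}, rolling limit {self.policy.rolling_limit} hit")
            return "block"
        if self.policy.manual_review and not approved:
            return "hold"  # queued for manual verification, nothing is signed
        self.history.append((now, amount))
        return "allow"


def demo():
    """Constructed sample sequence; returns the decisions and the alerts raised."""
    guard = HotWalletGuard(WithdrawalPolicy(per_tx_limit=5_000, rolling_limit=20_000,
                                            window=timedelta(hours=24)))
    t0 = datetime(2023, 9, 17, 2, 0)  # constructed timestamp
    decisions = [
        guard.request(1_000, t0),                          # allow
        guard.request(9_000, t0 + timedelta(minutes=1)),   # block: over per-tx cap
        guard.request(4_500, t0 + timedelta(minutes=2)),   # allow, running total 5,500
        guard.request(4_500, t0 + timedelta(minutes=3)),   # allow, 10,000
        guard.request(4_500, t0 + timedelta(minutes=4)),   # allow, 14,500
        guard.request(4_500, t0 + timedelta(minutes=5)),   # allow, 19,000
        guard.request(2_000, t0 + timedelta(minutes=6)),   # block: would reach 21,000
        guard.request(2_000, t0 + timedelta(hours=25)),    # allow: window has rolled over
    ]
    guard.policy.manual_review = True  # enhanced post-incident procedure switched on
    decisions.append(guard.request(1_000, t0 + timedelta(hours=26)))                 # hold
    decisions.append(guard.request(1_000, t0 + timedelta(hours=26), approved=True))  # allow
    return decisions, guard.alerts
```

Note that a "hold" leaves the running total untouched until a reviewer approves it, so the automated limits still apply on top of the manual step rather than being replaced by it.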

During the investigation into the network breach, Netcoins also identified evidence of an unauthorized attempt to remove customer personal information. The company is currently working with third-party cybersecurity experts to conduct a forensic investigation to determine whether this attempted exfiltration of data was successful. The full scope and success of this aspect of the incident remain under active investigation as the company works to ascertain if any customer information was actually accessed or acquired.

As a precautionary measure in response to the incident, Netcoins performed a hard reset on all customer passwords. This action required every user of the platform to set up new credentials to regain access to their accounts following the event. In addition to the customer-facing password resets, Netcoins also updated all of its internal passwords, its password management system, and all relevant tokens and keys used across its network. These comprehensive credential updates were undertaken to prevent any further unauthorized access to its systems by the same or other threat actors.

Despite the incident, Netcoins continued to operate its platform as normal, though with enhanced security procedures in place. The company reiterated that all customer crypto assets and customer funds continued to be securely held in a 1:1 manner, meaning customer assets were fully backed and not used for any other operational purposes. The security of customers and stakeholders was stated as remaining the company's utmost priority throughout the event and its aftermath.

The forensic investigation into the cause and the full scope of the incident is being conducted with the assistance of external, third-party cybersecurity experts. This investigation remains ongoing as the company seeks to fully understand the methods of intrusion and the complete extent of the attacker's activities within its network. As part of its standard protocol for such events, law enforcement agencies have been notified of the cybersecurity incident. The company has committed to updating stakeholders as more information becomes available through the continued forensic analysis.
