Cyber Incident Victim: Coincheck
Date: May 2020
Location: Japan
Summary
Attackers compromised a cryptocurrency exchange's account at its domain registrar and used it to hijack the exchange's primary domain, altering its nameserver delegation so that they could answer DNS queries and route email sent to the domain to servers they controlled. They then ran spear-phishing campaigns against customers, roughly 200 of whom responded. The exchange detected the compromise through traffic anomalies and regained control of the domain, and reported no confirmed theft of funds or unauthorized account access resulting from the incident.
Description
On May 31, 2020, attackers compromised Coincheck's account at the domain registrar Oname.com, gaining control over the Japanese cryptocurrency exchange's primary domain, coincheck.com. They altered the domain's delegation by replacing its legitimate Amazon Route 53 nameserver entry under awsdns-61.org with a host under awsdns-061.org, a lookalike domain the attackers had registered. Controlling a listed nameserver let them answer DNS queries for coincheck.com themselves, and answer them selectively: web records could be left pointing at the real servers, so the site kept working and nothing visibly broke, while mail-related records were pointed at attacker infrastructure. Wholesale redirection of web traffic would have been noticed almost immediately; this approach was not. The attackers used that position to run targeted spear-phishing campaigns in which messages appeared to come from Coincheck's own domain, and replies from the selected customers were delivered to the attackers' servers, where they attempted to harvest account verification details.

Coincheck noticed anomalous network traffic during this period and traced it to the compromise. By 20:52 Tokyo time on June 1, the exchange had regained control of its registrar account, ending roughly 24 hours of unauthorized access.
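
The detection that matters for this class of attack is at the registrar level: is the set of nameservers the parent zone delegates to still the set you pinned when the zone was created, and does each hostname belong to your provider? The following Python check is an added example, not Coincheck's or Oname.com's tooling. It compares an observed delegation against a pinned baseline, flags entries that differ from a baseline host only by zero-padding of a digit run (the awsdns-61 / awsdns-061 trick), and applies a strict pattern for Route 53 nameserver hostnames (ns-<n>.awsdns-<NN>.<tld> with NN in 00-63, stated here as an assumption from Route 53's published naming; pin your own zone's exact NS set rather than trusting the pattern alone). All record sets in the block are constructed sample data, and the hostnames other than the awsdns ones are illustrative.

```python
"""Detect registrar-level delegation drift and lookalike nameservers.

Added example, not the exchange's or registrar's own code. The record
sets below are constructed to mimic the incident: one Route 53 nameserver
swapped for a host under a lookalike domain, and the MX record repointed.
"""
import re

# Assumed Route 53 naming: ns-<n>.awsdns-<NN>.<tld>, NN two digits 00-63.
# 'awsdns-061' has three digits and therefore fails this pattern.
ROUTE53_NS = re.compile(
    r"^ns-\d{1,4}\.awsdns-(?:[0-5]\d|6[0-3])\.(?:com|net|org|co\.uk)$"
)


def normalize(name: str) -> str:
    """Lower-case and drop the trailing dot so 'NS1.example.' == 'ns1.example'."""
    return name.lower().rstrip(".")


def _unpad(name: str) -> str:
    """Strip leading zeros from every digit run: 'awsdns-061' -> 'awsdns-61'."""
    return re.sub(r"\d+", lambda m: str(int(m.group())), normalize(name))


def looks_like(a: str, b: str) -> bool:
    """True if two distinct hostnames collapse to the same string once
    zero-padding is removed, i.e. one is a visual twin of the other."""
    return normalize(a) != normalize(b) and _unpad(a) == _unpad(b)


def check_delegation(observed: dict, baseline: dict) -> list[str]:
    """Compare observed NS and MX sets against the pinned baseline.

    observed / baseline: {"NS": {hostnames}, "MX": {hostnames}}.
    Returns human-readable findings; an empty list means no drift.
    """
    findings = []
    for rtype in ("NS", "MX"):
        want = {normalize(n) for n in baseline.get(rtype, ())}
        got = {normalize(n) for n in observed.get(rtype, ())}
        for name in sorted(got - want):
            twins = sorted(w for w in want if looks_like(name, w))
            if twins:
                findings.append(f"{rtype} lookalike: {name} (baseline has {twins[0]})")
            else:
                findings.append(f"{rtype} unexpected: {name}")
        for name in sorted(want - got):
            findings.append(f"{rtype} missing: {name}")
    # Independent of the baseline: every delegated NS must fit the provider's scheme.
    for name in sorted(normalize(n) for n in observed.get("NS", ())):
        if not ROUTE53_NS.match(name):
            findings.append(f"NS not a valid Route 53 hostname: {name}")
    return findings


# Constructed baseline: the NS set recorded at zone creation plus the MX host.
BASELINE = {
    "NS": {"ns-1536.awsdns-61.org", "ns-2047.awsdns-63.co.uk",
           "ns-512.awsdns-00.com", "ns-900.awsdns-48.net"},
    "MX": {"inbound.mail.example"},
}

# Constructed observation mimicking the hijack: one NS replaced by a lookalike
# domain the attacker controls, and mail repointed to the attacker's host.
HIJACKED = {
    "NS": {"ns-1536.awsdns-061.org", "ns-2047.awsdns-63.co.uk",
           "ns-512.awsdns-00.com", "ns-900.awsdns-48.net"},
    "MX": {"mx.attacker.example"},
}

if __name__ == "__main__":
    for finding in check_delegation(HIJACKED, BASELINE):
        print(finding)
```

In a live deployment the NS set should be read from the parent (TLD) servers, not from the zone's own nameservers, because the delegation is what the registrar compromise changed. Query each delegated nameserver individually for MX and other records too: with one rogue server among several, resolvers only reach it for a share of lookups, so a single query from one vantage point can come back clean.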

In response, Coincheck suspended remittance services on June 2 while keeping other services, including deposits and withdrawals, available. Approximately 200 customers responded to the fraudulent messages, potentially exposing account credentials to the attackers, but Coincheck confirmed it found no evidence of subsequent unauthorized account access or theft of funds. The exchange worked with Oname.com during the investigation, and the registrar independently verified the compromise.

The incident stands against the backdrop of Coincheck's earlier history as the victim of a cryptocurrency theft of roughly $500 million in January 2018, though the 2020 incident involved no direct asset losses. Around the same time, the Japanese exchange Bitbank disclosed a domain hijacking of the same kind, suggesting either coordinated targeting or a shared weakness among regional cryptocurrency platforms. Coincheck resumed normal operations after confirming the integrity of its systems, with no further malicious activity detected after containment.
