Cyber Incident Victim: CoinFire
Date: Jan 2015
Location: United States of America
Summary
A Bitcoin news platform experienced unauthorized access to its domain registrar and Twitter account, resulting in the theft of its domain and defacement of its social media presence. Attackers associated with XPY supporters posted derogatory messages, including false claims that the organization fabricated investigative reports regarding SEC actions against a mining company and its CEO. While the Twitter account was restored with assistance from contacts, the website remained inaccessible, appearing as a parked domain. This incident followed a prior disruptive attack that compromised the site's content management system, causing operational disruptions.
Description
On January 24, 2015, Bitcoin news outlet CoinFire experienced a multi-platform compromise involving its primary domain and associated Twitter account (@CoinFireBlog). The breach began with unauthorized access to CoinFire's domain registrar account, resulting in the theft of their primary domain. Executive editor Mike confirmed via a Reddit post two days prior to the incident's public disclosure that attackers identifying as XPY supporters executed the domain seizure, stating, "They logged in to our domain registrar account and had our domain taken away from us." Concurrently, attackers gained control of the Twitter account, posting derogatory messages disputing CoinFire's investigative reporting on GAW Miners and its CEO Josh Garza. These tweets falsely claimed the outlet fabricated its reporting on a Securities and Exchange Commission (SEC) investigation, specifically referencing CoinFire's possession of 1,000 pages of investigative materials detailing potential regulatory actions against Garza. Messages included "Did you know our SEC articles were fake? We made them up" and explicit threats like "Take over the domain… Take over the twitter. F*ck you coin fire." The website became inaccessible, displaying only a parked domain page following the registrar compromise.

CoinFire initiated recovery efforts immediately after detection, though uncertainty persisted regarding domain recovery. By January 23, the organization regained control of the Twitter account through assistance from a contact at Twitter, confirming via tweet that neither password compromise nor domain expiration caused the breach but characterizing it as "more serious." On January 24, CoinFire announced a new operational domain URL and plans to restore SSL encryption. The primary website remained non-functional at the time of reporting, requiring users to update bookmarks. This incident followed a September 2014 DDoS attack that had previously disrupted CoinFire's content management system, causing performance degradation and page-load failures. The 2015 breach caused operational disruption to news dissemination, reputational harm through fraudulent social media statements, and temporary loss of primary digital assets, with full website restoration efforts ongoing as of the last reported update.
