Cyber Incident Victim: Coinbase Global, Inc.

Date:

Feb 2023

Location:

United States of America

Summary

Attackers targeted employees with SMS phishing links impersonating urgent alerts, leading one recipient to submit valid credentials. The threat actor, prevented from accessing internal systems by multi-factor authentication, then impersonated IT support via phone to manipulate the employee into following unauthorized instructions. The company’s security team detected anomalous activity within minutes, prompting the employee to terminate contact. Limited corporate directory data, including names, email addresses, and phone numbers, was compromised but no customer information or funds were accessed. Tactics mirrored those of a known threat group behind prior widespread phishing campaigns against multiple organizations.

Description

On February 5, 2023, an unidentified threat actor targeted Coinbase employees via SMS messages containing urgent login directives impersonating internal communications. Multiple engineers received these messages around late afternoon or evening on Sunday, directing them to click embedded links to view "important" information. While most employees dismissed the unsolicited alerts, one individual complied and submitted their corporate credentials on a counterfeit Single Sign-On (SSO) page masquerading as a legitimate Coinbase portal. The phishing site subsequently displayed a confirmation message instructing the user to disregard the initial SMS, completing the credential harvest. Approximately 20 minutes after obtaining valid credentials, the attacker attempted remote access to Coinbase systems but was thwarted by multi-factor authentication (MFA) controls blocking unauthorized entry despite possessing legitimate usernames and passwords.

The adversary escalated the intrusion campaign by contacting the same employee via phone, falsely identifying themselves as members of Coinbase's IT department to solicit further assistance. During this direct engagement, the employee followed operational directives from the malicious actor, including logging into their workstation, but grew suspicious due to increasingly unusual requests. Concurrently, Coinbase's Security Information and Event Management (SIEM) systems detected anomalous activity patterns linked to the compromised account within 10 minutes of the initial access attempts. The Computer Security Incident Response Team (CSIRT) intervened by directly messaging the targeted employee, prompting immediate cessation of communication with the threat actor.

Subsequent investigation confirmed that no customer funds, account details, or sensitive systems were breached. However, the attacker successfully exfiltrated limited corporate directory data consisting of employee names, email addresses, and phone numbers. Coinbase attributed the attack's tactics, including the use of domains like sso-cbhq[.]com and infrastructure overlaps with Mullvad VPN, to a sophisticated threat group previously associated with the Scatter Swine/0ktapus phishing campaigns active since 2022.

The company publicly disclosed technical indicators of compromise (IoCs) to assist other organizations in detecting similar intrusions, highlighting attempted downloads of remote desktop tools like AnyDesk, inbound communications from VoIP providers such as Google Voice, and anomalous SSO-related web traffic as key behavioral signatures. No evidence emerged suggesting systemic network infiltration or secondary payload deployment beyond credential harvesting and social engineering manipulations.
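The three host-side signatures Coinbase called out (traffic to an SSO-lookalike domain, an attempted remote-desktop tool download, and a valid password immediately followed by an MFA denial from an unfamiliar source) can be turned into a small correlation rule. The script below is an added example written for this page, not Coinbase's detection logic or any published rule. The log schema (JSON lines with `type`, `ts`, `user`, `host`, `path`, `event`, `ip`), the legitimate portal name `sso.example.com`, the brand tokens and the sample records are all constructed assumptions; only the `sso-cbhq.com` domain and the AnyDesk indicator come from the incident description.

```python
"""Correlate proxy and SSO records for the behaviours described above:
SSO-lookalike hosts, remote-access tool downloads, and a password success
followed by an MFA denial from an IP the account has never completed MFA from.
Log schema, hostnames and sample data are assumptions made for this example."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

LEGIT_SSO_HOSTS = {"sso.example.com"}          # assumed: the real SSO portal
BRAND_TOKENS = ("sso", "okta", "cbhq")          # assumed tokens a lookalike would reuse
RAT_INDICATORS = ("anydesk", "teamviewer")      # remote-access tools worth flagging
MFA_WINDOW = timedelta(minutes=30)              # password_ok -> mfa_denied correlation window


def parse_lines(text):
    """Parse JSON-lines log text into dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def sso_lookalike(host):
    """True for a host that borrows an SSO/brand token but is not the real portal."""
    host = host.lower()
    if host in LEGIT_SSO_HOSTS:
        return False
    return any(token in host for token in BRAND_TOKENS)


def rat_download(host, path):
    """True when host or path names a remote-access tool installer."""
    target = (host + path).lower()
    return any(token in target for token in RAT_INDICATORS)


def detect(records):
    """Return a time-ordered list of (timestamp, user, alert) tuples."""
    alerts = []
    known_ips = defaultdict(set)   # user -> IPs that previously passed MFA
    last_pw_ok = {}                # user -> (ts, ip) of the latest password success
    for r in sorted(records, key=lambda rec: rec["ts"]):
        ts = datetime.fromisoformat(r["ts"])
        user = r.get("user", "?")
        if r["type"] == "proxy":
            path = r.get("path", "")
            if sso_lookalike(r["host"]):
                alerts.append((ts, user, f"sso-lookalike:{r['host']}"))
            if rat_download(r["host"], path):
                alerts.append((ts, user, f"rat-download:{r['host']}{path}"))
        elif r["type"] == "sso":
            ip = r["ip"]
            if r["event"] == "password_ok":
                last_pw_ok[user] = (ts, ip)
            elif r["event"] == "mfa_denied":
                prev = last_pw_ok.get(user)
                # Valid credentials in the attacker's hands look exactly like this:
                # password accepted, MFA refused, source never seen completing MFA.
                if prev and ts - prev[0] <= MFA_WINDOW and ip not in known_ips[user]:
                    alerts.append((ts, user, f"valid-password-mfa-denied-new-ip:{ip}"))
            elif r["event"] == "mfa_ok":
                known_ips[user].add(ip)
    return alerts


# Constructed sample log, not data from the incident. 10.1.2.3 is the employee's
# usual address; 198.51.100.7 stands in for the attacker's VPN exit.
SAMPLE_LOG = """
{"ts":"2023-02-05T17:02:10","type":"sso","user":"eng1","event":"password_ok","ip":"10.1.2.3"}
{"ts":"2023-02-05T17:02:30","type":"sso","user":"eng1","event":"mfa_ok","ip":"10.1.2.3"}
{"ts":"2023-02-05T18:40:05","type":"proxy","user":"eng1","host":"sso-cbhq.com","path":"/"}
{"ts":"2023-02-05T19:00:12","type":"sso","user":"eng1","event":"password_ok","ip":"198.51.100.7"}
{"ts":"2023-02-05T19:00:40","type":"sso","user":"eng1","event":"mfa_denied","ip":"198.51.100.7"}
{"ts":"2023-02-05T19:25:00","type":"proxy","user":"eng1","host":"download.anydesk.com","path":"/AnyDesk.exe"}
{"ts":"2023-02-05T19:26:00","type":"proxy","user":"eng2","host":"sso.example.com","path":"/login"}
"""

if __name__ == "__main__":
    for ts, user, alert in detect(parse_lines(SAMPLE_LOG)):
        print(ts.isoformat(), user, alert)
```

The substring match on brand tokens is deliberately loose and will produce false positives on legitimate third-party hosts; in production the allowlist should be populated from the IdP's own hostnames and the lookalike check paired with newly-registered-domain or certificate-transparency data. The password/MFA correlation is the strongest of the three signals because it does not depend on the attacker's infrastructure at all.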
