Cyber Incident Victim: Celsius Network
Date:
Apr 2021
Location:
Sweden
Summary
A cryptocurrency platform suffered a breach of a third-party email distribution system that exposed part of its customer email list. The attackers used that list to send phishing emails impersonating the company, announcing a fraudulent web wallet and offering a cryptocurrency reward to lure recipients to a lookalike domain. The site asked visitors to connect external wallets and enter their seed phrases, which gave the attackers full control of those wallets and let them drain the funds. The phishing domain was registered through a privacy-focused registrar that has also appeared in infrastructure used by advanced threat actors, a pattern seen in earlier scams that traded on high-profile data breaches.
Description
On April 15, 2021, Celsius Network, a cryptocurrency rewards platform, disclosed a security breach involving a compromised third-party marketing server. According to CEO Alex Mashinsky, unauthorized actors gained access to a backup email distribution system that held a partial list of customer email addresses. The attackers used that access to send fraudulent emails impersonating Celsius, falsely announcing a new Celsius Web Wallet and offering recipients $500 in CEL cryptocurrency if they created a wallet using a promo code included in the message. The emails directed users to celsiuswallet[.]network, a lookalike domain that mimicked a legitimate Celsius service. The site, later taken offline, prompted visitors to link their external cryptocurrency wallets and enter their seed phrases. A seed phrase is the master secret from which a wallet's private keys are derived, so anyone who holds it has full control of the funds; no legitimate service needs a user's seed phrase, and a prompt for one is a reliable phishing indicator. By harvesting these phrases, the threat actors could import victims' personal wallets into their own software and drain them. Celsius confirmed that the phishing emails reached some of its customers, while noting that only the subset of users whose addresses were in the compromised third-party system was affected.

The phishing domain celsiuswallet[.]network initially had DNS records pointing to Njalla, a Sweden-based privacy-focused registrar whose services have also been used by advanced threat actors, including the Russian-linked groups Fancy Bear and Cozy Bear. The same registrar was used for the "Solar Leaks" site created to sell data allegedly stolen in the SolarWinds attacks. Shared use of a privacy registrar is weak evidence of a link between campaigns on its own, since such registrars attract ordinary fraudsters precisely because they hide registrant details; it is an infrastructure overlap worth recording, not an attribution. The fraudulent Celsius emails and text messages relied on standard social engineering: a time-limited promotional offer to make recipients act quickly, wrapped around a page whose real purpose was to collect seed phrases. Celsius issued an advisory stating that the phishing site was unrelated to its official services and that the attack targeted wallets outside the Celsius platform. The company did not describe technical containment measures but confirmed that it was aware of the incident and that the malicious domain had been taken down. The breach exposed customer email addresses and enabled attempted cryptocurrency theft; the financial impact was not quantified in the disclosure.
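The campaign worked because the attackers paired a trusted mailing channel with a domain that merely contained the brand name. Mail sent through a compromised legitimate marketing system passes SPF and DKIM, so sender checks alone do not catch it; the reliable signal is the link target. The following script is an added example, not code from Celsius or from the original report. It flags brand-impersonation domains in inbound mail by extracting link hosts, allowlisting the brand's own domain, and classifying everything else as a lookalike (brand token embedded, or within two edits of the legitimate second-level label) or as unrelated. The legitimate domain `celsius.network`, the helper names, and the two sample messages are assumptions constructed for the example; only `celsiuswallet.network` comes from the page.

```python
"""Flag brand-impersonation links in inbound mail.

Added example; not Celsius Network's code. The allowlist, sample messages and
helper names are constructed for illustration.
"""
import email
import re
from email.message import Message

# Assumed legitimate domain(s) for the brand; the page only names the lookalike.
LEGIT_DOMAINS = {"celsius.network"}
BRAND_TOKENS = {"celsius"}

URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)", re.IGNORECASE)
ADDR_RE = re.compile(r"@([A-Za-z0-9.-]+)")


def registered_domain(host: str) -> str:
    """Last two labels of a hostname. Simplification: no public-suffix list,
    so multi-label suffixes such as co.uk are not handled."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_domain(host: str) -> str:
    """'legit' for an allowlisted domain, 'lookalike' for a domain whose
    second-level label embeds the brand token or sits within two edits of a
    legitimate label, otherwise 'other'."""
    reg = registered_domain(host)
    if reg in LEGIT_DOMAINS:
        return "legit"
    sld = reg.split(".")[0]
    if any(token in sld for token in BRAND_TOKENS):
        return "lookalike"  # e.g. celsiuswallet.network: brand token plus a word
    legit_slds = {d.split(".")[0] for d in LEGIT_DOMAINS}
    if any(edit_distance(sld, legit) <= 2 for legit in legit_slds):
        return "lookalike"  # e.g. celsuis.network: transposed characters
    return "other"


def scan_message(raw: str) -> list[tuple[str, str]]:
    """Return (host, reason) findings for a raw RFC 5322 message."""
    msg: Message = email.message_from_string(raw)
    payload = msg.get_payload(decode=True)
    body = payload.decode(errors="replace") if isinstance(payload, bytes) else str(payload)
    mentions_brand = any(t in body.lower() for t in BRAND_TOKENS)

    findings = []
    for host in sorted(set(URL_RE.findall(body))):
        if classify_domain(host) == "lookalike":
            findings.append((host, "lookalike domain in link"))
    # Sender check is secondary: a compromised legitimate mailer is still "not
    # the brand", which is exactly the pattern in this incident.
    m = ADDR_RE.search(msg.get("From", ""))
    if m and mentions_brand and classify_domain(m.group(1)) != "legit":
        findings.append((m.group(1), "brand named in body, sender is not a brand domain"))
    return findings


# Constructed sample resembling the described campaign (not the real email).
PHISHING_SAMPLE = """\
From: Celsius Network <news@mailer.example-marketing.test>
To: customer@example.test
Subject: Introducing the Celsius Web Wallet

Create your Celsius Web Wallet today and claim $500 in CEL with your promo code:
https://celsiuswallet.network/wallet
"""

# Constructed benign sample from the assumed legitimate domain.
BENIGN_SAMPLE = """\
From: Celsius Network <support@celsius.network>
To: customer@example.test
Subject: Your monthly statement

Your Celsius statement is ready at https://celsius.network/account
"""

if __name__ == "__main__":
    for name, sample in (("phish", PHISHING_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(name, scan_message(sample))
```

The first finding on the phishing sample is the one that matters: the link host embeds the brand token on a different registered domain. The sender finding would also fire on legitimate mail sent through a third-party marketing provider, so in production it belongs in a lower-severity bucket or gated on a DMARC/SPF result rather than treated as a hard block.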
