Hackers attempted to steal cryptocurrency from around 6,000 Coinbase accounts using a social engineering campaign waged in the first half of 2021.
Hackers leveraged Coinbase’s own security protocols to skirt the exchange’s multi-factor authentication procedure and steal crypto from customer accounts.
- The attacks took place between the beginning of March and May 20.
- Hackers acquired a two-factor authentication token via a phishing campaign directed at Coinbase employees.
- Coinbase said it has started to refund affected users.
Hackers took advantage of a “flaw” in Coinbase’s SMS Account Recovery process which handed them a two-factor authentication token via text.
This in turn gave the culprits access to thousands of Coinbase accounts — and their crypto. No word yet on the amount of funds lost to the scheme.
Coinbase, famous for its poor customer service, set up a hotline for clients who had their accounts drained.
Coinbase says it didn’t give up the info
Social engineering attacks directed at large companies often garner access to protected information by tricking employees into believing they’ve been contacted by a senior staff member.
Much like the Coinbase plot, bad actors then use the information to access password-protected user accounts.
In a letter, Coinbase told affected users: “While we are not able to determine conclusively how these third parties gained access to this information, this type of campaign typically involves phishing attacks or other social engineering techniques to trick a victim into unknowingly disclosing login credentials to a bad actor.
“We have not found any evidence that these third parties obtained this information from Coinbase itself,” added the Delaware-headquartered exchange.
According to Coinbase, the hackers must’ve had “prior knowledge of the email address, password, and phone number associated with an account.” They also needed access to a personal email inbox.
The same letter advised users of ways to secure their accounts, including hardware authentication and authentication apps.
Social engineering, so hot right now
Coinbase aside, some of the largest internet giants have fallen victim to social engineering attacks.
In July 2020, a fresh-faced team of teen hackers directed a similar social engineering campaign toward Twitter.
They phished their way into Twitter’s back-end systems, gaining control of around 130 verified accounts tied to celebrities including Jeff Bezos, Kanye West, and Barack Obama, as well as prominent companies like Apple.
The hackers appeared to have leveraged their newfound followings to swindle hundreds of Twitter users out of more than $100,000 in Bitcoin with a giveaway scam.
So far, authorities have detained four of the Twitter hackers. The scam mastermind will serve time in juvie.
Crypto phishers have used false Ledger wallets to trick unwitting investors into sending their crypto straight to addresses controlled by bad actors.
Follow us on Twitter for more informed crypto news.