QUADRIGA INITIATIVE
CRYPTO WATCHDOG & FRAUD RECOVERY PLATFORM
A COMMUNITY-BASED, NOT-FOR-PROFIT
UNKNOWN
MAY 2021
UNITED STATES
COINBASE
DESCRIPTION OF EVENTS
"Coinbase is a secure platform that makes it easy to buy, sell, and store cryptocurrency like Bitcoin, Ethereum, and more." "As the leading mainstream cryptocurrency exchange in the United States, Coinbase has become a standard on-ramp for new crypto investors. Coinbase offers a wide variety of products including cryptocurrency investing, an advanced trading platform, custodial accounts for institutions, a wallet for retail investors, and its own U.S. dollar stable-coin." "Approximately 73 million verified users, 10,000 institutions, and 185,000 ecosystem partners in over 100 countries trust Coinbase to easily and securely invest, spend, save, earn, and use crypto."
"Coinbase was founded in 2012 and is a fully regulated and licensed cryptocurrency exchange supporting all U.S. states except Hawaii. Coinbase initially only allowed for Bitcoin trading but quickly began adding cryptocurrencies that fit its decentralized criteria."
"Its list expanded to include Ethereum, Litecoin, Bitcoin Cash, XRP, and many others with the promise of more as long as its requirements are met."
"Between April and early May 2021, the Coinbase security team observed a significant uptick in Coinbase-branded phishing messages targeting users of a range of commonly used email service providers (you can learn more about phishing in our Help Center.) Though the attack was broad, it demonstrated a higher degree of success bypassing the spam filters of certain older email services."
"The messages used a wide variety of different subject lines, senders, and content. It sometimes sent multiple variations to the same victims. Depending on the variant of email received, different techniques to steal credentials were used as well. The following screenshots show a representative victim experience, but wouldn’t necessarily have been seen in exactly this order by all victims."
"According to a notification letter submitted by Coinbase to the California Attorney General’s Office to affected customers, a vulnerability that allows hackers to bypass Coinbase’s multi-factor authentication SMS option has affected at least 6,000 Coinbase users between March and May 2021. During the 20th day, hackers took advantage of this omission to access the accounts of affected users and transfer user funds from Coinbase."
"Once the attackers had compromised the user’s email inbox and their Coinbase credentials, in a small number of cases they were able to use that information to impersonate the user, receive an SMS two-factor authentication code, and gain access to the Coinbase customer account. With access to these accounts, the attacker was able to transfer funds to crypto wallets unassociated with Coinbase."
“In order to access your Coinbase account, these third parties first needed prior knowledge of the email address, password, and phone number associated with your Coinbase account, as well as access to your personal email inbox. While we are not able to determine conclusively how these third parties gained access to this information, this type of campaign typically involves phishing attacks or other social engineering techniques to trick a victim into unknowingly disclosing login credentials to a bad actor”.
"Coinbase specifies that even those using two-factor authentication or 2FA account protection would still have been hacked due to a flaw in Coinbase’s SMS account recovery process."
"At no point did the attackers breach Coinbase’s security infrastructure or broader systems, and we have made changes to prevent this type of attack succeeding in the future."
"Once we learned of the attack, we took a number of steps to protect our customers, including working with external security partners to take down malicious domains and websites associated with the phishing campaign, as well as notifying the email service providers most impacted by the attack."
"After Coinbase learned of this issue, it immediately updated its SMS account recovery agreement to prevent hackers from further bypassing the authentication process. In addition, Coinbase will deposit funds of the same value into the accounts of affected users. Coinbase has also been working closely with law enforcement agencies and is conducting an internal investigation into the incident."
“We will be depositing funds into your account equal to the value of the currency improperly removed from your account at the time of the incident. Some customers have already been reimbursed — we will ensure all customers affected receive the full value of what you lost”
"At the moment, the total amount robbed and to be refunded has not been stated. The crypto giant is reportedly running an update on the SMS-based 2FA that should make it even stronger in protecting accounts."
“Our goal is to protect our customers as they participate in the cryptoeconomy while also providing them the best user experience possible. That said, we recognize that our work is never done when it comes to security and support — and they remain a top priority for Coinbase.”
Over 6,000 CoinBase users fell victim to a phishing attack, and due to an error in the SMS verification process, funds were able to be drained without completing SMS verification. CoinBase has taken many steps to prevent future phishing attacks and fully covered the losses of affected users.
HOW COULD THIS HAVE BEEN PREVENTED?
Proper multi-factor authentication and approval for withdrawals prevents a single action from resulting in a withdrawal. CoinBase has fully reimbursed all affected users so there were no losses in this case.
Coinbase reveals phishing attack, 6000 users robbed - The Cryptonomist (Oct 5)
SlowMist Hacked - SlowMist Zone (Jun 26)
https://www.coinbase.com/ (Dec 4)
https://www.coinbase.com/about (Dec 4)
Morioh (Dec 4)
Coinbase, hacked accounts and disappointed users - The Cryptonomist (Dec 4)
https://blog.coinbase.com/what-you-need-to-know-about-sms-phishing-attacks-371922915af4 (Dec 4)
https://blog.coinbase.com/continuing-our-commitment-to-customers-introducing-phone-support-for-atos-c9ca788bf85 (Apr 23)
Darknet Diaries - 112: Dirty Coms (Feb 5)
