CoinBase 6000 Users Robbed: Difference between revisions

From Quadriga Initiative Cryptocurrency Hacks, Scams, and Frauds Repository
Jump to navigation Jump to search
No edit summary
No edit summary
 
Line 1: Line 1:
{{Imported Case Study|source=https://www.quadrigainitiative.com/casestudy/coinbase6000usersrobbed.php}}
{{Imported Case Study 2|source=https://www.quadrigainitiative.com/casestudy/coinbase6000usersrobbed.php}}
{{Unattributed Citations}}
{{Unattributed Sources}}


[[File:Coinbase.jpg|thumb|CoinBase]]Over 6,000 CoinBase users fell victim to a phishing attack, and due to an error in the SMS verification process, funds were able to be drained without completing SMS verification. CoinBase has taken many steps to prevent future phishing attacks and fully covered the losses of affected users.
[[File:Coinbase.jpg|thumb|CoinBase]]Over 6,000 CoinBase users fell victim to a phishing attack, and due to an error in the SMS verification process, funds were able to be drained without completing SMS verification. CoinBase has taken many steps to prevent future phishing attacks and fully covered the losses of affected users.


This exchange or platform is based in United States, or the incident targeted people primarily in United States.
This exchange or platform is based in United States, or the incident targeted people primarily in United States.<ref name="cryptonomist-4113" /><ref name="slowmisthacked-1160" /><ref name="coinbase-4114" /><ref name="coinbase-4115" /><ref name="morioh-4116" /><ref name="cryptonomist-4117" /><ref name="coinbaseblog-4118" /><ref name="coinbaseblog-7530" /><ref name="podcastsgoogle-10503" />
<ref name="cryptonomist-4113" /><ref name="slowmisthacked-1160" /><ref name="coinbase-4114" /><ref name="coinbase-4115" /><ref name="morioh-4116" /><ref name="cryptonomist-4117" /><ref name="coinbaseblog-4118" /><ref name="coinbaseblog-7530" /><ref name="podcastsgoogle-10503" />


== About CoinBase ==
== About CoinBase ==
Line 73: Line 72:
!Description
!Description
|-
|-
|May 15th, 2021 12:00:00 AM
|May 15th, 2021
|Main Event
|Main Event
|Expand this into a brief description of what happened and the impact. If multiple lines are necessary, add them here.
|Expand this into a brief description of what happened and the impact. If multiple lines are necessary, add them here.
Line 81: Line 80:
|
|
|}
|}
== Technical Details ==
This section includes specific detailed technical analysis of any security breaches which happened. What specific software vulnerabilities contributed to the problem and how were they exploited?


== Total Amount Lost ==
== Total Amount Lost ==
Line 100: Line 102:
== Ongoing Developments ==
== Ongoing Developments ==
What parts of this case are still remaining to be concluded?
What parts of this case are still remaining to be concluded?
== General Prevention Policies ==
Proper multi-factor authentication and approval for withdrawals prevents a single action from resulting in a withdrawal. CoinBase has fully reimbursed all affected users so there were no losses in this case.
== Individual Prevention Policies ==
{{Prevention:Individuals:Placeholder}}
{{Prevention:Individuals:End}}
== Platform Prevention Policies ==
{{Prevention:Platforms:Placeholder}}
{{Prevention:Platforms:End}}
== Regulatory Prevention Policies ==
{{Prevention:Regulators:Placeholder}}


== Prevention Policies ==
{{Prevention:Regulators:End}}
Proper multi-factor authentication and approval for withdrawals prevents a single action from resulting in a withdrawal. CoinBase has fully reimbursed all affected users so there were no losses in this case.


== References ==
== References ==
<references><ref name="cryptonomist-4113">[https://en.cryptonomist.ch/2021/10/05/coinbase-phishing-attack-6000-users-robbed/ Coinbase reveals phishing attack, 6000 users robbed - The Cryptonomist] (Oct 4, 2021)</ref>
<references><ref name="cryptonomist-4113">[https://en.cryptonomist.ch/2021/10/05/coinbase-phishing-attack-6000-users-robbed/ Coinbase reveals phishing attack, 6000 users robbed - The Cryptonomist] (Oct 5, 2021)</ref>


<ref name="slowmisthacked-1160">[https://hacked.slowmist.io/en/?c=Exchange SlowMist Hacked - SlowMist Zone] (Jun 25, 2021)</ref>
<ref name="slowmisthacked-1160">[https://hacked.slowmist.io/en/?c=Exchange SlowMist Hacked - SlowMist Zone] (Jun 26, 2021)</ref>


<ref name="coinbase-4114">[https://www.coinbase.com/ https://www.coinbase.com/] (Dec 3, 2021)</ref>
<ref name="coinbase-4114">[https://www.coinbase.com/ https://www.coinbase.com/] (Dec 4, 2021)</ref>


<ref name="coinbase-4115">[https://www.coinbase.com/about https://www.coinbase.com/about] (Dec 3, 2021)</ref>
<ref name="coinbase-4115">[https://www.coinbase.com/about https://www.coinbase.com/about] (Dec 4, 2021)</ref>


<ref name="morioh-4116">[https://morioh.com/p/2490cc6cf89a Morioh] (Dec 3, 2021)</ref>
<ref name="morioh-4116">[https://morioh.com/p/2490cc6cf89a Morioh] (Dec 4, 2021)</ref>


<ref name="cryptonomist-4117">[https://en.cryptonomist.ch/2021/08/25/coinbase-hacked-accounts-disappointed-users/ Coinbase, hacked accounts and disappointed users - The Cryptonomist] (Dec 3, 2021)</ref>
<ref name="cryptonomist-4117">[https://en.cryptonomist.ch/2021/08/25/coinbase-hacked-accounts-disappointed-users/ Coinbase, hacked accounts and disappointed users - The Cryptonomist] (Dec 4, 2021)</ref>


<ref name="coinbaseblog-4118">[https://blog.coinbase.com/what-you-need-to-know-about-sms-phishing-attacks-371922915af4 https://blog.coinbase.com/what-you-need-to-know-about-sms-phishing-attacks-371922915af4] (Dec 3, 2021)</ref>
<ref name="coinbaseblog-4118">[https://blog.coinbase.com/what-you-need-to-know-about-sms-phishing-attacks-371922915af4 https://blog.coinbase.com/what-you-need-to-know-about-sms-phishing-attacks-371922915af4] (Dec 4, 2021)</ref>


<ref name="coinbaseblog-7530">[https://blog.coinbase.com/continuing-our-commitment-to-customers-introducing-phone-support-for-atos-c9ca788bf85 https://blog.coinbase.com/continuing-our-commitment-to-customers-introducing-phone-support-for-atos-c9ca788bf85] (Apr 23, 2022)</ref>
<ref name="coinbaseblog-7530">[https://blog.coinbase.com/continuing-our-commitment-to-customers-introducing-phone-support-for-atos-c9ca788bf85 https://blog.coinbase.com/continuing-our-commitment-to-customers-introducing-phone-support-for-atos-c9ca788bf85] (Apr 23, 2022)</ref>


<ref name="podcastsgoogle-10503">[https://podcasts.google.com/feed/aHR0cHM6Ly9mZWVkcy5tZWdhcGhvbmUuZm0vZGFya25ldGRpYXJpZXM/episode/NGE3NTI1NzItNjFmZS0xMWVjLTk0NDItYWJiMDVhYTQwY2U0?ep=14 Darknet Diaries - 112: Dirty Coms] (Feb 5, 2023)</ref></references>
<ref name="podcastsgoogle-10503">[https://podcasts.google.com/feed/aHR0cHM6Ly9mZWVkcy5tZWdhcGhvbmUuZm0vZGFya25ldGRpYXJpZXM/episode/NGE3NTI1NzItNjFmZS0xMWVjLTk0NDItYWJiMDVhYTQwY2U0?ep=14 Darknet Diaries - 112: Dirty Coms] (Feb 5, 2023)</ref></references>

Latest revision as of 17:51, 2 May 2023

Notice: This page is a freshly imported case study from the original repository. The original content was in a different format, and may not have relevant information for all sections. Please help restructure the content by moving information from the 'About' and 'General Prevention' sections to other sections, and add any missing information or sources you can find. If you are new here, please read General Tutorial on Wikis or Anatomy of a Case Study for help getting started.

Notice: This page contains sources which are not attributed to any text. The unattributed sources follow the initial description. Please assist by visiting each source, reviewing the content, and placing that reference next to any text it can be used to support. Feel free to add any information that you come across which isn't present already. Sources which don't contain any relevant information can be removed. Broken links can be replaced with versions from the Internet Archive. See General Tutorial on Wikis, Anatomy of a Case Study, and/or Citing Your Sources Guide for additional information. Thanks for your help!

CoinBase

Over 6,000 CoinBase users fell victim to a phishing attack, and due to an error in the SMS verification process, funds were able to be drained without completing SMS verification. CoinBase has taken many steps to prevent future phishing attacks and fully covered the losses of affected users.

This exchange or platform is based in United States, or the incident targeted people primarily in United States.[1][2][3][4][5][6][7][8][9]

About CoinBase

"Coinbase is a secure platform that makes it easy to buy, sell, and store cryptocurrency like Bitcoin, Ethereum, and more." "As the leading mainstream cryptocurrency exchange in the United States, Coinbase has become a standard on-ramp for new crypto investors. Coinbase offers a wide variety of products including cryptocurrency investing, an advanced trading platform, custodial accounts for institutions, a wallet for retail investors, and its own U.S. dollar stable-coin." "Approximately 73 million verified users, 10,000 institutions, and 185,000 ecosystem partners in over 100 countries trust Coinbase to easily and securely invest, spend, save, earn, and use crypto."

"Coinbase was founded in 2012 and is a fully regulated and licensed cryptocurrency exchange supporting all U.S. states except Hawaii. Coinbase initially only allowed for Bitcoin trading but quickly began adding cryptocurrencies that fit its decentralized criteria."

"Its list expanded to include Ethereum, Litecoin, Bitcoin Cash, XRP, and many others with the promise of more as long as its requirements are met."

"Between April and early May 2021, the Coinbase security team observed a significant uptick in Coinbase-branded phishing messages targeting users of a range of commonly used email service providers (you can learn more about phishing in our Help Center.) Though the attack was broad, it demonstrated a higher degree of success bypassing the spam filters of certain older email services."

"The messages used a wide variety of different subject lines, senders, and content. It sometimes sent multiple variations to the same victims. Depending on the variant of email received, different techniques to steal credentials were used as well. The following screenshots show a representative victim experience, but wouldn’t necessarily have been seen in exactly this order by all victims."

"According to a notification letter submitted by Coinbase to the California Attorney General’s Office to affected customers, a vulnerability that allows hackers to bypass Coinbase’s multi-factor authentication SMS option has affected at least 6,000 Coinbase users between March and May 2021. During the 20th day, hackers took advantage of this omission to access the accounts of affected users and transfer user funds from Coinbase."

"Once the attackers had compromised the user’s email inbox and their Coinbase credentials, in a small number of cases they were able to use that information to impersonate the user, receive an SMS two-factor authentication code, and gain access to the Coinbase customer account. With access to these accounts, the attacker was able to transfer funds to crypto wallets unassociated with Coinbase."

“In order to access your Coinbase account, these third parties first needed prior knowledge of the email address, password, and phone number associated with your Coinbase account, as well as access to your personal email inbox. While we are not able to determine conclusively how these third parties gained access to this information, this type of campaign typically involves phishing attacks or other social engineering techniques to trick a victim into unknowingly disclosing login credentials to a bad actor”.

"Coinbase specifies that even those using two-factor authentication or 2FA account protection would still have been hacked due to a flaw in Coinbase’s SMS account recovery process."

"At no point did the attackers breach Coinbase’s security infrastructure or broader systems, and we have made changes to prevent this type of attack succeeding in the future."

"Once we learned of the attack, we took a number of steps to protect our customers, including working with external security partners to take down malicious domains and websites associated with the phishing campaign, as well as notifying the email service providers most impacted by the attack."

"After Coinbase learned of this issue, it immediately updated its SMS account recovery agreement to prevent hackers from further bypassing the authentication process. In addition, Coinbase will deposit funds of the same value into the accounts of affected users. Coinbase has also been working closely with law enforcement agencies and is conducting an internal investigation into the incident."

“We will be depositing funds into your account equal to the value of the currency improperly removed from your account at the time of the incident. Some customers have already been reimbursed — we will ensure all customers affected receive the full value of what you lost”

"At the moment, the total amount robbed and to be refunded has not been stated. The crypto giant is reportedly running an update on the SMS-based 2FA that should make it even stronger in protecting accounts."

“Our goal is to protect our customers as they participate in the cryptoeconomy while also providing them the best user experience possible. That said, we recognize that our work is never done when it comes to security and support — and they remain a top priority for Coinbase.”

This exchange or platform is based in United States, or the incident targeted people primarily in United States.

The background of the exchange platform, service, or individuals involved, as it would have been seen or understood at the time of the events.

Include:

  • Known history of when and how the service was started.
  • What problems does the company or service claim to solve?
  • What marketing materials were used by the firm or business?
  • Audits performed, and excerpts that may have been included.
  • Business registration documents shown (fake or legitimate).
  • How were people recruited to participate?
  • Public warnings and announcements prior to the event.

Don't Include:

  • Any wording which directly states or implies that the business is/was illegitimate, or that a vulnerability existed.
  • Anything that wasn't reasonably knowable at the time of the event.

There could be more than one section here. If the same platform is involved with multiple incidents, then it can be linked to a main article page.

The Reality

This sections is included if a case involved deception or information that was unknown at the time. Examples include:

  • When the service was actually started (if different than the "official story").
  • Who actually ran a service and their own personal history.
  • How the service was structured behind the scenes. (For example, there was no "trading bot".)
  • Details of what audits reported and how vulnerabilities were missed during auditing.

What Happened

The specific events of the loss and how it came about. What actually happened to cause the loss and some of the events leading up to it.

Key Event Timeline - CoinBase 6000 Users Robbed
Date Event Description
May 15th, 2021 Main Event Expand this into a brief description of what happened and the impact. If multiple lines are necessary, add them here.

Technical Details

This section includes specific detailed technical analysis of any security breaches which happened. What specific software vulnerabilities contributed to the problem and how were they exploited?

Total Amount Lost

The total amount lost is unknown.

How much was lost and how was it calculated? If there are conflicting reports, which are accurate and where does the discrepancy lie?

Immediate Reactions

How did the various parties involved (firm, platform, management, and/or affected individual(s)) deal with the events? Were services shut down? Were announcements made? Were groups formed?

Ultimate Outcome

What was the end result? Was any investigation done? Were any individuals prosecuted? Was there a lawsuit? Was any tracing done?

Total Amount Recovered

There do not appear to have been any funds recovered in this case.

What funds were recovered? What funds were reimbursed for those affected users?

Ongoing Developments

What parts of this case are still remaining to be concluded?

General Prevention Policies

Proper multi-factor authentication and approval for withdrawals prevents a single action from resulting in a withdrawal. CoinBase has fully reimbursed all affected users so there were no losses in this case.

Individual Prevention Policies

No specific policies for individual prevention have yet been identified in this case.

For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.

Platform Prevention Policies

Policies for platforms to take to prevent this situation have not yet been selected in this case.

For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.

Regulatory Prevention Policies

No specific regulatory policies have yet been identified in this case.

For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.

References

  1. Coinbase reveals phishing attack, 6000 users robbed - The Cryptonomist (Oct 5, 2021)
  2. SlowMist Hacked - SlowMist Zone (Jun 26, 2021)
  3. https://www.coinbase.com/ (Dec 4, 2021)
  4. https://www.coinbase.com/about (Dec 4, 2021)
  5. Morioh (Dec 4, 2021)
  6. Coinbase, hacked accounts and disappointed users - The Cryptonomist (Dec 4, 2021)
  7. https://blog.coinbase.com/what-you-need-to-know-about-sms-phishing-attacks-371922915af4 (Dec 4, 2021)
  8. https://blog.coinbase.com/continuing-our-commitment-to-customers-introducing-phone-support-for-atos-c9ca788bf85 (Apr 23, 2022)
  9. Darknet Diaries - 112: Dirty Coms (Feb 5, 2023)
Retrieved from "https://quadrigainitiative.com/cryptocurrencyhackscamfraudwiki/index.php?title=CoinBase_6000_Users_Robbed&oldid=4032"