Over several weeks starting in May, a group of hackers dubbed CRYPTO3/HYDSEVEN sent harmless emails to, initially, some 200 Coinbase employees.
The emails were sent from compromised accounts belonging to the UK's Cambridge University.
“The identities associated with the email accounts have almost no online presence,” Coinbase says. So Cambridge University itself might have been hacked.
There, “they prepared a series of pages by cloning and modifying existing Cambridge University pages and making them available in the personal storage directories of the attacker-controlled accounts.”
With the facade prepared, someone named Gregory Harris claimed he was a research grants administrator and wanted the Coinbase employees to help judge contestants for an economics prize.
After gaining some trust to make it all credible, the hackers figured out the more valuable targets through social engineering, sharing harmless links to the contest page in preparation for getting them to click on the exploit payload.
That was sent to only five Coinbase employees with two Firefox zero-day exploits utilized, described as:
The second one “has only been possible since May 12. This indicates a very rapid discovery-to-weaponization cycle on the part of the attacker,” Coinbase says.
It might also indicate very quick planning: perhaps they hacked Cambridge University first through this same method, with this group of hackers seemingly moving pretty quickly.
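The two-stage lure described above (several benign links to the cloned contest pages to build rapport, then a late link to the page carrying the exploit) is a pattern a mail gateway can look for. The following is an added example, not Coinbase's tooling and not code from the incident write-up: it triages constructed mail-gateway records and flags a message when a sender who has already exchanged a few single-host links with the same recipient suddenly introduces a link to a new host, or when any link lands in a per-user storage directory on a shared web host. The log format, the domains and the personal-storage path patterns are all assumptions made for the example.

```python
"""Link-pattern triage for inbound mail, modelled on the two-stage lure
described on this page. Added example code; not Coinbase's tooling.
Record layout, domains and path patterns are constructed assumptions."""
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample mail-gateway records: (message id, sender, recipient, url).
# The sender name and domains are invented for the example.
SAMPLE_MAIL = [
    ("m1", "g.harris@example-university.ac.test", "alice@exchange.test",
     "https://www.example-university.ac.test/research/prize"),
    ("m2", "g.harris@example-university.ac.test", "alice@exchange.test",
     "https://www.example-university.ac.test/research/prize/judges"),
    ("m3", "g.harris@example-university.ac.test", "alice@exchange.test",
     "https://people.example-university.ac.test/~gh123/prize/submit.html"),
    ("m4", "newsletter@vendor.test", "bob@exchange.test",
     "https://vendor.test/news/june"),
]

# Assumed path shapes for per-user storage directories on a shared web host
# (e.g. /~user/, /users/user/, /people/user/, /home/user/).
PERSONAL_STORAGE = re.compile(r"^/(~[^/]+|users?/[^/]+|people/[^/]+|home/[^/]+)(/|$)")


def link_features(url):
    """Extract the host and whether the path looks like personal storage."""
    parsed = urlparse(url)
    return {
        "host": parsed.hostname or "",
        "personal_storage": bool(PERSONAL_STORAGE.match(parsed.path)),
    }


def triage(records, min_rapport_msgs=2):
    """Return a list of (message id, reasons) for messages worth a look.

    A message is flagged when the same sender/recipient pair has already
    exchanged at least min_rapport_msgs messages and this one introduces a
    link host not seen before between them, or when its link lands in a
    personal-storage directory. Records are processed in log order."""
    seen_hosts = defaultdict(set)   # (sender, recipient) -> hosts linked so far
    msg_count = defaultdict(int)    # (sender, recipient) -> messages seen so far
    flagged = []
    for mid, sender, rcpt, url in records:
        key = (sender, rcpt)
        feats = link_features(url)
        reasons = []
        if feats["personal_storage"]:
            reasons.append("link to personal storage directory")
        if msg_count[key] >= min_rapport_msgs and feats["host"] not in seen_hosts[key]:
            reasons.append("new link host after rapport-building messages")
        if reasons:
            flagged.append((mid, reasons))
        seen_hosts[key].add(feats["host"])
        msg_count[key] += 1
    return flagged


if __name__ == "__main__":
    for mid, reasons in triage(SAMPLE_MAIL):
        print(mid, "->", "; ".join(reasons))
```

Run stand-alone, the script flags only `m3`, the late message whose link moves off the host the earlier messages used and into a `~user` directory. Both heuristics are deliberately noisy on their own (plenty of legitimate academic pages live under `/~user/`); the value is in the combination with a sender who has no prior history with the organisation, which is the situation the page describes.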
Coinbase says “it feels like the work of a group that has significant experience developing exploits,” with one employee ending up clicking. At that point they “revoked all credentials that were on the machine, and locked all the accounts belonging to the affected employee.”
They also say "Coinbase Security Operations received a number of alerts about unusual endpoint activity," with the crypto exchange and broker understandably not giving much detail on how they stopped this hack, save to say:
“We were able to defend ourselves from this attack due to our security-first culture at Coinbase, complete deployment of our detection and response tooling, clear and well-practiced playbooks, and the ability to rapidly revoke access.”
Why they thought it fit to make this public is not clear; as a very prominent exchange, plenty already assumed they were being targeted.
The question was always whether anyone will succeed. They haven’t so far and hopefully never will.