When more than a dozen Coinbase employees got an email in May from an administrator at the University of Cambridge in the UK, nothing about the message raised any red flags. Someone named Gregory Harris, who said he was a “research grants administrator” at the university, told the recipients he needed their help judging contestants for an economics prize.
Some of the employees exchanged additional emails with this account during the next two weeks; still nothing amiss. Little did they know that this was all part of a devious scheme.
Whoever was really behind this account was playing a long game, aiming to gain access to Coinbase’s back-end network and steal some of the billions of dollars’ worth of cryptocurrency the company stores on behalf of its users. On June 17, the attacker sent another email. This time it contained a URL that, if opened in the Firefox browser, would install malware that could take over the user’s computer. According to Coinbase’s security team, it was part of a “sophisticated, highly targeted” attack.
Newly published details provide a rare look at the anatomy of an attack on a cryptocurrency exchange. The Coinbase team managed to detect and block the attack before any funds were stolen, but in the process the defenders discovered they were up against an extremely adept foe.
What was unique about the attack, says Philip Martin, the company’s chief information security officer, was its sheer cost and the unusually high level of effort behind it. “It really underscores for me how seriously the attackers are taking the [cryptocurrency] space,” he says.
These were sophisticated professionals operating on a big budget, says Martin. That’s evident in that they exploited two separate previously unknown bugs—also known as “zero-day” vulnerabilities—in Mozilla’s Firefox browser. It’s not known if the attackers in this case discovered these vulnerabilities or somehow acquired them. “Browser zero-days in general are not cheap,” says Martin, and exploiting them requires highly skilled hackers. Martin estimates that launching the attack cost between half a million and a million dollars.
Samuel Groß, a researcher at Google’s Project Zero, a security team devoted specifically to finding zero-day vulnerabilities, appears to have independently discovered one of the bugs the attackers used. He reported it to Mozilla on April 15. The second bug appeared after a change was made to Firefox’s codebase on May 12. Mozilla has issued patches for both of them.
The rapid “discovery-to-weaponization” speed in this case impressed Martin, who previously worked as Palantir’s information security lead. But it was the attack’s “really, really, really high-quality social engineering” that stood out to him the most: “This is the most effort I have seen in the social-engineering phase, period.”
By using compromised academic email addresses, the attackers slipped past common filtering and spam detection tools. Subsequent correspondence between the attackers and their marks took place over the course of weeks. Most of the people who were targeted thought they were having a genuine human interaction—the messages got personal, referencing the backgrounds of the people being phished. The attackers even apparently created LinkedIn pages for their fake identities.
Unmasking cyber-assailants is notoriously difficult, but Martin’s team thinks a shadowy group called HYDSEVEN, which has been linked to several assaults on crypto exchanges since 2016, may be to blame. Not much is known about the group other than its affinity for swiping digital coins, but according to a recent report from Japanese security company LAC, HYDSEVEN has been tied to attacks in Japan and Poland as well.
Since they steal money, rather than conduct espionage or pursue some other military objective, Martin says they’re likely a criminal outfit, as opposed to state-sponsored. But state-backed hackers have also been known to target cryptocurrency exchanges—according to a new UN report, North Korea has generated an estimated $2 billion using “widespread and increasingly sophisticated” cyberattacks to steal from banks and cryptocurrency exchanges.
In terms of their capabilities, there’s no sharp distinction between state-sponsored hackers and today’s most sophisticated criminal groups, says Martin. Either way, attacks like this show that cryptocurrency companies must be prepared to fend off highly skilled attackers who may exploit previously unknown vulnerabilities, he says: “As this space continues to grow and develop and gain traction, it’s also going to gain traction with more and more sophisticated attackers.”