What can we learn from the latest Coinbase cyberattack?

Cryptocurrency exchange Coinbase has fended off a cyberattack that might have been mounted by the same attackers that targeted Twillio, Cloudflare and many other companies last year.

Leveraging smishing and vishing, the attackers tried to trick Coinbase employees into sharing login credentials and installing remote desktop applications, and were only partly successful: the company’s incident response team quickly reacted to “unusual activity” alerts and, in the end, the attackers were unable to access customer information or steal funds.

How the Coinbase cyberattack unfolded

The attack started on a Sunday, February 5th, 2023, when a number of Coinbase employees received a text message saying that they needed to urgently log into the company systems via a provided link, so they could receive an important message.

Only one of the targeted employees fell for the ruse and entered their credentials into the provided phishing page. Armed with that info, the attackers tried to access company systems, but because they didn’t have the second authentication factor at hand, they were unsuccessful.

So they tried another tactic: getting the employee on the phone by impersonating Coinbase’s IT staff, convincing them to log into their workstation, and to install software that would allow the attackers to access the system without needing access credentials…