Coinbase: How we managed to stop an attack, billions of dollars in cryptocurrency survived

Coinbase, a cryptocurrency exchange, revealed that it was the target of a "complex, highly targeted, organized and planned attack," which it stopped. The goal of the attack was to break into the exchange's systems, presumably to steal the billions of dollars in cryptocurrency it holds.

In an article on Friday, Coinbase published the technical details of the attack and how it responded. Coinbase said the attackers used a variety of techniques to trick the exchange's employees into giving them access to important systems: phishing, social engineering, and browser zero-day exploits.

The attack began on May 30, when more than a dozen employees received an email from a "Gregory Harris," presented as a research grants administrator at Cambridge University. The emails were not generic: they accurately referred to each employee's background and asked them to help evaluate some projects.

Coinbase says:

"This email did come from a University of Cambridge domain, did not contain malicious elements, passed spam detection, and accurately identified the recipient's background. Over the next few weeks we received similar emails. There seemed to be nothing wrong with them."

The attacker kept exchanging emails with several Coinbase employees until "Harris" began sending malicious content on June 17. On that day, "Harris" sent another email containing a URL that, when opened in the Firefox browser, would install malware capable of taking over the victim's computer.

Coinbase said, "Within a few hours, the Coinbase security team detected and blocked the attack."

The article pointed out that the first stage of the attack fingerprinted the operating system and browser on the target machine; macOS users who were not running Firefox were shown a convincing fake error and prompted to install the latest version of the application.

When the emailed URL was opened in Firefox, the exploit code was served from a second domain, registered on May 28. Coinbase said it was at this point that the attack was detected, "based on an employee's report and automatic alerts."
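Two of the signals in the account above, delivery only to Firefox clients and a freshly registered exploit domain, can be turned into a simple triage heuristic over proxy logs. The script below is an added illustration, not code from the article or from Coinbase; it assumes the proxy records the browser family and the response content type, and uses constructed log records and a constructed domain-registration table in place of real telemetry and WHOIS/RDAP lookups.

```python
from collections import defaultdict
from datetime import date

# Constructed registration dates; a real deployment would query WHOIS/RDAP.
DOMAIN_REGISTERED = {
    "staging.example.test": date(2019, 5, 28),  # young, like the domain registered May 28
    "cdn.well-known.test": date(2012, 3, 4),
}

# Constructed proxy records: (day, user, browser family, host, response content type)
PROXY_LOG = [
    (date(2019, 6, 17), "alice", "Firefox", "staging.example.test", "application/javascript"),
    (date(2019, 6, 17), "bob", "Safari", "staging.example.test", "text/html"),
    (date(2019, 6, 17), "carol", "Firefox", "cdn.well-known.test", "image/png"),
    (date(2019, 6, 17), "dave", "Chrome", "cdn.well-known.test", "image/png"),
]


def young_domain_hits(log, registered, max_age_days=30):
    """Requests to hosts registered fewer than max_age_days before the request."""
    hits = []
    for day, user, browser, host, _ctype in log:
        reg = registered.get(host)
        if reg is not None and (day - reg).days < max_age_days:
            hits.append((user, browser, host))
    return hits


def browser_cloaking(log):
    """Hosts that gave Firefox a content type no other browser saw on the same day."""
    # The lure fingerprinted the browser and served the exploit only to Firefox;
    # a proxy that records the response content type can see that split.
    seen = defaultdict(lambda: defaultdict(set))  # (day, host) -> browser -> types
    for day, _user, browser, host, ctype in log:
        seen[(day, host)][browser].add(ctype)
    flagged = set()
    for (_day, host), by_browser in seen.items():
        firefox = by_browser.get("Firefox", set())
        others = set().union(*(t for b, t in by_browser.items() if b != "Firefox"))
        if firefox and others and not (firefox & others):
            flagged.add(host)
    return sorted(flagged)


def alerts(log=PROXY_LOG, registered=DOMAIN_REGISTERED):
    """Hosts that fire on both signals are the strongest leads for triage."""
    young = {host for _u, _b, host in young_domain_hits(log, registered)}
    return sorted(young & set(browser_cloaking(log)))
```

Either signal alone is noisy (new CDNs are young, many sites serve browser-specific assets); the intersection is what is worth an analyst's time.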

Analysis showed that a second stage delivered a further malicious payload: a variant of the Mokes backdoor targeting macOS.

Coinbase explained that the attack used two separate Firefox zero-day vulnerabilities: "one allowed the attacker to escalate JavaScript privileges in the browser page (CVE-2019-11707), and the other allowed the attacker to escape the browser sandbox and execute code on the host (CVE-2019-11708)."

Coinbase tracks the group as CRYPTO-3, also known as HYDSEVEN. The group took over or created two email accounts and set up a page at Cambridge University.

Coinbase says:

"We don't know when the attacker gained access to the Cambridge accounts, or whether the accounts were taken over or newly created. As others have pointed out, the identity associated with the email account is almost impossible to find online, and the personal information on LinkedIn is almost certainly fake."

Coinbase said that after discovering that an employee's computer had been compromised, it revoked all credentials present on that machine and locked all of the employee's accounts.

"After we determined that we had regained control, we contacted the Mozilla security team and shared the exploit code used in the attack. Mozilla's security team responded quickly and released a patch for CVE-2019-11707 the next day, and a patch for CVE-2019-11708 the same week."

Coinbase also contacted Cambridge University to report the incident, help resolve it, and learn more about the attackers' methods.

Coinbase concludes:

"The cryptocurrency industry will continue to see similarly sophisticated attacks. By building defensive infrastructure and sharing attack intelligence, we will be able to protect ourselves and our customers, support the crypto economy, and build an open financial system for the future."