When more than a dozen Coinbase employees got an email in May from an administrator at the University of Cambridge in the UK, nothing about the message raised any red flags. Someone named Gregory Harris, who said he was a “research grants administrator” at the university, told the recipients he needed their help judging contestants for an economics prize.
Some of the employees exchanged additional emails with this account during the next two weeks; still nothing amiss. Little did they know that this was all part of a devious scheme.
Whoever was really behind this account was playing a long game, aiming to gain access to Coinbase’s back-end network and steal some of the billions of dollars’ worth of cryptocurrency the company stores on behalf of its users. On June 17, the attacker sent another email. This time it contained a URL that, if opened in the Firefox browser, would install malware that could take over the user’s computer. According to Coinbase’s security team, it was part of a “sophisticated, highly targeted” attack.
Newly published details provide a rare look at the anatomy of an attack on a cryptocurrency exchange. The Coinbase team managed to detect and block the attack before any funds were stolen, but in the process the defenders discovered they were up against an extremely adept foe.
What was unique about the attack, says Philip Martin, the company’s chief information security officer, was its sheer cost and the unusually high level of effort behind it. “It really underscores for me how seriously the attackers are taking the [cryptocurrency] space,” he says.
These were sophisticated professionals operating on a big budget, says Martin. That’s evident from the fact that they exploited two separate previously unknown bugs—also known as “zero-day” vulnerabilities—in Mozilla’s Firefox browser. It’s not known if the attackers in this case discover...