Coinbase, the San Francisco-based cryptocurrency exchange, has explained how it discovered and then foiled an attack on its network and averted the potential loss of millions of dollars worth of cryptocurrencies.

The exchange published a blog post on Thursday, explaining how hackers used a combination of methods – including phishing and the exploitation of a zero-day vulnerability – to attempt to trick employees and circumvent security protocols.

A zero-day event is software security flaw that is known to the provider, but hasn’t yet been patched and can be – if discovered by malicious agents – exploited to gain access to the user’s systems.

How it Happened

Coinbase explained on its blog post that on May 30, more than a dozen of its employees received an email supposedly from Gregory Harris, a research grants administrator at Cambridge University. The email passed spam detection and looked authentic, having come from a genuine Cambridge domain.

Phishing email sent to Coinbase

On June 17, “Gregory Harris” sent another email – this time containing a URL that, when opened in Firefox, would install malware capable of taking over that person’s computer by exploiting a Firefox zero-day vulnerability.

Coinbase said it detected and blocked the attack within hours of the second email thanks, in part, to the discovery of the vulnerability by Samuel Gross of Google's Project Zero.

The Attacker

The attack was attempted by a group known to Coinbase as CRYPTO-3 that the exchange has been previously aware of, and is also known as HYDSEVEN. Philip Martin, who wrote the Coinbase blog, commented:

While the core vulnerability has been present in Firefox for quite a while, the way this attacker chose to trigger the vulnerability has only been possible since May 12. This indicates a very rapid discovery-to-weaponization cycle on the part of the attacker.

He added that overall, the attack felt like the work of a group that has significant experience in developing exploits.

During the first “Gregory Harris” email phase, the attackers went through a qualification process and multiple rounds of emails – ensuring they could identify a number of high-payoff targets, before directing these victims to the page containing the exploit payload.

Coinbase’s Response

The exchange said it began investigating the incident based on reports from both an employee and from automated alerts. Coinbase said:

We revoked all credentials that were on the machine, and locked all the accounts belonging to the affected employee. Once we were comfortable that we had achieved containment in our environment, we reached out to the Mozilla security team and shared the exploit code used in this attack.

Later, Coinbase reached out to Cambridge University to collect more information and learned that more than 200 individuals at several organizations were targeted by the attacks.

The exchange concluded in its blog post:

We were able to defend ourselves from this attack due to our security-first culture at Coinbase, complete deployment of our detection and response tooling, clear and well-practiced playbooks, and the ability to rapidly revoke access.