Coinbase Crypto Exchange Ensnared in Oktapus-Related Smishing Attack

Published: 23/11/2024   Category: security




Some employees' personal data was leaked, but the company responded swiftly to a socially engineered incident that gained access to legitimate employee login credentials.



Threat actors targeted employees of cryptocurrency exchange Coinbase in a smishing attack that exposed a limited amount of personal employee data, after cyberattackers bypassed multifactor authentication (MFA) to gain direct access to its corporate system.

Coinbase outlined the attack — which the company believes is connected to the previously identified Oktapus campaign that targeted several Okta employees with malicious SMS messages — in a recent blog post, providing an in-depth, step-by-step account of how it unfolded, escalated, and was eventually thwarted without a major breach.
One of the employees who was targeted responded to an attacker's SMS and gave up credentials to the corporate system; the person then received a follow-up phone call attempting to gain access after initial attempts to log in were blocked by MFA security. Coinbase's Computer Security Incident Response Team (CSIRT) responded within 10 minutes of the attack to shut it down, preventing a far more serious incident, the company said.

The situation once again demonstrates how human error remains a key factor in the success of cyberattacks, and the risk that increasingly sophisticated social engineering campaigns pose to the enterprise, Jeff Lunglhofer, Coinbase's CISO, noted in the blog post.

While situations like this are never easy to talk about, Coinbase revealed and detailed the attack in the interest of transparency, as well as to help other organizations understand the potential risks from smishing in order to protect themselves from similar incidents, he said.

"They are embarrassing for the employee, they are frustrating for cybersecurity professionals, and they are frustrating for management," Lunglhofer wrote. "But as a community we need to be more open about issues like this."

Coinbase is a cryptocurrency exchange with more than 1,200 employees worldwide and more than 108 million verified users, making it an attractive target for financially motivated threat actors, Lunglhofer said.
The recent attack occurred on Sunday, Feb. 5, when the mobile phones of several Coinbase employees received SMS messages indicating that they needed to urgently log in to their Coinbase accounts via a link to receive an important message, according to the post.
While most of the targeted employees ignored the message, one didn't, clicking on the link and eventually providing threat actors with their username and password. Attackers then proceeded to log in to the Coinbase system using the legitimate employee credentials, but could not provide the correct MFA credentials and were thus blocked from access.

While many attacks would stop here, this one didn't, most likely because the attacker is associated with a highly persistent and sophisticated attack campaign that has been targeting scores of companies since last year, Lunglhofer wrote. That Okta attack spree, dubbed Oktapus by the researchers at Group-IB who discovered it, resulted in the compromise of 9,931 accounts at more than 130 organizations.
Twenty minutes after the initial SMS message, the phone of the compromised employee rang. On the line was the attacker, claiming to be from Coinbase corporate IT and in need of the employees help. The employee once again believed the request was legitimate and followed attacker instructions, logging in to the Coinbase system and responding to what became increasingly suspicious requests from the attacker.
The employee's actions gave up some limited contact information for Coinbase employees — including names, email addresses, and some phone numbers — but did not expose any customer info or other sensitive data, nor did the attackers gain the ability to steal Coinbase crypto, the company said.

Eventually, Coinbase's CSIRT intervened and reached out to the smishing victim to ask about unusual behavior and usage patterns associated with their account, and the employee terminated communication with the attacker, he wrote. CSIRT then suspended the employee's account access and launched an investigation.

In this case, the cleanup after the attack was relatively quick, Lunglhofer said. However, the incident provides useful takeaways as to why sophisticated, socially engineered phishing attacks are still so successful even though they've been occurring since the emergence of the mainstream Internet, and despite broad awareness of them.

One important point to note is that even the savviest cyber-aware person can be fooled by a clever, socially engineered attack because of humans' natural tendency to want to get along and be part of the team, Lunglhofer noted. "Under the right circumstances nearly anyone can be a victim," he wrote.
Indeed, research shows that the human factor remains one of the top reasons data breaches occur. This means that using the excuse that successful phishing scams are merely an employee training problem is a cop-out, and organizations have to put in place a proactive cyber-defense system that can act quickly in the case of employee compromise, Lunglhofer wrote.

Coinbase provided a list of the attackers' tactics, techniques, and procedures (TTPs) to help enterprises prevent attacks or recognize suspicious login attempts on the corporate system. In particular, login attempts to corporate applications from third-party VPN services should be flagged as suspicious, as they may be using stolen credentials, cookies, or other session tokens, Lunglhofer observed.
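The two detection points the article describes (logins to corporate apps from third-party VPN exits, and a password-accepted-but-MFA-failed burst followed shortly by a successful login for the same user from elsewhere, which is the shape of the SMS-then-phone-call sequence above) can be expressed as simple rules over identity-provider authentication events. The following is an added example written for this page, not Coinbase's own detection logic or TTP list; the VPN exit ranges, event field names and log entries are all constructed for illustration, and a real deployment would load VPN ranges from an IP-reputation feed and read events from the SSO/IdP audit log.

```python
import ipaddress
from datetime import datetime, timedelta

# Hypothetical commercial VPN exit ranges (constructed; documentation-only
# address blocks). In production these come from an IP-reputation / VPN feed.
VPN_EXIT_RANGES = [ipaddress.ip_network(c) for c in ("203.0.113.0/24", "198.51.100.0/24")]

# Constructed sample of IdP authentication events. "password_ok_mfa_failed"
# means the password was accepted but the MFA step was not completed.
SAMPLE_EVENTS = [
    {"ts": "2023-02-05T10:00:10", "user": "alice", "ip": "192.0.2.10",   "event": "login_success"},
    {"ts": "2023-02-05T10:05:00", "user": "bob",   "ip": "203.0.113.7",  "event": "password_ok_mfa_failed"},
    {"ts": "2023-02-05T10:05:30", "user": "bob",   "ip": "203.0.113.7",  "event": "password_ok_mfa_failed"},
    {"ts": "2023-02-05T10:25:00", "user": "bob",   "ip": "192.0.2.55",   "event": "login_success"},
    {"ts": "2023-02-05T11:00:00", "user": "carol", "ip": "192.0.2.22",   "event": "password_ok_mfa_failed"},
    {"ts": "2023-02-05T11:00:40", "user": "carol", "ip": "192.0.2.22",   "event": "login_success"},
    {"ts": "2023-02-05T12:00:00", "user": "dave",  "ip": "198.51.100.9", "event": "login_success"},
]

AUTH_EVENTS = ("login_success", "password_ok_mfa_failed")


def is_vpn_exit(ip: str) -> bool:
    """True if the address falls inside a known commercial VPN exit range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in VPN_EXIT_RANGES)


def _parse(events):
    return sorted(
        (dict(e, ts=datetime.fromisoformat(e["ts"])) for e in events),
        key=lambda e: e["ts"],
    )


def detect(events, window: timedelta = timedelta(minutes=30)):
    """Return alerts for the two patterns; rule-1 alerts first, then rule-2."""
    evs = _parse(events)
    alerts = []

    # Rule 1: any authentication attempt against corporate apps from a VPN exit,
    # deduplicated per (user, ip) so a burst of attempts yields one alert.
    seen = set()
    for e in evs:
        if e["event"] in AUTH_EVENTS and is_vpn_exit(e["ip"]):
            key = (e["user"], e["ip"])
            if key not in seen:
                seen.add(key)
                alerts.append({"rule": "vpn_source", "user": e["user"],
                               "ip": e["ip"], "ts": e["ts"]})

    # Rule 2: MFA failures for a user from one address, then a successful login
    # for that user from a different address within the window. A user mistyping
    # a code and retrying from the same device (carol) does not match.
    for i, e in enumerate(evs):
        if e["event"] != "login_success":
            continue
        prior = [p for p in evs[:i]
                 if p["user"] == e["user"]
                 and p["event"] == "password_ok_mfa_failed"
                 and p["ip"] != e["ip"]
                 and e["ts"] - p["ts"] <= window]
        if prior:
            alerts.append({"rule": "mfa_fail_then_success_elsewhere",
                           "user": e["user"], "ip": e["ip"], "ts": e["ts"],
                           "prior_ips": sorted({p["ip"] for p in prior})})
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(a["ts"].isoformat(), a["rule"], a["user"], a["ip"], a.get("prior_ips", ""))
```

On the constructed sample this raises three alerts: bob's MFA-failed attempts from a VPN exit, dave's successful login from a VPN exit, and bob's later success from a different address twenty minutes after the failed MFA attempts. Both rules are deliberately cheap to run on streaming IdP logs; the second one is the signal that lets a response team reach the affected employee while the phone call is still in progress, which is what the article credits with limiting the damage.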
