News Security

Coinbase Employees Targeted in Mozilla Firefox Zero-Day Attacks

Pinterest LinkedIn Tumblr

As Coinbase is the most popular cryptocurrency exchange in the U.S., it’d be the delight of hackers across the world to penetrate its infrastructure. One such attacker or group of attackers tried to do exactly that this week, using not one but two critical zero-day vulnerabilities affecting Mozilla’s popular Firefox web browser.

Coinbase security expert Philip Martin confirmed as much on Wednesday, describing in a post-mortem Twitter thread how the malicious agent used a reported and initially unreported zero-day vulnerability in an attempt to “target Coinbase employees.”


Mozilla had formally addressed the vulnerabilities by June 18th. Google Project Zero security researcher Samuel Groß reportedly discovered the initial bug as early as April 2019.

Moving forward, the aforementioned Martin said the Coinbase security team is currently analyzing the attacker’s infrastructure and methodologies in an attempt to more clearly understand what happened and — better yet — who might be responsible.

Martin added that Coinbase had reached out and was working with other unspecified cryptocurrency organizations that the exchange thought were targeted in the nefarious campaign. He noted no customers appeared to have been affected by the incident and said Coinbase was willing to collaborate with other stakeholders.

Luckily for everyone involved, the episode didn’t take a turn for the catastrophic, i.e. Coinbase employee accounts being commandeered to steal cryptocurrency or users’ data. But the attempted attack serves as yet another reminder that cryptocurrency exchange employees are being increasingly targeted by hackers, for they hold the keys — pun intended — to their kindgoms.

Malware Found on Coincheck Employee Computers

Whoever the Coinbase attacker was, they failed to penetrate the exchange’s infrastructure. However, not every platform has been so lucky in recent years — consider Japanese cryptocurrency exchange Coincheck, for example.

Moreover, experts now think they might know how the January 2018 Coincheck hack occurred.

New evidence suggests the hack — which has proved to be the largest in the cryptoeconomy to date — may have been conducted via Russian malware placed on employee computers.

That’s per new reporting out this week that revealed how the viruses of Netwire and Mokes, both of which originate from Russia’s nook of cyberspace, have been discovered on the computers of Coincheck employees.

It’s still not clear who was using the viruses, but cybersecurity experts have said the presence of Netwire and Mokes suggests the culprits may have been Russian, or in the very least, Eastern Europeans with familiarity with Russian tools.

Of course, it’s entirely possible the Coincheck hackers weren’t Russians at all. The usage of Netwire and Mokes may have been a shrewd feint by whoever was responsible. Ever since the attack took place, speculation has swirled that the North Korean hacker team Lazarus Group was involved. In any case, Lazarus Group’s specialized “Bluenoroff” team presumably has the requisite skills and tools to have compromised Coincheck.

The January 2018 hack was massive, though it only affected the exchange’s NEM (XEM) hot wallet. The attacker was able to make off with 520 million XEM, which were then worth $530 million USD.

Exchanges Have to Be on Their Toes

“How did the hackers know our risk management rules so precisely,” Binance chief operating officer Changpeng Zhao wrote in a security recap after Binance was hacked out of 7,000 bitcoin this spring. “Do we have a mole?”

It’s unclear if Zhao and his colleagues ever got to the bottom of those questions with any confidence, but even that they were posed shows how ripe and difficult to deal with employee attack vectors are.

Binance has since optimized its security practices that much further, but the fact remains: attackers will continue to probe it and other major exchanges for any possible weak spots.

Important Note: There have been reports of scammers approaching companies via Telegram, LinkedIn and Other Social platforms purporting to represent Blockonomi and offer advertising offers. We will never approach anyone directly. Please always make contact with us via our contact page here.


William M. Peaster is a professional writer and editor who specializes in the Ethereum, Dai, and Bitcoin beats in the cryptoeconomy. He's appeared in Blockonomi, Binance Academy, Bitsonline, and more. He enjoys tracking smart contracts, DAOs, dApps, and the Lightning Network. He's learning Solidity, too! Contact him on Telegram at @wmpeaster

Write A Comment

1inch Exchange
As Featured In
As Featured In