Published on

What Exchanges are Targets?

Authors
  • avatar
    Name
    n0 Sec
    Twitter

Introduction

Fraudsters who conduct SIM swaps are constantly looking to take advantage of security shortcomings in both customers and cryptocurrency exchanges. While nearly all cryptocurrency exchanges are vulnerable to SIM swaps, some are especially advantageous to target. The most commonly targeted exchange that I witnessed while analyzing blackhat marketplaces and groupchats is Coinbase. CoinMarketCap, a website that tracks data regarding cryptocurrencies, ranks Coinbase Exchange as the 8th most visited cryptocurrency exchange globally as of May 2022, making it popular enough to have plenty of targets. Coinbase has decent protection against SIM swaps that’s still improving, but they’re still a very popular target for cryptocurrency thieves and extremely vulnerable. This is not solely Coinbase's fault however - it is the responsibility of the customer to take proper steps to attempt to secure themselves from SIM swaps. This includes actively checking their phone/e-mail, using unique and long passwords for their e-mail and exchange accounts, amongst implementing a fraud lock onto their mobile carrier account to make it one step harder for fraudsters to conduct a SIM swap.

Coinbase only recently became the most targeted cryptocurrency exchange due to an exploit discovered in Coinbase. Coinbase had an endpoint in their application programming interface (API) that allowed for the balance to be checked on any account, given that the fraudster has their e-mail and password. This vulnerability allowed the fraudsters to see their balance despite any 2FA settings enabled on the account. This let fraudsters know who were viable targets with balance sitting in their account, opposed to blindly targeting cryptocurrency exchange accounts hoping that the victim has account balance. This exploit was popular for months and was patched in December 2021 after Coinbase realized the severity of the exploit, this exploit has been decently well covered, such as on a Darknet Diaries episode where a person who previously conducted SIM swaps discusses the logistics of the balance checker. This vulnerability being patched resulted in panic amongst the community as the fraudsters realized finding targets to SIM swap would become harder and riskier, as they no longer had eyes on target’s balance. To this date, fraudsters still try to SIM swap targets whose balance was checked on the balance checker when it was still working, essentially targeting leftover potential victims. However, progressively, these targets have diminished, and SIM swappers have had to expand their options on how to find targets.

Coinbase Ranking
Coinbase Balance Check

How People SIM Swap Coinbase Accounts Now

Coinbase accounts, while the balance can no longer be precisely checked, is still commonly targeted by fraudsters. Coinbase has not only restricted the ability to check balance of users, but also increased their security to prevent unauthorized withdrawals that are related to on-chain transactions. On-chain transactions are transactions that take currency off the Coinbase ecosystem and put onto the live blockchain, which is where fraudsters gain unlimited freedom with the stolen cryptocurrency. It is first important to understand how fraudsters choose which cryptocurrency accounts to target.

Fraudsters can estimate Coinbase accounts balance if the victim shares the same password across their Coinbase and their email. These targets are referred to by fraudsters as full access (FA), meaning the fraudster has access to the target email with no 2FA restriction. The fraudsters check if the victims share their Coinbase password with their email password using a tool called Cashbase. Cashbase has indicators regarding the balance using Coinbase’s emails to victims. Coinbase gives account holders the option to disable their account for a period of time, to help prevent holders not being able to interrupt their account being compromised, and the text related to the disable link indicates the balance in the account. If Coinbase offers a non-time bound disable feature, it indicates the balance is at minimum $100, while if Coinbase offers a 24-hour disable feature, it indicates the balance is at least $50,000, and clients with over $250,000 in their account have the ability to disable their account for 48-hours. This gives fraudsters an idea of which targets are viable and worth targeting, obviously a target with a 24 to 48 hour hold option is advantageous as its clear that the target has high balance anywhere upwards of $50,000 dollars.

24 hour disable

Cashbase Website
Cashbase Interface

Once the fraudster has found viable targets, whether through Cashbase or a result from the old precise balance checker, the fraudster must find someone to SIM swap the target’s phone line. This is normally the easy part of the process; a fraudster just needs to find a swap service on the market. As of this article’s publication in May 2022, I have observed people offering AT&T and T-Mobile swap services legitimately on blackhat market daily, sometimes for just a 50% split of the victim’s account balance when the victim has been compromised by the fraudster. However, the fraudster must be prepared and in communications with the SIM swapper actively to conduct the SIM swap. This is because of Coinbase’s 48-hour account lock referred to as the ‘1440’ error amongst fraudsters – where Coinbase detects that a target has been SIM swapped and locks the customer’s account, as shown in the below image.

1440
Cashbase Estimated Balance

To bypass the 1440 error, the approach fraudsters take is very simple. The fraudster logins into the account moments before the SIM swap, resulting in Coinbase not detecting the SIM swap. The code will still send to the new phone that the service of the victim has been put onto. This however can be risky, sometimes the SIM swapper and the fraudster accessing the Coinbase account aren’t synchronized, so the fraudster misses their chance. The tactic utilized here is ‘porting’ – which bypasses the 1440’s detection radar. This can be done with SIM swapping tools, many people compromising T-Mobile targets SIM swap the line and then port it to T-Mobile’s “Prepaid” system, which is identical to T-Mobile’s main system, but there is a distinction in the 1440 detection amongst Coinbase’s system. For other carriers, people tend to port out to a more vulnerable provider such as Boost Mobile currently.

Atlas

After conducting the SIM swap, logging in, and then providing the SMS 2FA token, Coinbase will ask the user to authorize the login via email due to the login being from a new device. The fraudster will need to then reset the password to the customer’s email, and this can be a multivariable equation alone. Gmail accounts are the hardest to compromise as they tend to have ‘push confirmation’, a form of verification that cannot be SIM swapped for, it is local to the owner’s phone. Yahoo has a similar option, but Gmail automatically puts this form of verification on the customer’s account. Yahoo’s reset flow is far more susceptible to SIM swaps and thereby is more targeted by fraudsters. Additionally, Yahoo is one of the few email providers compatible with Cashbase, as it is nearly impossible to login to a Gmail without being prompted for additional verification thereby the owners of Cashbase don’t bother implementing Gmail into the array of supported emails. If the email password reset went well, the fraudster will then be tasked with securing the email from the account owner. This normally involves changing the password, implementing Google Authenticator, and changing the phone number on file so the owner cannot access their account even when phone service is returned to the victim.

Google Push Example

When the fraudster is logged into the account entirely, the process becomes simple. The fraudster converts the victim’s cryptocurrency holdings to an individual coin, transfers them to Coinbase Pro edition, and then sets up an API key for the account. This API key will allow withdrawals using automated software. The fraudster will use a withdrawal bot to withdrawal the account’s balance in $99 segments to prevent Coinbase from blocking withdrawals. For large target, this can involve thousands of withdrawals, but due to the API key and automation of the process, this typically takes less than 5 minutes. The entire process once the Coinbase account is compromised becomes quick to experienced fraudsters. The code behind the withdrawal bot itself is only a few lines of Python and is fairly intuitive to use for the fraudsters, as it uses Coinbase Pro’s API directly. The limit for Coinbase Pro on most accounts is $250,000, which is normally far more than what victims have in their account regardless.

Ironically, while writing this article, on May 13th Coinbase has potentially patched the withdrawal script being popularly utilized by fraudsters. Coinbase allows the user to withdrawal, however the on-chain transaction is delayed for review by Coinbase, frequently resulting in the victim being able to buy time before they permanently lose their currency. Buying time allows the victim to work with Coinbase to lock the account and prevent any on-chain withdrawals from happening. There are other methods to withdrawal Coinbase, however they require the fraudster to obtain a false ID of their victim to provide to Coinbase. Due to how recent the patching of the withdrawal bot was, the tactics used by fraudsters to withdrawal right now aren’t completely clear.

Withdrawal bot

Aside from just stealing the money in an account’s balance, some fraudsters add more money to the victim’s account balance to take it from them. This is done via ‘Coinbase loading’, where fraudsters connect stolen debit cards to Coinbase accounts and purchase large sums of cryptocurrency within the account’s limits. Coinbase will allow long-time customers to spend up to $7,500 via debit card per monthly on Coinbase to instantly buy cryptocurrency. This amount is limited to prevent Coinbase loading from becoming too damaging to Coinbase. The fraudsters will purchase a compromised bank account and use the stolen card information on a compromised account with high limits to get a few extra thousand dollars out of the account, which they can then use the withdrawal bot on again. The most common method for loading Coinbase is using compromised Wells Fargo accounts, typically obtained via phishing campaigns, then connecting the debit account to Apple Pay. Apple Pay will require that the account owner verifies their identity, typically through SMS or email verification, which the fraudster will do via compromising the e-mail or SIM swapping the victim’s phone line. This is typically a different victim than the subject of the original SIM swap. A Wells Fargo account with about $7,500 normally cost fraudsters less than $500, making loading the account a profitable endeavor. The only other associated fee would be the cost to conduct a SIM swap on the bank account owner. Once the debit card is connected to Apple Pay (which was contingent upon the fraudster verifying their identity as the owner of bank account), the fraudster then uses the Coinbase app to purchase chunks of $500 to $1,000 portions of cryptocurrency until the $7,500 limit is exhausted. This process is often outsourced to someone else to make it easier for the fraudster, as some fraudsters collect high balance bank account information just to load accounts at a 50/50 rate with whoever brings the Coinbase account with high limits. People who load Coinbase accounts are always looking for people with high Coinbase limits – meaning it’s much easier to find someone providing Coinbase loading than to find an account that is loadable. You may notice that in your own Coinbase account your account allows for large bank transfers, up to hundreds of dollars sometimes, and wonder why fraudsters don’t take advantage of this instead. This is because bank transfers take days in most circumstances, and the victim of the transfer can dispute the transaction before its finalized, and even if they do not, the compromised Coinbase account in most situations is returned by Coinbase to the victim days before the bank transfer is complete.

Loading Limits on Coinbase
Wells Fargo Transaction
Citi Bank with Balance

Uphold

Uphold through the month of April and May became a popularly targeted cryptocurrency exchange amongst fraudsters. Uphold had the same balance checking vulnerability that Coinbase had; fraudsters were able to see any customer’s balance given they had the correct combination of e-mail and password, regardless of the customer’s 2FA settings. Fraudsters began cracking massive amounts of Uphold accounts and targeting accounts with high balance. Uphold is a much easier option than Coinbase, it requires no withdrawal bot, there is no 1440 error, and targets are easy to find. Additionally, the cracking configuration spread rapidly throughout the community likely resulting in too many people simultaneously trying to take advantage of Uphold’s vulnerability. This was the first balance checker to touch the blackhat community since the Coinbase balance check, so fraudsters were more than enthusiastic to try to get their hands on it. All it requires to run a cracking configuration such as Uphold’s is HTTP residential proxies and combolist, which you can learn more about in this post and this post.

Uphold Config
Uphold Logged In

The process for withdrawing the currency of an Uphold account was fairly straightforward until recently, where Uphold introduced frequent withdrawal reviews. Before the security changes implemented by Uphold, the fraudster would SIM swap the victim’s line, log into the account, provide the SMS 2FA token, then compromise the email to confirm the login from a new device. The fraudster could then secure the email for the duration of the attack and could move on to cashing out the cryptocurrency in the account. To do so, the fraudster must put an authenticator onto the account, as it’s a requirement by Uphold to have authenticator app connected to the account to conduct on-chain transactions. Opposed to installing an app on their phone, fraudsters typically used online authenticators and repositories of Google Auth such as this. This made the process extremely easy and quick for vulnerable targets, it didn’t require any sort of specialized withdrawal script or procedure that only the more experienced SIM swappers have their hands on.

Uphold Withdrawal Review

Currently, rumors are circulating the blackhat community that Uphold accounts are still vulnerable to SIM swaps if the fraudster is willing to withdrawal in $75 segments, like Coinbase. However, I have not found evidence to confirm this claim.

Cointracker

Right now, fraudsters are in a stage of experimentation. The procedural process of balance checking Coinbases, knowing who to target, and then executing a SIM swap on a target is becoming increasingly difficult. Fraudsters are trying to find cryptocurrency targets that they have visibility on their balance, but the methods are reducing. There are websites that track user’s different balances amongst different cryptocurrency exchanges, such as Cointracker, which fraudsters will focus on to try to gain visibility on their target. However, frequently these sites required heightened authentication as they are aware of the massive security problem that results from allowing users to see a victim’s account balance, even if they don’t have access to withdrawal the victim’s balance. Additionally, people are utilizing programs to estimate balance by searching compromised email accounts.

“DB Targets”

Right now, due to the lack of stability, fraudsters are tending not to target a certain cryptocurrency exchange but rather users who are very likely to have cryptocurrency. Fraudsters are purchasing large databases of sites that were user’s information were leaked, typically related to cryptocurrency. For instance, cryptocurrency cold wallet company Ledger’s database was leaked, resulting in millions of e-mails and several hundred thousand addresses and phone numbers to be leaked of customers. Fraudsters go through databases similar to these and conduct OSINT on massive amounts of targets to narrow down who could be viable, vulnerable targets. There are an overwhelming number of targets, many who won’t have balance in any online cryptocurrency exchange, so it is the role of the fraudster to try to narrow down databases to only its easiest, best targets. Of course, this raises the question, what makes a target good?

A viable database target has either a phone number or email that can be further investigated. More information on the target makes the process of targeting the customer easier, so a database that provides as much information as possible is preferrable to fraudsters. The fraudster will need the target’s phone number and name. Most fraudsters at this step will use automated bots to investigate the targets, seeing if their associated email, name, or phone number were associated with any previous data breaches. The best target’s current password is the same as previous leaked ones, fraudsters will create combolist from database targets with the associated email and passwords associated with the email in past data breaches, allowing them to try to login to the target’s email. With email access, the fraudster will be able to verify whether the target is viable for a SIM swap. The fraudster will look up cryptocurrency related search terms in the victim’s email, looking for any exchanges they may be able to breach. Additionally, fraudsters will look through the target’s email for any noted cryptocurrency seeds or images of their cryptocurrency wallet. Database targets are far less procedural than the aforementioned means of finding and targeting victims, thereby the process is different for each fraudster, however this is a fairly simple general framework. The best thing cryptocurrency investors can do is store their seed phrase on paper and ensure that any images that securely kept, actively update their passwords, use specialized emails just for cryptocurrency related business, and utilize app-based authenticators such as Google Authenticator.

Social Engineering

Social engineering is one of the commonly used methods currently to compromise cryptocurrency exchange accounts. Specifically, Coinbase accounts are targeted with social engineering attacks, especially those who are fraud locked at their carrier. Victims with fraud lock on their mobile carrier account are, in most cases, protected from SIM swaps, so if a fraudster knows a target has balance in their account but they cannot be SIM swapped, they will try to socially engineer the account owner as a Coinbase employee. The social engineer typically accepts targets from SIM swappers and accepts a percentage of the target’s balance as payment. The social engineer hosts a website that they will guide the target through when calling them. Typically, it begins with a login screen where the fraudster will gain the target’s password, and after this convince the target to enter a 2FA code to login. Simultaneously to this, the fraudster will be logging into the Coinbase and use the 2FA code that the victim enters in the phishing site. To successfully withdrawal the account balance, the fraudster will need the target to continuously click links and follow instructions that can be suspicious, hence why the success rate is so low. More advanced social engineers use phone number spoofers to further authenticate themselves as a Coinbase employee to the victim. A popular number spoofer is SpoofCard, which can act as a voice changer and a phone number spoofer simultaneously. The end goal of socially engineering the target is to enable Google Authenticator and remove the target’s phone number from the account.

Coinbase Panel

However, it is rare that a fraudster attempts to completely compromise an account like the example. More often, fraudsters target Google Authenticator targets to conduct account actions, which requires far less codes and trust from the user. Additionally, some compromised Coinbase users counter being compromised by having their account disabled through Coinbase. The fraudsters however have a counter for this counter, which involves socially engineering the target. The fraudster will walk the target through the ‘recovery flow’, which is real, however keep full access of the account opposed to letting the victim recovery it properly through Coinbase.

Conclusion

Fraudsters have a variety of techniques to target cryptocurrency users, but as of now it looks like the cryptocurrency exchanges are making progress in their attempts to limiting the severity and effectiveness of attacks. Hopefully as time progresses cryptocurrencies make further attempts to protect users and users make larger efforts to protect themselves from attacks. If you’re a cryptocurrency holder, I hope if you got anything out of this it’s: use app-based multi factor-authentication when you can, enable a fraudlock with your carrier, and use unique passwords for each service you utilize that you update periodically.