Hackers target Coinbase, Binance staff with phishing clones of Gmail, iCloud

Cybersecurity researchers have identified a new phishing toolkit dubbed CryptoChameleon, which targets employees of Coinbase, Binance, Gemini, and Kraken.

A phishing campaign employing a new toolkit dubbed CryptoChameleon has emerged, targeting Federal Communications Commission (FCC) employees as well as staff of crypto companies like Coinbase, Binance, Gemini, Kraken, ShakePay, and Trezor.

As reported by analysts at cybersecurity firm Lookout, the attackers craft convincing single sign-on pages for Okta, a cloud service provider for authentication, resembling authentic ones. The multi-stage social engineering attack also involves emails, SMS, and voice phishing to trick the target into sharing usernames, passwords, password reset URLs and even photo IDs from victims, mostly located in the U.S., the firm says.

“This phishing kit first asks the victim to complete a captcha using hCaptcha. This is a novel tactic that prevents automated analysis tools from crawling and identifying the phishing site.”

Lookout

The phishing kit uses real-time interaction with victims, allowing customization of pages to include phone number digits, enhancing legitimacy. Analysis by Lookout revealed over 100 successful phishing attempts and ongoing phishing activity, primarily hosted on servers by Hostwinds, Hostinger, and Russia-based RetnNet.

At the time of writing, neither Coinbase nor Binance, Kraken, or Gemini has released public statements regarding the matter. It also remains unclear whether the hackers have gained unauthorized access to private data.

In January, analysts at the blockchain security firm SlowMist disclosed that more than 80% of comments on publications of prominent projects on X were related to phishing software. According to the firm, scammers have been actively acquiring X accounts for fraudulent activities on Telegram, a popular cloud messaging platform, mainly targeting well-known crypto projects.