Today, Celsius Network, a popular cryptocurrency lending platform, confirms a data breach due to a phishing attack that exposed customer information.
Celsius CEO Alex Mashinsky stated that a third-party server used for email marketing had been compromised, and threat actors managed to exfiltrate a portion of the company’s customer list and sent a phishing email to Celcius customers.
“An unauthorized party managed to gain access to a backup third-party email distribution system which had connections to a partial customer email list. Once inside the system, this unauthorized party sent a fraudulent email announcement, of which we know some of the recipients to be Celsius customers.”
After stealing the customer list, hackers sent out phishing emails with a link that opened a website with Celsius branding – celsiuswallet[.]network, which is now down. The site prompted the victim to create a Celsius Web Wallet and provide their seed phrase.
“The intent was to make the recipients believe the fraudulent email came from Celsius, that the fraudulent site was a true Celsius site, and to take ownership of recipients’ cryptocurrency assets from their personal (non-Celsius) wallet by prompting the user to provide the seed phrase to their personal wallet address,” disclosed a Celsius advisory.
The phishing emails and web pages impersonating Celsius Network promoted a non-existent Celsius Web Wallet. To lure people to the site, the threat actors made fake promises of $500 in the CEL cryptocurrency that the victim would get if they created a wallet and entered a special promo code.
The malicious website asked visitors to link their other crypto wallets which involved providing that wallet’s seed phrase. This allowed the threat actors to import the victim’s wallet and steal cryptocurrency in it.
According to VirusTotal, the celsiuswallet[.]network phishing domain was registered at the Njalla, a Swedish registrar that is a favorite of such threat actors as the Fancy Bear and Cozy Bear Russian hacking groups.