The Japanese service cryptocurrency exchange, Coincheck, announced that he fell victim hacking attack. The attackers violated one of them domain names and used it for spear-phishing attacks to customers of the service.
Coincheck has discontinued some of its services platform on Tuesday to investigate the incident. Other activities, such as withdrawals and deposits, have not been excluded.
According to one reference released on Tuesday, the company said the original attack took place on Sunday 31 May. The hackers acquired access to Coincheck's account on Oname.com (company domain registrar).
Koincheck did not provide technical details attack. However, the Japanese security researcher Masafumi Negishi said the attackers modified the basic DNS entry for Coincheck's coincheck.com domain.
Coincheck uses the service Amazon's DNS. This means that an Amazon DNS server handled the various processes.
According to Masafumi, the hackers recorded a similar domain on the AWS server and replaced the original awsdns-61.org to awsdns-061.org (extra 0 ahead of 61) in Oname.com's backend. This allowed the attackers to manage DNS queries for the Coincheck portal.
The hackers did not use this access to redirect all the traffic of the service to a "Coincheck clone", because such a attack it would be immediately apparent.
So they started sending spear-phishing emails to specific users. The emails were supposed to come from the coincheck.com domain. In fact, user responses were sent to hackers' servers.
Coincheck said she spotted the attack when she noticed some "irregularities" in traffic. The attackers had access to the company's domain until Monday, June 1, 20:52, Tokyo time.
According to Coincheck, hackers contacted at least 200 customers.
At present, we do not know if the hackers used in some way the data they obtained through spear-phishing emails.
In 2018, the exchange service was hacked and lost 500 million dollars.