Quadriga Initiative

Apr 2021 - Celsius Network Phishing Attack - $Unknown (United States)

"Celsius Network is a cryptocurrency loan company." "Celsius was founded in 2017 with the mission to harness blockchain technology to provide unprecedented financial freedom, economic opportunity, and income equality for the 99%." "Celsius Network Limited was incorporated on 9 February 2018."

"Celsius is proud to provide a platform of curated services that have been abandoned by big banks – things like fair interest, zero fees, and lightning quick transactions. Our goal is to disrupt the financial industry, one happy user at a time, and introduce financial freedom through crypto."

"Celsius is not a bank, depository institution, custodian or fiduciary and the assets in your Celsius account are not insured by any private or governmental insurance plan (including FDIC or SIPC), nor are they covered by any compensation scheme (including FSCS)."

"On April 14, 2021, Celsius customers began reporting a fraudulent website claiming to be an official Celsius platform. We also became aware of some Celsius customers receiving SMS and email messages, that claimed to be official Celsius communication, linking to that website, and prompting recipients to enter sensitive information."

"By now, Celsius customers had also received SMS on their phones along with emails, posing as Celsius. All fraudulent communication from the hackers was concluded by a link to the spoofed website, where a contact form snatched sensitive information of the users who fell for the trick."

"Celsius CEO Alex Mashinsky stated that Celsius' third-party marketing server was compromised, and threat actors gained access to a partial Celsius customer list." "An unauthorized party managed to gain access to a back-up third-party email distribution system which had connections to a partial customer email list. Once inside the system, this unauthorized party sent a fraudulent email announcement, of which we know some of the recipients to be Celsius customers."

"The intent was to make the recipients believe the fraudulent email came from Celsius, that the fraudulent site was a true Celsius site, and to take ownership of recipients’ cryptocurrency assets from their personal (non-Celsius) wallet by prompting the user to provide the seed phrase to their personal wallet address."

"After gaining access to the customer list, the threat actors impersonated Celsius Networks in phishing texts and emails that promoted a new Celsius Web Wallet. As an incentive to get people to visit the site, the text states Celsius is offering $500 in the CEL cryptocurrency if they create a wallet and enter a special promo code."

"Hey Celsians! Have you heard the news?! We're thrilled to share that the Celsius Web Wallet is officially live! Celsius is surpassing milestones faster than you can say 'Satoshi Nakomoto' - and it's all thanks to YOU! To celebrate the launch of our new web wallet, we're giving away $500 in CEL with the promo code WEBWALLET500 for a limited time only!"

"How to receive $500 CEL: (1) Create your Celsius Web Wallet by following the steps for the wallet create process. (2) Include your promo code WEBWALLET500 to claim $500 in CEL after completing registration. (3) Follow the step-by-step tutorial on how the Celsius Web Wallet works." "Tune in to our AMA tomorrow with Alex for a more detailed update on the milestone and a preview of other exciting news on the horizon."

"When you attempted to create this fake wallet, the site asked visitors to link their other online wallets and input those wallets' seed phrases. Once this seed phrase is provided, the threat actors can import your wallet and steal any cryptocurrency within it." "VirusTotal shows that the celsiuswallet[.]network phishing domain initially had a DNS SOA record that indicated it was registered at the Njalla registrar." "Njalla is a registrar located in Sweden that is a favorite for certain threat actors, such as the Fancy Bear and Cozy Bear Russian hacking groups."

"I’ll start with the most important news: all funds are safe. Our back-end systems remain fully secure and have not been breached. Customer funds and sensitive data are not affected nor connected to any front-facing or external communications platforms."

"I would like to reassure our community that Celsius remains fully secure and our own systems have not been breached in any way. Customer funds and sensitive data are safe within our back-end systems, and our security team has done an incredible job to identify the situation and very quickly notify the Celsius community with extreme urgency on the steps and precautions to be followed. This rapid response has helped minimize the impact to the Celsius community."

"Our team is actively working to understand how the unauthorized party managed to gain access to the third-party email distribution system and the source of the list used to send fraudulent communications via SMS." "The team is still investigating how the hackers gained access to the phone numbers of Celsius’ clients, considering the security breach occurred with an email management system."

"We are checking with all of our third-party vendors and within other recent external/public data leaks to understand where this information came from and if third-party platforms have been vulnerable to any related incidents. We know that customers who had not registered an email or phone number with Celsius also received fraudulent messages to these contact details, thus we believe the data was collected from external data sources."

"It reinforces the importance of the message we have consistently delivered to our community members over the years. That is, all crypto assets delivered to Celsius remain completely secure, but with respect to any private wallets, always keep your private keys and passwords private and secure. Furthermore, we have always communicated to our customers and will continue to reinforce that Celsius will never ask for passwords, private keys, seed phrases and other confidential user credentials."

"In response to recent events, some members of the Celsius community had the inspiring idea to start a compensation fund to assist those who may have lost their crypto assets. We’re happy to share that we have set up the Celsians Care Fund under the following addresses to accept contributions."

"Despite the incident, the price of CEL is up nearly 1% in the past 24 hours and has gained 50% in the past fortnight. Cel last changed hands for $7.03, according to CoinGecko."

"If you want to help the @CelsiusNetwork community victims of the scam to give their Metamask & Ledger seed phrase we published BTC & ETH addresses in this update. Celsius will match all contributed funds to make sure we help the ones who need most help."

Further Analysis

Celsius Network is a cryptocurrency lending platform where users deposit cryptocurrency and can take out a loan against it. According to reports, a third-party database containing 20,000 - 30,000 emails, out of 100,000 total emails in their system, was compromised. Users reported receiving both emails and texts announcing a $500 bonus for setting up an account with new wallet software supposedly provided by Celsius. Several users reported that their funds were taken after setting up the wallet, which required importing their private key. While the total lost has not been reported, just over $9,000 worth of cryptocurrency was donated to affected users through the community, assuming Celsius followed through on its matching pledge.

How Could This Have Been Prevented?

When setting up a new wallet, always check that you are using the official, trusted website. Get the URL from multiple trusted third parties and use only the official URL when signing up. Never set up a wallet with a large balance in it, or import a wallet with a large balance into new software; instead, perform a test with a smaller wallet before any transfer or upgrade. Store the majority of funds offline in cold storage, preferably protected by a multi-signature wallet. We propose that new crypto users be given a short quiz to educate them prior to investing. Part of our framework is an industry insurance fund which could be made available to help phishing victims.
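As an added illustration of the "check the domain" advice above (example code written for this page, not Quadriga Initiative's or Celsius's own tooling), this Python triage routine flags messages that link to brand lookalike domains or ask for seed phrases. The official domain allowlist and the sample messages are assumptions constructed from the lure text and the celsiuswallet[.]network indicator quoted on this page.

```python
import re
from urllib.parse import urlparse

# Assumption: the operator's registrable domain, as seen in blog.celsius.network above.
OFFICIAL_DOMAINS = {"celsius.network"}
BRAND_WORDS = ("celsius", "celsians")
# Things the Celsius notice says the company will never ask for.
CREDENTIAL_ASKS = ("seed phrase", "private key", "password", "recovery phrase")

URL_RE = re.compile(r"(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?:/[^\s]*)?", re.I)


def registrable_domain(host: str) -> str:
    """Last two labels of a hostname (simplification: ignores multi-part public suffixes)."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def classify_message(text: str) -> dict:
    """Return the phishing indicators found in one SMS or email body."""
    refanged = text.replace("[.]", ".")  # accept defanged indicators as input
    lookalikes = []
    for m in URL_RE.finditer(refanged):
        url = m.group(0)
        host = urlparse(url if "://" in url else "http://" + url).hostname or ""
        if registrable_domain(host) in OFFICIAL_DOMAINS:
            continue  # genuine site, any subdomain
        if any(w in host for w in BRAND_WORDS):
            lookalikes.append(host)  # brand name used on a non-official domain
    asks = [p for p in CREDENTIAL_ASKS if p in refanged.lower()]
    return {"lookalike_domains": lookalikes, "credential_asks": asks,
            "suspicious": bool(lookalikes or asks)}


# Constructed samples: the first mimics the lure wording quoted on this page,
# the second is a benign notice pointing at the official blog.
SAMPLE_MESSAGES = [
    "Hey Celsians! The Celsius Web Wallet is officially live! Claim $500 in CEL "
    "with promo code WEBWALLET500: https://celsiuswallet[.]network/create "
    "then link your existing wallet by entering its seed phrase.",
    "Security notice: read the update at https://blog.celsius.network/celsius-security-notice",
]

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        print(classify_message(msg))
```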


Sources/Further Reading

CoinMarketCap: No Breach Despite 3.1M Email Address Leak (Jan 25)
3 Million CoinMarketCap Email Addresses Have Leaked - Crypto Briefing (Jan 26)
https://blog.celsius.network/celsius-security-notice-april-2021-154a587f7ca3 (Jan 30)
@CelsiusNetwork Twitter (Jan 30)
@CelSecurity Twitter (Jan 30)
Celsians Care Fund & Loans Q&A - Celsius AMA (April 16th 2021) - YouTube (Jan 30)
@Mashinsky Twitter (Jan 30)
@CelsiusNetwork Twitter (Jan 30)
@CelsiusNetwork Twitter (Jan 30)
Celsius email system breach leads to phishing attack on customers (Jan 30)
@UID_ Twitter (Jan 30)
https://cyberintelmag.com/attacks-data-breaches/celsius-network-confirms-email-system-breach-phishing-attacks-on-customers/ (Jan 30)
Celsius Network | Earn Crypto, Borrow Cash and Unbank Yourself (Jan 30)
Is Celsius Network Safe To Put Your Money (Updated Dec'21 on BadgerDAO) (Jan 30)
Celsius Data Breach – Phishing Claims More Victims (Jan 30)
From The Ceo An Update On Celsius Security (Jan 30)
Address: 1KBdR5jQ9unrGxevHnFdFwphpu1nS7AD6E | Blockchain Explorer (Jan 30)
https://etherscan.io/address/0x7DBe022DcDef584E68bb5D75EfBac4BD3f4a53b7 (Jan 30)
Celsius Email System Suffers Security Breach (Jan 30)
Bitcoin price today, BTC live marketcap, chart, and info | CoinMarketCap (May 16)
https://coinmarketcap.com/currencies/ethereum/historical-data/ (Dec 21)
https://etherscan.io/address/0x54BD1BaeB7b860119253f5bB56250F8aFb2a22c4#tokentxns (Jan 30)
https://coinmarketcap.com/currencies/celsius/historical-data/ (Jan 30)
Celsius Network - Wikipedia (Jan 30)
Email server breach sees Celsians targeted by phishing attacks (Jan 30)
About Us | Unbank Yourself (Jan 30)
