US authorities have indicted two suspects for hacking cryptocurrency exchange EtherDelta in December 2017, changing the site's DNS settings, and redirecting traffic to a clone where they logged user credentials and then stole customer funds.
One of the two suspects is Elliott Gunton, also known as "Glubz," a 20-year-old from the UK, better known for participating in the TalkTalk hack.
The other is Anthony Tyler Nashatka, also known as "psycho," a resident of New York.
The two, over the course of just a week, went from buying an EtherDelta's employee phone number off the black market to stealing funds from thousands of EtherDelta users.
The hackers acquired the EtherDelta's CEO personal details
According to court documents ZDNet received from a tip, it all started on December 13, when Nashakta bought the personal details of an EtherDelta employee using Bitcoin.
The data, believed to have been acquired from underground data traders, contained the employee's phone number and email address.
While court documents only identify this employee as Z.C., this person is believed to be Zachary Coburn, the company's CEO, as only his accounts would have allowed the hacker to do what they did next.
Court documents don't say if Nashakta specifically targeted Coburn's data because he was the EtherDelta CEO, or if the hacker accidentally found it inside a larger data pool and realized who he was.
However, later that same night, recognizing the value of the details he acquired, Nashakta reached out to Gunton and made plans to hijack EtherDelta's Cloudflare and Dreamhost accounts.
Hackers call-forwarded the CEO's phone number
Things didn't get off the ground right away, but six days later, on December 19, 2017. Court documents reveal that Gunton somehow managed to convince a mobile telco's operator to add a call forwarding number to Coburn's mobile account.
This meant that any incoming calls for Coburn's phone would be silently forwarded to a Google Voice number operated by the two.
Gunton and Nashatka didn't waste any time and immediately used the call forwarding feature to silently bypass two-factor authentication (2FA) on Coburn's EtherDelta (admin) account.
A day later, on December 20, the two moved in to capitalize on their hack. They first started by modifying DNS settings in the company's G Suite portal and redirected Gmail traffic through a UK server they owned, allowing the two to intercept and hide certain emails.
The next step was to reset the password on EtherDelta's Cloudflare account, retrieve the password reset link from Coburn's intercepted emails, and access the Cloudflare account as new owners, changing the password and locking out other company employees.
The final step was to change EtherDelta's DNS records inside the Cloudflare account and add new values, effectively pointing the EtherDelta official site to a web server they operated. Here, the two hosted a clone of the original site, but one that logged users' credentials.
The DNS redirection lasted only a few hours until it was spotted and widely reported in the media.
After their plan was exposed, the two moved on to cash in on the stolen credentials. While court documents don't say how much the two made, they do reveal that one victim reported losing more than $800,000.
Gunton already sentenced in the UK
The indictment was filed on August 13, in San Francisco. Three days later, Gunton was sentenced to 20 months in prison in the UK for trading personal data online, for cryptocurrency, following his arrest in 2018. The US case is believed to have stemmed from the data found on Gunton's devices.
In the US, the two face five counts each, with maximum prison penalties of up to 20 years, up to three years of supervised released, and a fine of up to $250,000.
Ironically, in November 2018, the US Securities and Exchange Commission also charged Coburn, the EtherDelta CEO, with running an unregistered securities exchange [PDF].