I’d love to know how Coinbase discovered the exploit — whether on the employee desktops, due to unusual activity by the employee account on internal Coinbase systems, at the company network level, by a human or robot, etc.
Thank you! Great that they shared the IOCs and IPs associated with the attack. That thread doesn’t really describe how they discovered it though, right?
