
How Outsourced Workers and Teen Scammers Shook Coinbase


Teenage hackers strike again! This time, they bribed working stiffs in India for customer data from Coinbase, which they used to scam customers out of an as-yet-unknown amount of money. Although Coinbase and its executives have been vociferous about the exploit, they have been cagey about the details. What is known is that Coinbase lost in the neighborhood of $400 million, presumably compensating affected customers.

The story brings together bribery and extortion, impersonation and social engineering, connecting Coinbase to a staffing company in Texas and a customer service center in India. Let’s dive in!  

A Breach on the Eve of Glory

On May 15th, Coinbase disclosed a data breach that affected 69,461 customers. If that weren’t embarrassing enough, Coinbase was obliged to publicly disclose the hack just days before Coinbase became the first crypto-native company to join the benchmark S&P 500 Index.

On May 15, Coinbase announced via a blog post and a regulatory filing with the U.S. Securities and Exchange Commission (SEC) that cybercriminals had gained access to sensitive customer data by bribing its overseas customer support contractors. The English-speaking teenage hackers offered cash to outsourced contractors in India to leak sensitive user data.

User passwords and private keys remained safe, but the names, addresses, masked bank account information, government-issued ID images, email addresses, and the last four digits of everybody’s Social Security numbers, not so much. The mischievous teenagers then used this data to trick Coinbase customers into handing over their cryptocurrency.

The hack appears to have begun as early as December 2024, but it wasn’t until May 11th that Coinbase received an email demanding a $20 million ransom in exchange for the cybercriminals deleting the sensitive information.

Coinbase refused to pay the ransom and promised to cover any losses that customers sustained due to the hack. Coinbase also flipped the script on the hackers by offering a $20 million reward to anyone with information that could lead to their arrest.

In an SEC filing, Coinbase estimated it would cost somewhere between $180 and $400 million to reimburse customers.

Social Engineering: Hackers Walk Through the Front Door

Crypto whales and crypto exchanges are surprisingly easy to separate from their crypto assets. In late April, news broke of a bizarre abduction of a teenage hacker’s parents in Connecticut, after the boy stole $243 million in Bitcoin from a longtime investor. 

While most security breaches expose vulnerabilities on the back-end, the Coinbase hackers walked right through the front door. Bribing Coinbase’s outsourced staff was easier than one would think, given that these employees earn between $500-700 a month. 

Texas-based TaskUs contracted staff in Indore, India to handle Coinbase customer service. In March, TaskUs laid off approximately 200 people. Two months later, the chief security officer of Coinbase assured customers that the venal staff had been fired, and Coinbase would be pressing criminal charges. The U.S. Department of Justice is investigating the hack, and Coinbase says it is fully cooperating. 

Bad timing, minimum impact?

The Coinbase hack comes on the heels of the company’s debut on the S&P 500 on May 19th as the first crypto-native company, replacing Discover.

According to CEO Brian Armstrong, the news means that “crypto is here to stay. It’s going to be in everyone’s 401K, everyone’s going to have crypto exposure… It’s also a symbol that crypto is updating the financial system.”

On May 15th, after news of the data breach, Coinbase Global Inc. (NASDAQ: COIN) stock price suffered a 7% dip. But the dip was short-lived, and the stock surged nearly 24% to $256.90 per share on May 19th, after Coinbase went public. At the time of writing, it’s hovering around $248.5 (TradingView), and remains up over 25% on the month. 

Armstrong emphasized that the company’s “long-term goal is we want to be the largest financial service app in the world,” adding “Crypto is eating financial services, and we’re gonna be the leader in crypto.”

Armstrong strikes a confident tone, and the crypto crowd is feeling very bullish about their prospects with the Trump administration. Crypto’s entrance into the world of TradFi would ideally coincide with fewer of these monumental security breaches and corresponding monumental losses for investors. On the contrary, this hack suggests that the road could be bumpier than expected.   

The relative strength of Coinbase’s stock price suggests that the recent setback from the hack may be a minor hiccup, though it may cause a bit more agita for institutional investors.

The Usual Suspects: Centralized Exchanges Under Fire

Given the vast amounts of digital assets held by centralized exchanges, they remain prime targets for cyberattacks, and Coinbase is far from the only exchange to be targeted. Security breaches have long plagued the crypto industry, with attackers exploiting everything from smart contract flaws to weak internal controls. 

Over the past decade, major crypto exchanges have suffered devastating breaches, including the Mt. Gox hack in 2014 when 850,000 BTC—worth about $450 million at the time—were stolen, as well as the 2016 Bitfinex attack, where 120,000 BTC—valued then at roughly $72 million—were siphoned via a vulnerability in its BitGo integration. 

CoinCheck lost $530 million in NEM tokens in 2018, leading to stricter regulations in Japan. KuCoin suffered a $280 million breach in 2020, though much of it was later recovered. 

These incidents, along with the $325 million hack of the Wormhole, which Disruption Banking wrote about here, underscore persistent vulnerabilities in the crypto ecosystem and provide context to the magnitude of Coinbase’s $400 million loss. It’s not small; it’s substantial. 

And the compensation for investors can drag on indefinitely, as has been the case with Mt. Gox, whose depositors have waited a decade to be made whole.

Could Coinbase Have Prevented This? ZachXBT Thinks So 

It’s a headscratcher that a company spending up to $8 million on cybersecurity every month could be the victim of such an attack.  

ZachXBT, a blockchain investigator, could have the answer to that question. Back in February, he wrote a thread on X drawing attention to the fact Coinbase users have lost $300+ million per year from social engineering scams. 

He noted that other centralized exchanges like Kraken and Binance don’t have the same problems as Coinbase, and urged Coinbase to take stricter security measures to protect clients. He also wrote that Coinbase could “initiate legal action against multiple US-based threat actors running these scams to make an example out of them.” 

Armstrong’s Bounty and Bold Claims

Taking a page from the Kraken playbook, Coinbase refused to be extorted and went on the offensive, publicly offering a $20 million bounty for information about the hackers.

The company assured customers that “No passwords, private keys, or funds were exposed and Coinbase Prime accounts are untouched.” 

Brian Armstrong took to X on May 15th to declare, “Anyone seeking to harm Coinbase customers, know that we will prosecute you and bring you to justice.”

The hack might be a little bump in the road for Coinbase, currently valued at $67 billion, but it should be a flashing red light for Coinbase’s customers. 

It’s unclear what, if any, lingering effects Coinbase may experience in consequence. Hackers could sell customer information on the dark web, or use it themselves to socially engineer Coinbase’s clients into giving up their assets, digital or otherwise.

It also exposes the weak links in the chain of security and illustrates the relative ease with which determined hackers can compromise the most heavily regulated firms in crypto. Industry players should take a minute to contemplate why comparably few TradFi institutions have these sorts of costly snafus. 

Author: Laird Dilorenzo


Laird Dilorenzo is a hatchet thrower and wordsmith. 

The editorial team at #DisruptionBanking has taken all precautions to ensure that no persons or organizations have been adversely affected or offered any sort of financial advice in this article. This article is definitely not financial advice.
