‘Expect Imposters’ Coinbase Tells Customers Whose Information Was Exposed in Data Breach


Cryptocurrency transaction platform Coinbase disclosed a ransomware attack that occurred months ago, according to a legally required US regulatory filing on May 11. The attacker demanded $20 million to cover up the attack; Coinbase did not pay the ransom.

Coinbase will reimburse customers who lost funds to the attacker’s social engineering, which was enabled by the stolen data.

Insiders allegedly handed customer information to the threat actor

An attacker allegedly bribed Coinbase customer support agents — what Coinbase described as “a small group of insiders” from an overseas customer support pool — to collect data on a small number of customers. The attacker would then use that data to contact customers and trick them into thinking the attacker was a representative of Coinbase in order to steal customers’ cryptocurrency.

Less than 1% of Coinbase’s monthly transacting users have had their data exposed, Coinbase said. However, those users should “expect imposters,” the company warned. Coinbase reminded users that attackers might ask for passwords, two-factor authentication (2FA) codes, or request funds transfers to a “safe” wallet over the phone — actions the legitimate platform does not perform.

Driver’s licenses and passports were among the stolen data

The stolen data includes:

  • Name, address, phone, and email.
  • The last four digits of the Social Security number.
  • Masked bank‑account numbers and some bank account identifiers.
  • Government‑ID images, such as a driver’s license or passport.
  • Account data, including balance snapshots and transaction history.
  • Limited corporate data (including documents, training material, and communications available to support agents).

Customer funds and wallets, private keys, and 2FA information were not compromised.

Coinbase notified affected users and increased investment in cybersecurity

Corporations are often advised not to pay ransoms in cases like this, as doing so can fund future cyberattacks, encouraging similar behavior. Additionally, paying the ransom does not guarantee the actor will actually return the stolen data.

In addition to reimbursing funds lost to social engineering scams enabled by the breach, Coinbase has taken the following actions:

  • Notified affected users.
  • Added extra ID checks for large withdrawals for affected crypto accounts.
  • Added mandatory scam-awareness alerts.
  • Reinforced security controls and opened a new support hub in the U.S.
  • Increased its investment in insider‑threat detection, automated security responses, and simulations of similar security threats.

Coinbase is working with US and international law enforcement to pursue the former employees who collaborated with the attacker. The company has offered a $20 million reward for information leading to the arrest and conviction of the primary threat actor.

Coinbase expects financial losses of $180 million to $400 million in reimbursement and remediation stemming from the attack.

