Last week’s highly organized breach of cryptocurrency exchange Coinbase (COIN) left behind more questions than answers.
While some hailed Coinbase’s response as a “really great example” in dealing with a crisis, the breach has now caused a potentially massive privacy issue that mirrors the Ledger data breach in 2021 — which led to a spate of real-world robberies as criminals were able to get a hold of names and addresses of crypto holders. Coinbase has already acknowledged that its customers may have lost close to half a billion U.S. dollars as a result of its breach.
Cybercriminals accessed Coinbase user data by bribing and convincing Coinbase support employees to share that data, but this was entirely preventable, according to numerous experts that spoke to CoinDesk.
“A failsafe system would make stealing data technically impossible, but Coinbase clearly didn’t prioritize these measures, leaving the door wide open,” Andy Zhou, co-founder of blockchain security firm BlockSec told CoinDesk.
Allowing these criminals to access personal data, whether through a hack or, in this case, social engineering, is a major blight on an exchange that facilitates billions of dollars worth of volume every day. The breach created a myriad of issues, including user privacy and trust. How could Coinbase, a publicly traded company, allow attackers to steal personal information and money through the front door? And could it have been prevented?
Hackett Communications CEO Heather Dale hailed Coinbase’s response as a “masterclass in communication,” but Coinbase’s method of tackling the issues was simple: throw as much money at it as possible.
The exchange offered a $20 million bug bounty for anyone who reported information that would lead to an arrest or prosecution. It also committed to voluntarily reimbursing impacted users with between $180 million to $400 million.
What happened?
Before analyzing the fallout of the breach, it’s important to understand how exactly the breach occurred at a publicly traded company that spends millions of dollars per month on security infrastructure.
In February, on-chain sleuth ZachXBT reported a rise in thefts involving Coinbase users. He said that it was “a result of aggressive risk models and Coinbase’s failure to stop its users losing $300 [million] per year to social engineering scams.”
The fear of cybercriminals stealing hundreds of millions of dollars became a reality last week when Coinbase published a blog post revealing that account balances, government ID images, phone numbers, addresses and masked bank account details were stolen.
Unlike other hacks and breaches, which involve attackers exploiting a faulty back-end, these attackers went in through the front door—communicating directly with Coinbase employees and buying access to the information via rogue insiders. Coinbase claimed that it fired all responsible employees on the spot, although it did not reveal the method it used to find those responsible in the blog post.
The issue, however, is not confined to crypto. In 2022, digital bank Revolut confirmed that 50,000 sets of customer data were stolen, while one year later, trading platform Robinhood had up to 5 million email addresses leaked. The latter was fined $45 million by the SEC following the breach after it emerged that a portion of customers had their accounts wiped by attackers.
The BBC reported in October that one particular Revolut user lost £165,000 ($220,0000) following a data breach and that the neobank’s fraud detection system prevented £475 million in fraudulent transactions in 2023.
Coinbase competitors Binance and Kraken said they managed to fend off similar social engineering attacks in recent weeks.
Coinbase CEO Brian Armstrong also posted a video on X last week, stating that he received a “ransom note” for $20 million in bitcoin in exchange for these attackers not releasing some information they claimed to have obtained on Coinbase customers.
ZachXBT added on Thursday that the attackers began obfuscating the stolen funds by swapping BTC for ETH on Thorchain, a venue often used by the infamous North Korean hackers Lazarus Group.
‘Major wake-up call’
Andy Zhou, co-founder of blockchain security firm BlockSec, told CoinDesk that Coinbase should have conducted “stricter background checks on employees handling sensitive data ” and set up “alarms for weird activity” like someone suddenly downloading thousands of customer profiles.
Zhou added that Coinbase should have implemented several technical solutions. These include strict role-based access, meaning employees only see necessary data, or privacy tools that allow work without exposing raw details (for example, blurring ID photos).
Nick Tausek, lead security automation architect at Swimlane, told CoinDesk that the breach should be a “major wake-up call” for robust insider threat detection.
“As outsourcing scales and operations stretch across time zones, insider threat detection and access governance cannot be afterthoughts. A single insider with the right access, or in this case, the wrong incentives, can punch a hole in even the most fortified security posture. Because, as this breach shows, it only takes 1% of customers breached to make 100% of the headlines.”
However, not everyone is piling onto Coinbase.
Michal Pospieszalk, CEO of MatterFi, said that it “isn’t a Coinbase problem, it’s a systemic vulnerability that’s plagued crypto since day one.”
He argued that the nature of sending crypto without an intermediary means that all platforms are one misstep away from disaster.
Hackers need to engineer a situation that can trick users into sending their funds in an irreversible transaction. In Coinbase’s case, attackers gained access to personally identifiable information from a rogue employee.
The root issue, according to Pospieszalsk, is the problem of users not knowing whether they are sending funds to the right recipient, adding that crypto runs on a “trust me, bro” model of identity verification and that is not sustainable.
What happens next?
Coinbase said it would voluntarily reimburse customers who lost funds during the breach and would continue to work with law enforcement to capture those responsible. But for users, it’s a darker road.
The exchange said in a regulatory filing on Wednesday that the breach impacted 69,461 customers. The filing also noted that the breach occurred in December 2024 and was not discovered by Coinbase until May 15.
These details are out on the internet now, and may even be for sale on the dark web and in shady Telegram groups. After the Ledger breach, customer details were published on Raidforums, a nefarious data-sharing platform, which led to a rise in phishing attempts.
Unfortunately, Coinbase can’t do anything to prevent the sharing of this leaked information, leaving the affected users to attempt to put in as many safeguards as possible. These include changing wallets, changing deposit addresses on exchanges and even changing home addresses to avoid the risk of real-world robberies. Users whose social security numbers were leaked should also lock their credit to prevent identity theft.
It may be cumbersome, but as seen earlier this year during the attempted kidnapping of Ledger co-founder David Balland (and several other individuals over the past few weeks), criminals will not stop until they extract the maximum amount of funds, even if it means inflicting brutal acts of violence.
This also raises a potential legal question: If a Coinbase customer were to be robbed or assaulted due to the data breach, would Coinbase be liable? Ledger failed to escape a proposed class action lawsuit earlier this year, with plaintiffs alleging that Ledger violated its privacy policy and should have had measures in place to prevent the breach.
Crypto researcher Molly White also pointed out that Coinbase changed its user agreement in April, adding two clauses limiting class action lawsuits and requiring lawsuits to be filed in New York, with changes being applied on May 15, the same day the breach was announced.
Coinbase responded to CoinDesk about White’s claims, stating that the exchange had “notified customers well in advance” of the user agreement change and that it had a class action waiver in place for “years.”
Coinbase did not, however, comment on questions related to whether the breach was preventable or how it will safeguard customers who could be at risk of real-world robberies in the future.
Read more: Market Reaction to Coinbase Hack ‘Overblown,’ Say Analysts as SEC Probe Sinks Stock