Coinbase says hackers bribed staff to steal customer data, demanding $20M ransom
276 comments
May 15, 2025
modeless
I have been receiving regular spear phishing calls from these guys, or someone who bought the leaked data, with classic tactics like claiming that I need to confirm a potentially fraudulent transaction. They speak perfect English with an American accent, sound very friendly, and have knowledge of your account balance. Thankfully on the first call I realized it was a scam right away, and Google's call screening feature takes good care of the rest. Wish I could forward them to Kitboga[1].
I guess they didn't have as much luck as they wanted scamming Coinbase's customers, and once they had their fun they decided to try extorting Coinbase themselves.
panarky
If you had any significant assets on Coinbase at any time prior to this breach, spear phishing is the least of your worries.
Coinbase not only leaked your full name and address, they also gave up your balances, your transaction history, and images of your government identification.
People with "significant" crypto balances are being assaulted on the street and in their own homes, and family members are being kidnapped for ransom.
"Significant" in this case can be $10k or less.
Until now, your best defense was secrecy. Never talk about crypto in public in any way that could be traced to your real-world identity.
Thanks to Coinbase that defense is now gone.
The bad guys can see who has ever had a significant balance on Coinbase (even if they don't right now), whether that balance was sold for cash and how much, or if you've ever transferred tokens off the exchange to a self-custody wallet.
Now the bad guys know who's worth kidnapping for ransom and where you live. For most people, a Google search of your name and home address turns up the names of family members who would also be lucrative targets for kidnapping and threats of violence.
Coinbase will never be forced to reimburse all the damage they've done because the true cost would bankrupt the company.
suzzer99
Florida teens kidnap Las Vegas man, drive him to Arizona desert, steal $4M in cryptocurrency
https://www.yahoo.com/news/florida-teens-kidnap-las-vegas-20...
kmfrk
Seems to be a whole thing in France too: https://www.theguardian.com/world/2025/may/04/french-police-....
ClumsyPilot
> will never be forced to reimburse all the damage they've done because the true cost would bankrupt the company
This story keeps repeating. Maybe we should try it and see if it works as a deterrent.
krunck
But hey, at least by being forced to give crypto exchanges all our personal details we're all super protected from the four horsemen: money laundering, drugs, terrorism and pornography.
johnisgood
I know, it is so effective! Must have more KYC! /s
cyanydeez
"decentralized currency"
modeless
Bitcoin is plenty decentralized. Coinbase deals with dollars, that's the non-decentralized part.
zamadatix
> People with "significant" crypto balances are being assaulted on the street and in their own homes, and family members are being kidnapped for ransom. "Significant" in this case can be $10k or less.
I wonder why; select a person completely at random and by median you'll get just as much from what they have sitting in their checking account. Select a nicer area for an order of magnitude more. That's not encouragement to go assault people in their homes or kidnap families... just confusion.
Balgair
Yeah, but banks and the normie monetary system have a lot more safeguards in them when it comes to account transfers. Or at least, they appear to have them.
Crypto? It's wild, and people think it's wild.
suzzer99
The median person does not have $10k sitting in a checking account that they can easily withdraw. My gut feeling is that the threat of kidnapping is a lot more serious in some countries. The US maybe not so much.
VectorLock
I just switched to iPhone from a pixel device and I’m shook by all the spam calls. How do iPhone users deal with this?
conductr
It’s my biggest gripe. They can pretty accurately flag a number as Spam or Telemarketing, but in the “Silence Unknown Callers” setting I can only silence every single unknown caller. I can’t silence every single number that’s not in my contacts. When the plumber calls to confirm he’s en route, my phone needs to ring. Stuff like that.
bflesch
iPhone has been enshittified for several years now; it seems Apple engineers are not using their own phones any more. I can understand it - when you're a millionaire just from your corporate job you won't be a stressed power user of your own iPhones.
taude
Yeup, I finally broke down and went from Android -> iPhone 16 Pro. I like a lot about Apple's personal security policies for their consumers vs Google, but damn, I miss Google's automatic call spam detection and management. All day long my Apple phone rings, and I just have to ignore the calls.
ge96
I never answer my phone, also turned off sound except alarms a couple years ago
HWR_14
You turn off the notifications from unknown callers? How does Android handle it?
modeless
Sometimes you need to answer calls from unknown numbers.
Google's call screening feature picks up the phone before it rings and asks the caller why they're calling. If they actually give a good reason, then it shows you the reason as text and you can decide whether to hang up on them or answer. https://support.google.com/phoneapp/answer/9118387
dx4100
Also, on TMobile if you dial #662#, it'll block the Scam Likely calls at the carrier.
deepfriedbits
I had no idea. Thank you!
scarface_74
Settings -> Phone -> Silence Unknown callers
patatino
I don’t get any calls, seems to be a US problem?
lxgr
Unfortunately, the US phone network is indeed completely unusable without a good spam call filter.
dx4100
I have my phone set to silence Unknown callers. What did you have setup on the Pixel before to block them?
conductr
That’s too heavy handed for me. I get valid calls that I need to answer that aren’t in my contacts.
The calls they flag as potential spam and telemarketers have been 100% accurate in my experience, so I wish I could just silence those.
hooverd
I wonder if some of that perfect accent might be ML.
conductr
I started getting regular Coinbase login confirmation code text messages with no attempts on my end.
Same with my Microsoft account actually
I usually just ignore it but I assume someone is testing if my email can be used to login.
modeless
Oh yeah I get the Microsoft account emails, and Instagram ones, randomly (I have an account but never use it). I'm pretty sure SMS 2FA is turned off on my Coinbase account, which is highly recommended.
dx4100
Scams have gotten better since AI. Most of the common spelling mistakes are gone.
I was looking through some phishing e-mails the other day out of curiosity and found a weird unicode character mistranslated. Immediately knew it was an artifact of bad translation. So they're not perfect, but they're damn good.
genghisjahn
The common spelling mistakes are there for a reason most of the time.
taude
I got probably three or four in the past week.
cyanydeez
It's a shame it'll never stop, and the criminal element is now legal capitalism.
mistrial9
> They speak perfect English, sound very friendly, and have knowledge of your account balance.
.. and are former employees of Coinbase .. oh! just imagining!!
sgarman
I tried to reach out to Coinbase customer support to see if I was impacted. Once I wasted my time with the AI bot and got a human, they were unaware of the breach. I was the first person to inform them about it.
modeless
They emailed impacted accounts. Source: I was impacted
w-ll
Was this the general "Important Notice" email that went out this morning, or something more specific.
modeless
The "Important Notice" I got says "This included information related to your account". Also I got an email earlier on April 1 about a breach that sounds very similar if it's not the same one.
ycombinatrix
Maybe the actual first person got unlucky with a lazy customer support agent.
thepasswordis
The problem is that it seems like the data that leaked is also the data that would be used to do account recovery.
And what that means is that
1) If you lose access to your account (through either your own fault, or Coinbase's fault), the process of recovering it may not be so straightforward anymore.
2) Hackers can try to “recover” accounts now using this leaked info.
This is a huge problem. What Coinbase needs are IRL offices where you can go and do things like account recovery, and where people trying to steal money can be caught and prosecuted (and which makes a huge barrier for the overseas thieves who are usually doing this).
The only solution here is: hardware 2 factor like yubikeys.
singleshot_
Coinbase actually has the opposite of a physical place where people trying to steal money can be caught. They have a virtual place where people trying to steal money can get away with it. If you want the feature you described, you might want to try a “bank.”
SimianSci
The Crypto industry continues their speedrun of rediscovering all of the reasons for why the global financial system exists.
What you've described is the same thing that many Crypto enthusiasts call a "Bank"
lxgr
Many banks don't have physical branches.
One that I'm using does, but I find it extremely annoying when they have me go to a branch to unblock my account that they locked due to a poorly calibrated risk system (that they need due to not supporting actually secure 2FA methods).
woah
Coinbase is identical to a bank because it holds customer funds. Your comment isn't quite the dunk you think it is. Blockchains allow money to be held anonymously without any banks involved. Centralized exchanges are just profiting on speculation and probably should be banned.
scarface_74
My money in the bank in case of fraud is protected unless I voluntarily gave the fraudster my money. If a bank goes bankrupt, my money is protected by the government
knowitnone
Except bank staff can easily be bribed too. There is plenty of bank fraud happening.
suzzer99
If my bank money gets stolen from me via fraud (unless I literally just Zelle the scammer), I get it back. That's the big difference.
nipponese
I can walk into a bank branch and show documents.
I guess I can walk downtown to CB HQ, but something tells me I won't get past the front desk.
lxgr
> What coinbase needs are IRL offices where you can go and do things like account recovery, and where people trying to steal money can be caught and prosecuted
People getting locked out of their account (which can happen due to no fault of the user, e.g. by an overly nervous risk system) will be really happy to have to potentially travel to a different city to regain account access...
ClumsyPilot
> The only solution here is: hardware 2 factor like yubikeys.
And when that’s lost, what do you do? Aren’t you back to account recovery step?
josu
> What coinbase needs are IRL offices where you can go and do things like account recovery, and where people trying to steal money can be caught and prosecuted
Is this satire?
piva00
> What coinbase needs are IRL offices where you can go and do things like account recovery, and where people trying to steal money can be caught and prosecuted (and makes a huge barrier for the overseas thieves who are usually doing this)
That's just a bank.
dowager_dan99
Beyond the regulatory-dodge and crypto marketing explain to me how Coinbase is NOT a bank
Analemma_
Cryptocurrency firms exist in a quantum superposition of bank and not-a-bank until you interact with them, at which point they collapse into whichever state costs them less money.
chaosbolt
lol they even do fractional reserve things like banks, except they're more shady and don't acknowledge it. Now I'm either connecting dots that shouldn't be connected, or some withdrawal locks that happened during some big arbitrage opportunities were very suspicious.
thepasswordis
Correct. Coinbase is a bank that holds cryptocurrency.
DonHopkins
And OpenSea is a zoo that holds apes.
lovich
Watching crypto enthusiasts run into every problem that society already tackled in the past when developing currency and its controls, and then coming up with solutions that look exactly the same as what dirty fiat currency uses, has been a source of much entertainment the past few years.
voidspark
This is an exchange problem, not a crypto problem. You don’t need an exchange to hold crypto.
johnisgood
As others have said, it has nothing to do with crypto, it is an exchange problem, and a government intervention problem.
codedokode
As I understand it, the root of the problem is that Coinbase kept a lot of sensitive information, including photos of IDs. If Coinbase were fully anonymous, and didn't require any KYC, the impact of the leak would be insignificant because it would be difficult to link user number 12345 with some real-world person.
So if we want to constrain the impact of such attacks, we must make companies keep less data and delete it faster. For example, instead of storing a photo of an ID, store just a checkbox that the person showed their ID and it was valid.
This applies not only to cryptocurrency, but to any company like Google, Uber, Amazon etc - if they didn't keep extra data, there would be little value in the leaks.
So the blame is not on cryptocurrency, but on companies not wishing to delete the data and governments demanding that they collect data not necessary for operation. It's the government and capitalists who create problems out of nowhere.
thepasswordis
Is there anything crypto does that paper currency doesn’t?
J0nL
I'm having déjà vu here. If they only found out when they attempted to extort them, does it mean they don't even bother to log employee access? Is there any means for accountability at all internally?
It would be so simple to have access tracking and flag or lock out rogue employees... I look forward to seeing what the golden parachutes look like.
fckgw
Looking at their blog post, it seems like they paid customer support agents to hand over sensitive data. The attackers did not have access to any agent accounts themselves, and the customer service agents were accessing data they were already privileged to anyways.
https://www.coinbase.com/blog/protecting-our-customers-stand...
lxgr
Logging and retroactive auditing seems like the very least they should do. Even asking the customer service agent to first provide identifying details of the customer they can't easily know or guess by themselves doesn't seem excessive, given the sensitivity of the information.
It won't work for 100% of all calls (what if the customer is locked out themselves etc.), but those calls can then be handled by even more closely monitored agents.
"Less than 1% of monthly transacting customers" means up to 1% were accessed – that seems very high, i.e. much higher than the number of customer service contacts I'd expect.
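An added example of the retroactive audit this comment (and J0nL's above) describes; it is not Coinbase's code, and the log format, field names and thresholds are assumptions. It parses constructed agent-access log lines and flags agents who pull sensitive fields without an open ticket, or who touch far more distinct customers than their peers:

```python
from collections import defaultdict
from dataclasses import dataclass
from statistics import median
from typing import FrozenSet, Optional

# Constructed log format (an assumption, not Coinbase's): one access per line,
# fields separated by '|': timestamp|agent|customer_id|fields_viewed|ticket_id,
# with ticket_id '-' when the agent opened the record without a support ticket.
SAMPLE_LOG = """\
2025-05-01T09:02:11Z|agent_a|c1001|name,email|T-501
2025-05-01T09:15:40Z|agent_a|c1002|name,balance|T-502
2025-05-01T10:01:03Z|agent_b|c1003|name,address|T-503
2025-05-01T10:20:19Z|agent_b|c1004|name,email|T-504
2025-05-01T11:00:00Z|agent_c|c1005|name,email|T-505
2025-05-01T22:10:01Z|agent_c|c2001|name,address,balance,id_image|-
2025-05-01T22:10:09Z|agent_c|c2002|name,address,balance,id_image|-
2025-05-01T22:10:15Z|agent_c|c2003|name,address,balance,id_image|-
2025-05-01T22:10:22Z|agent_c|c2004|name,address,balance,id_image|-
2025-05-01T22:10:30Z|agent_c|c2005|name,address,balance,id_image|-
2025-05-01T22:10:37Z|agent_c|c2006|name,address,balance,id_image|-
2025-05-01T22:10:44Z|agent_c|c2007|name,address,balance,id_image|-
"""

# Fields whose exposure is what the thread is about; constructed list.
SENSITIVE = {"address", "balance", "id_image"}


@dataclass(frozen=True)
class Access:
    ts: str
    agent: str
    customer: str
    fields: FrozenSet[str]
    ticket: Optional[str]


def parse_log(text: str):
    """Parse the constructed '|'-separated format into Access records."""
    accesses = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, agent, customer, fields, ticket = line.split("|")
        accesses.append(Access(ts, agent, customer, frozenset(fields.split(",")),
                               None if ticket == "-" else ticket))
    return accesses


def audit(accesses, volume_ratio: float = 3.0):
    """Return {agent: [finding, ...]} for agents who (a) viewed sensitive fields
    with no ticket attached, or (b) touched more distinct customers than
    volume_ratio times the median agent. Both thresholds are assumptions."""
    by_agent = defaultdict(list)
    for a in accesses:
        by_agent[a.agent].append(a)
    distinct = {agent: len({a.customer for a in accs}) for agent, accs in by_agent.items()}
    baseline = median(distinct.values())  # peer baseline for volume comparison
    findings = defaultdict(list)
    for agent, accs in by_agent.items():
        ticketless = [a for a in accs if a.ticket is None and a.fields & SENSITIVE]
        if ticketless:
            findings[agent].append(
                f"{len(ticketless)} ticketless sensitive lookups "
                f"(first {ticketless[0].customer} at {ticketless[0].ts})")
        if baseline and distinct[agent] > volume_ratio * baseline:
            findings[agent].append(
                f"{distinct[agent]} distinct customers vs median {baseline:g}")
    return dict(findings)


if __name__ == "__main__":
    for agent, notes in audit(parse_log(SAMPLE_LOG)).items():
        print(agent, *notes, sep="\n  ")
```

In the constructed sample only agent_c is flagged, on both counts; in a real deployment the baseline would be computed per shift or per queue so that a legitimately busy tier is not compared against an idle one.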
skybrian
Blog post is here:
https://www.coinbase.com/blog/protecting-our-customers-stand...
> We will reimburse customers who were tricked into sending funds to the attacker due to social engineering attacks. If your data was accessed, you have already received an email from no-reply@info.coinbase.com; all notifications went out at 7:20 a.m. ET on 5/15 to affected customers.
gkoberger
The no-reply is an interesting decision. I get how difficult it is to run a company like Coinbase (their biggest strength, centralized + customer support, is also what enables this social engineering), but feels like an odd choice.
sh34r
Their "customer support" includes not expecting users to set up PGP to communicate with them. Email is not a secure method of communication by default.
It's fine to send a notification instructing them to visit the secure portal for more info, though. Hence, no-reply.
gkoberger
Yeah, I totally understand it!
scotty79
no-reply is a good practice. No business should ever encourage their customers to reply to the emails they are sending out. That's what scammers do.
To contact the company you should go to the company website at the address you know (which shouldn't be given in the email either), log in and send a message through the internal message system, possibly referring to the email that you received through a random code (those can be auto-suggested if they recently tried to contact you by email).
If you do anything else, your communication knowingly mimics the communication of a scammer.
Unrequested email should always only be one way communication. Email is too untrustworthy for it to be anything more.
ClumsyPilot
> No business should ever encourage their customers to reply to the emails they are sending out.
It’s fascinating that we keep creating new technology and then find out that in practice most of it cannot be trusted. Which means it cannot be used for anything serious.
IT revolution is a bit of a failure
PeeMcGee
> No passwords, private keys, or funds were exposed and Coinbase Prime accounts are untouched.
I'm curious why no Coinbase Prime accounts were part of the leak (assuming that's what they mean). Is there some sort of additional layer of data protection behind the Coinbase Prime paywall? Or perhaps those accounts were intentionally avoided as they would presumably belong to more savvy users.
czk
Coinbase Prime is its own exchange with its own support (actual humans in the USA that are available to chat to). It's for "institutional investors" so unavailable to most customers without the proper credentials/paperwork. They don't share the same outsourced "support" as the regular exchange, which appears to be the attack vector here.
rdtsc
> recruited a group of rogue overseas support agents
Why not just say what country they are from and how they hired them to start with? It's presented as those sneaky "overseas" people that somehow got access to our systems. This company makes what, a few billion in revenue, but they couldn't vet and hire the right people?
molticrystal
And the reason Coinbase has to keep all that sensitive stuff, much more than what would be required to identify and authenticate you, which you hope will never be stolen, is because of know-your-customer laws. So you can thank your government that pictures of your passport got stolen, and for whatever criminals and rogue Coinbase employees do with that info.
ryuhhnn
There are very good reasons for KYC. The problem here is not the government regulation, it's once again private companies being sloppy with their customers' data, because sloppy is cheap and it's not their info on the line, it's yours, so there's little motivation for them to safeguard it _unless_ they're compelled to do it by law.
goobie
The people who designed a government regulation to deputize private companies couldn't possibly have known how sloppy private companies are with other people's data?
They could have designed KYC to minimize long-term storage requirements etc at some cost to what they could enforce, but a government like the US is inherently sloppy with the rights that are reserved for parties besides itself.
J0nL
They're not just another free-to-use site where you're the product. Their reputation and viability are on the line.
For a site such as this the odds aren't in their favor anymore.
ChrisMarshallNY
> Instead we are establishing a $20 million reward fund for information leading to the arrest and conviction of the criminals responsible for this attack.
I’m not usually a huge fan of crypto folks, but I applaud this.
I hope they are serious about paying the reward, and aren’t planning to rug-pull it.
reaperducer
> I hope they are serious about paying the reward, and aren’t planning to rug-pull it.
They could always pay it in crypto.
ChrisMarshallNY
It might not be a bad idea for the various crypto exchanges to pool their resources into a non-denominational security organization. It could offer hardening services, and some kind of accreditation.
It would also make many Ponzi schemes easier to spot, as they wouldn’t want to contribute.
davidcbc
They make money selling the ponzi schemes, they don't want to make them easier to spot
hypeatei
Whatever you think of Coinbase, this is a pretty good response IMO:
> and will not pay the $20 million ransom demand we received. Instead we are establishing a $20 million reward fund for information leading to the arrest and conviction of the criminals responsible
ajma
That's the same move from the Ransom movie from 1996 https://youtu.be/haThIxPnYro?si=Jxu0elA-ylB5Z15q
twodave
I love it. This also would have been a great opportunity to break out of corporate speak for a moment for a good “Up yours hacker assholes!” Even us folks in the Bible Belt appreciate a well timed swear word here and there.
pcl
I’d say the better thing for customers would be to pay the ransom demand and get the PII back. If they want to fund a reward scheme too, well great, but if it were my data, I’d care more about Coinbase limiting the breach of the data, not playing around with retaliatory rewards.
hypeatei
There is no guarantee that an anonymous criminal is going to hold up their end of the agreement. Coinbase has no idea who they're negotiating with or where that data has been shared.
That, and they're reimbursing customers who were tricked.
int_19h
In addition, paying the ransom would be an open invitation for everybody else to try the same attack, with the net result that all customers are less secure in the long run.
deburo
Limiting? The damage is already done.
blindriver
There should be an ISO standard with respect to how much power and information that front line customer support agents have. The more information you need, like changing passwords or accessing personal information, should get forwarded to higher level customer support agents with better training and more monitoring. This way you can design customer support experience with as little exposure to security issues as possible.
wepple
> better training and more monitoring.
That’s very load-bearing. It won’t help.
The CS reps are based in a LCOL country so the opportunity for theft is simply incredibly lucrative.
What is really needed, is customer-in-the-loop for access to their data. The problem is, not all accesses would make sense. Doing analytics over the data of the top 1% of customers, for example, requires some level of access, but would freak out those customers if they had to approve it.
whyever
The main defense against internal attacks is bookkeeping. Banks have been dealing with this for thousands of years. I recommend the corresponding chapter in Security Engineering by Ross Anderson: https://www.cl.cam.ac.uk/archive/rja14/Papers/SEv3-ch12.pdf
xyst
Compartmentalization is a very expensive customer support model.
caseyohara
So are $20M ransoms and the reputational damage from data breaches.
pentagrama
Maybe it’s a naive question, but in many breach reports I see things like 'No passwords, private keys, or funds were exposed.' How come companies can usually protect that kind of data, but not emails, names, and other personal info?
selectout
Companies want the ability to use things like emails, names, and other data for user experiences (go to settings, see name and change it), advertising (target this address book for X ad), etc. So these are typically plaintext (oversimplified) and accessible by different systems while passwords or private keys have one use case only and can have a higher bar of protection.
LorenPechtel
Such data is typically encrypted and purely write-only, only read by the system itself. Thus it is only exposed if the database itself is exposed. If the leak was compromise of the systems that access the data (which appears to be the case here--insiders copied data they could access) the write-only info is not exposed.
wat10000
A properly implemented login system will never store a password in the first place. Properly hashed passwords can still be cracked in some cases, but if your password is strong and the hash is good, it’s safe.
dboreham
It was some BI/analyst database that leaked?
Coinbase seems to be going to great lengths to try and distance themselves from the so-called "rogue overseas support agents".
If they were Coinbase employees or contractors, that means the company basically sold its own data to hackers, who then turned around and demanded a ransom.
Reimbursing duped customers makes sense, as it seems like they would have a pretty straightforward case to make in court that Coinbase's actions led to their loss.
I'm more curious if someone who feels the need to move, change banks, change their email, hire a security detail etc. could successfully sue the company to recover some or all of those costs.