Compiled by: Felix, PANews

On May 15, two pieces of negative news about Coinbase caused its stock price to suffer a 'Waterloo.'

One report revealed that Coinbase disclosed a cyber attack involving the theft of internal data and customer information, with potential financial impacts ranging from $180 million to $400 million.

Additionally, sources indicate that the U.S. SEC is still investigating whether Coinbase misrepresented user data prior to its 2021 IPO.

Following the two pieces of negative news, Coinbase's stock price dropped 7.2% during the day.

Customer service staff leaked user data; attackers demanded a $20 million ransom.

Coinbase reported that cybercriminals bribed and recruited a group of malicious overseas customer service personnel, who abused their access to the customer support system to steal data from less than 1% of monthly trading users (about 80,000 to 100,000). Although no funds, passwords, or private keys were stolen, and Coinbase Prime accounts were 'unaffected,' the attackers used this data to launch targeted social engineering scams against customers.

Commenting on the attack method, some cryptocurrency experts said that this type of targeted social engineering attack (utilizing overseas customer support teams) is not uncommon in the crypto industry. Information about active users of crypto exchanges is far more valuable than one might think. The average customer acquisition cost for top exchanges is $5-50 per effective user, while for small to medium exchanges it ranges from $50-300.

After launching the social engineering scams, the attackers sent Coinbase a ransom letter demanding $20 million worth of Bitcoin and threatening to release the stolen customer data if Coinbase did not comply.

The report stated that the attackers obtained:

  • Name, address, phone number, and email

  • Masked social security numbers (only the last four digits)

  • Masked bank account numbers and some bank account identifiers

  • Images of government ID documents (such as driver's licenses, passports)

  • Account data (balance snapshots and transaction history)

  • Limited company data (including documents, training materials, and communications information for customer service personnel)

However, login credentials and two-factor authentication codes, private keys, any ability to transfer or access customer funds, access to Coinbase Prime accounts, and access to any hot or cold wallets of Coinbase or its customers 'were not compromised.'

Multiple response measures: refusing to pay the ransom and issuing a bounty.

Following the incident, Coinbase implemented a series of response measures.

First, Coinbase is cooperating closely with law enforcement agencies. The internal personnel who leaked data were fired on the spot and handed over to U.S. and international law enforcement agencies, with Coinbase stating it would pursue criminal charges.

Next, it is tracking the stolen funds. Coinbase collaborated with industry partners to tag the attackers' addresses so that authorities could track and recover the assets. It also promised to compensate customers who were tricked into sending funds to the attackers through social engineering. To further secure its support operations, Coinbase will open a new support center in the United States and enhance security controls and monitoring at all locations.

Coinbase stated that it would not pay the $20 million ransom demanded by the attackers. Instead, it will establish a $20 million reward fund for information that helps apprehend and convict the perpetrators of this attack.

Social engineering attacks on Coinbase users may have become 'the norm'

Although the response measures seem proactive, security incidents involving Coinbase appear to happen frequently, and the amounts stolen are significant, especially in the social engineering scams that users encounter.

In February of this year, on-chain detective ZachXBT disclosed on X that between December 2024 and January 2025, Coinbase users lost over $65 million to social engineering scams. He indicated that the estimated $65 million could be 'far lower' than the actual amount, as it does not account for cases reported to Coinbase's support department and the police.

ZachXBT listed multiple security incidents and condemned Coinbase for failing to properly handle such scams. 'Coinbase needs to make urgent changes as more and more users are being scammed out of tens of millions of dollars each month. Other major exchanges have not experienced similar situations.'

ZachXBT also urged Coinbase's leadership to consider strengthening measures against social engineering attacks, including allowing KYC-verified users to optionally enter their phone numbers on the platform, adding restrictions on withdrawals for new user accounts, and enhancing community outreach.

These proposals may not have been adopted by Coinbase, but this extortion incident might serve as a wake-up call for the company.