On May 15 (Thursday) Eastern Time, Coinbase, the largest cryptocurrency exchange in the U.S., disclosed that cybercriminals bribed its overseas customer service personnel to steal customer data in order to carry out social engineering attacks.

According to Coinbase's preliminary estimates, the total costs and customer compensation resulting from this incident could range from $180 million to $400 million. Coinbase stated in the filing, 'As the company is still conducting an investigation, the full impact of the incident has yet to be determined.' Additionally, law enforcement has intervened in the investigation.

This is the second major security breach at a well-known cryptocurrency exchange globally since Bybit experienced the largest hacking attack in history last February. As a result, Coinbase's shares plummeted 7.2% on Thursday, with a market value evaporating by $4.8 billion in a single trading day.

Moreover, this data breach incident occurred as Coinbase is about to be included in the S&P 500 index, which will take effect before the trading begins on May 19.

Ding Zhaofei, chief analyst at the Asian digital asset financial services group Hashkey Group, told a reporter from Daily Economic News that this incident exposed the multiple security challenges faced by cryptocurrency exchanges, especially in building internal trust systems and applying new technologies.

He pointed out that, in terms of internal trust systems, the principle of least privilege must be enforced, and highly sensitive data must be stored in isolation with access subject to multiple authorizations. Additionally, exchanges need to explore more advanced privacy protection technologies, 'for example, analyzing employee and user behavior patterns through AI.'

In a filing with the U.S. Securities and Exchange Commission (SEC), the company stated that it received an email on May 11 from a sender who claimed to have obtained part of Coinbase's customer account information and other internal documents. The leaked data includes names and contact information, some social security numbers and bank account identification information, government ID photos, and certain company and account data.

Coinbase did not disclose how many customers' information was accessed, stating only that the number of affected users is less than 1% of its total users. The company expects this incident to result in losses of $180 million to $400 million, mainly for customer compensation, system repairs, and security enhancements. Coinbase has promised to fully compensate affected users' losses and has begun cooperating with law enforcement to track down the identity of the attackers.

Shockingly, Coinbase stated that cybercriminals also bribed its overseas customer service personnel to steal customer data to carry out social engineering attacks. Their goal was to collect a list of contactable customers while pretending to be Coinbase, deceiving customers into handing over their cryptocurrencies.

The company stated in a blog post, 'Cybercriminals bribed and recruited a group of overseas customer service personnel to steal Coinbase customer data to assist in social engineering attacks. These insiders abused their access to the customer support system to steal a small portion of customer account data. There was no leakage of passwords, private keys, or funds, and Coinbase Prime accounts were unaffected. We will compensate customers who were tricked into transferring funds to attackers.'

Subsequently, cybercriminals demanded Coinbase pay a ransom of $20 million in Bitcoin, or they would publicly disclose this data. In response, Coinbase rejected the demand while offering a $20 million reward for information about the criminals.

As a result, Coinbase's shares plummeted 7.2% on Thursday, with a market value evaporating by $4.8 billion in a single trading day. As of the time of publication, Coinbase's stock price rose 1.48% in pre-market trading.

This data breach incident occurred as Coinbase was about to achieve a milestone.

On May 13, according to a press release from S&P Dow Jones Indices, Coinbase will be included in the S&P 500 index, effective before trading begins on May 19. Prior to this announcement, Coinbase had announced plans to acquire Deribit, the world's largest Bitcoin and Ethereum options exchange, for $2.9 billion, marking one of the most significant acquisitions in cryptocurrency history.

In last week's earnings call, Coinbase CEO Brian Armstrong stated that he hopes to make Coinbase 'the world's number one financial services application' in the next 5 to 10 years. Oppenheimer analysts subsequently raised their target price forecast for Coinbase from $269 to $293.

However, this attack exposed Coinbase's vulnerabilities in internal security management. In addition, Coinbase is also facing an investigation by the U.S. Securities and Exchange Commission (SEC) regarding the accuracy of its disclosed user growth metrics for 'verified users' prior to its 2021 IPO.

How to ensure cryptocurrency security?

Over the past few years, the cryptocurrency ecosystem has suffered countless hacking attacks, often resulting in devastating losses. Early exchanges were particularly vulnerable due to relatively weak security measures and inadequate infrastructure. As the industry matured, hackers adjusted their strategies, targeting weaknesses in smart contracts, wallets, and decentralized finance (DeFi) platforms. This evolution of tactics highlights the ongoing arms race between cybercriminals and security professionals.

For example, during the Mt. Gox exchange collapse in 2014, hackers exploited system vulnerabilities to carry out a 'double spend attack,' stealing $473 million worth of Bitcoin held by the exchange and exposing the storage and management defects of centralized exchanges. In early 2018, Coincheck, one of Japan's largest digital currency trading institutions, suffered a hacking attack that resulted in a loss of $534 million in virtual assets.

A report by the research firm Chainalysis shows that the total amount of cryptocurrency stolen worldwide reached $2.2 billion over the course of 2024.

In late February, the globally renowned cryptocurrency exchange Bybit suffered the largest hacking attack in history, with analysts estimating losses close to $1.5 billion. That surpasses the $611 million theft suffered by Poly Network in 2021 and makes it the largest theft in cryptocurrency history.

Yu Wenxiu, an international economics master's student at Peking University's Law School, pointed out that for virtual currency issuers, the security risks of providing trading and service platforms mainly stem from three aspects: external hacker attacks, internal personnel or collusion between insiders and outsiders, and failures of the computer systems themselves. The Coinbase incident is a typical case of collusion between insiders and outsiders.

Ding Zhaofei, chief analyst at Hashkey Group, noted that from the perspective of internal trust systems, the Coinbase incident highlights the risks of data breaches due to internal personnel bribery: 'All levels of employees, whether in technical or non-technical positions, must strictly adhere to the principle of least privilege. Especially for highly sensitive data, such as customer ID photos, social security numbers, etc., they must be strictly isolated from account operation data, and access must go through multiple authorization processes. In addition, exchanges need to establish real-time behavior monitoring mechanisms to automatically identify abnormal access behaviors and regularly audit permission usage to ensure they are not abused or expanded.'

From a technical perspective, Ding Zhaofei believes that because this leak involves highly sensitive information such as customer ID photos and social security numbers, traditional security measures such as cold and hot wallet separation and multi-signature have become inadequate against new social engineering attacks. Therefore, exchanges need to explore more advanced privacy protection technologies.

'Traditional security measures remain fundamental, but they need to be combined with more dynamic and intelligent security strategies. For example, analyzing employee and user behavior patterns through AI can identify potential signs of social engineering attacks, especially in interactions between customer service and users, allowing for early detection and prevention of possible phishing activities. At the same time, dynamic authentication mechanisms combined with user behavior, biometrics, and other multi-factor verification methods can effectively enhance the security of authentication,' Ding Zhaofei added to the reporter.
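The two controls the analyst describes above, isolating sensitive fields behind a least-privilege role policy and monitoring support-agent access for abnormal patterns, can be illustrated with a small audit-log check. This is an added example, not code from Coinbase or Hashkey Group; the log format, role names, field names and the distinct-customer threshold are all assumptions, and the log lines are constructed.

```python
from collections import defaultdict

# Fields the analyst says must be isolated from ordinary account-operation data.
SENSITIVE_FIELDS = {"ssn", "id_photo", "bank_account"}
# Assumed least-privilege policy: which fields each support role may view.
ROLE_ALLOWED = {
    "tier1": {"name", "email", "ticket_history"},
    "tier2": {"name", "email", "ticket_history", "bank_account"},
    "kyc": {"name", "email", "ticket_history", "ssn", "id_photo", "bank_account"},
}

# Constructed support-system audit log: timestamp agent role customer field.
SAMPLE_LOG = """\
2025-05-10T09:01Z agent07 tier1 cust1001 email
2025-05-10T09:02Z agent07 tier1 cust1002 email
2025-05-10T09:05Z agent12 kyc cust1003 id_photo
2025-05-10T09:06Z agent12 kyc cust1003 ssn
2025-05-10T09:10Z agent07 tier1 cust1004 ssn
2025-05-10T09:11Z agent07 tier1 cust1005 ssn
2025-05-10T09:11Z agent07 tier1 cust1006 id_photo
2025-05-10T09:12Z agent07 tier1 cust1007 id_photo
2025-05-10T09:13Z agent07 tier1 cust1008 bank_account
2025-05-10T09:20Z agent19 tier2 cust1009 bank_account
2025-05-10T09:21Z agent19 tier2 cust1010 email
"""

def parse(log):
    """Turn each non-empty log line into an event dict."""
    for line in log.splitlines():
        if line.strip():
            ts, agent, role, cust, field = line.split()
            yield {"ts": ts, "agent": agent, "role": role, "cust": cust, "field": field}

def policy_violations(events):
    """Least-privilege check: accesses to fields the agent's role may not view."""
    return [e for e in events if e["field"] not in ROLE_ALLOWED.get(e["role"], set())]

def bulk_sensitive_access(events, threshold=3):
    """Behavioural check: agents who viewed sensitive fields of more distinct
    customers than `threshold` (an assumed limit) within the log's window."""
    per_agent = defaultdict(set)
    for e in events:
        if e["field"] in SENSITIVE_FIELDS:
            per_agent[e["agent"]].add(e["cust"])
    return {a: len(c) for a, c in per_agent.items() if len(c) > threshold}

def review_queue(log):
    """Agents flagged by either check, for human audit of their permission usage."""
    events = list(parse(log))
    flagged = {e["agent"] for e in policy_violations(events)}
    flagged |= set(bulk_sensitive_access(events))
    return sorted(flagged)
```

In the constructed log, agent07 is flagged twice: the tier-1 role never needs ID photos or SSNs, and the agent looks them up for five different customers in a few minutes, which is the pattern a bribed insider harvesting a contact list would produce.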