Original title: Coinbase user data stolen and extorted for $20 million, social engineering attacks have become the norm
Original author: Felix, PANews
On May 15, two pieces of negative news about Coinbase led to a "Waterloo" for its stock price. One was Coinbase's disclosure of a cyber attack involving the theft of internal data and customer information, with the potential financial impact estimated at between $180 million and $400 million. Additionally, sources indicated that the U.S. SEC is still investigating whether Coinbase misreported user data prior to its IPO in 2021. Under the influence of these two news items, Coinbase's stock price dropped 7.2% in a single day.
Customer service leaked user data and extorted $20 million
Coinbase reported that cybercriminals bribed and recruited a group of malicious overseas customer service personnel who abused their access to the customer support system, stealing data from less than 1% of monthly trading users (approximately 80,000 to 100,000). Although no funds, passwords, or private keys were stolen, and Coinbase Prime accounts were "not affected," the attackers utilized this data to launch targeted social engineering scams against customers.
Commenting on the method of attack, some crypto enthusiasts noted that this kind of targeted social engineering attack (utilizing overseas customer support teams) is not uncommon in the crypto industry. The information of active users on crypto trading platforms is worth far more than one might imagine. The average cost of acquiring a new user is $5-50 per effective user for top trading platforms, and $50-300 for small to medium trading platforms. After launching the social engineering scam, the Coinbase attackers sent a ransom note demanding $20 million worth of Bitcoin, threatening to publish the stolen customer data if Coinbase did not pay.
The report stated that the attackers obtained:
· Name, address, phone number, and email
· Masked social security numbers (only the last 4 digits)
· Masked bank account numbers and some bank account identifiers
· Government-issued ID images (such as driver's licenses, passports)
· Account data (balance snapshots and transaction history)
· Limited company data (including documents, training materials, and communication information available to customer service personnel)
However, data such as login credentials or two-factor authentication codes, private keys, any ability to transfer or access customer funds, access to Coinbase Prime accounts, and access to any Coinbase or Coinbase customer hot or cold wallets were "not stolen."
Multiple measures to combat attacks, refuse to pay ransom, and issue a bounty
After the incident, Coinbase took a series of response measures. They first collaborated closely with law enforcement. The internal personnel responsible for the data leak were fired on the spot and handed over to U.S. and international law enforcement, and Coinbase stated that criminal charges would be filed.
Secondly, they tracked the stolen funds. Coinbase worked with industry partners to tag the attackers' addresses so that authorities could track and recover assets. They also promised to compensate customers who were tricked into sending funds to the attackers due to social engineering attacks. To further ensure operational safety, Coinbase will establish a new support center in the U.S. and strengthen security controls and monitoring at all locations. In response to the $20 million ransom demanded by the attackers, Coinbase stated that they would not pay. Meanwhile, Coinbase will set up a $20 million reward fund for information that helps apprehend and convict the perpetrators of this attack.
Coinbase users falling victim to social engineering attacks may have become "the norm"
Although the series of response measures seems positive, security incidents involving Coinbase appear to be frequent, and the amounts stolen are quite significant, especially regarding the social engineering scams users have faced. In February of this year, on-chain detective ZachXBT disclosed on platform X that between December 2024 and January 2025, Coinbase users lost over $65 million due to social engineering scams. He noted that the estimated $65 million could be "far below" the actual amount, as it does not account for cases submitted to Coinbase support and the police.
ZachXBT listed multiple security incidents and "condemned" Coinbase for failing to properly handle such scams. "Coinbase needs to make urgent changes as more and more users are being scammed out of tens of millions of dollars each month. Other major trading platforms are not experiencing similar situations."
ZachXBT also urged Coinbase's leadership to consider strengthening measures against social engineering attacks, including allowing KYC-verified users to optionally input phone numbers on the platform, adding restrictions for new user accounts regarding withdrawals, and enhancing community outreach. These proposals may not have been adopted by Coinbase, but this extortion incident may serve as a wake-up call for Coinbase.