Coinbase Hackers Had Access to Customer Data Since January

By and Emily Nicolle | May 16, 2025

Hackers had near-constant access to some of Coinbase Global Inc.’s most valuable customer data since January, according to a person familiar with the incident who asked not to be named discussing company matters.

The largest US crypto exchange disclosed earlier on Thursday that hackers bribed customer representatives to steal the data and then demanded a $20 million ransom to delete it. Coinbase began noticing unusual activity from some of these representatives in January, the company confirmed in an interview with Bloomberg News.

The hackers bribed customer service representatives to get access to names, dates of birth, addresses, nationalities, government-issued ID numbers, some banking details and details about when customers’ accounts were created and their balance, the person familiar with the situation said. This information could be used to attempt to impersonate Coinbase and convince customers to let the hackers into their account. It could also be used to impersonate the victims with other service providers to attempt to convince them to let hackers into other financial accounts they might own.

The threat actors had bribed enough customer service representatives to achieve effectively on-demand access to Coinbase customer information in the past five months, the person said. In an interview with Bloomberg News, Chief Security Officer Philip Martin disputed the near-constant access assertion, saying Coinbase pulled the agents’ access as soon as it was discovered they were improperly sharing information. Therefore the hackers “did not have persistent access over the course of the entire period,” he said.

“What these attackers were doing was finding Coinbase employees and contractors based in India who were associated with our business process outsourcing or support operations, that kind of thing and bribing them in order to obtain customer data,” Martin said.

Coinbase detected the agents, quarantined them and fired them as soon as the company noticed the activity.

“So there were a number of specific bribery incidents that this attack, that this threat actor is claiming credit for throughout the course of that time, but they did not have persistent access over the course of the entire period,” he said.

The hackers had access to this data as recently as Wednesday, the person familiar with the incident said. Martin said “we have no reason to believe that is true at all” but could not “prove a negative.”

Bloomberg News is aware of one notable, high net worth individual’s data being accessed, whom Bloomberg is not disclosing for privacy reasons.

David Jeong, a crypto founder in New York, said he received a text from an unidentified number on April 3, in which he was asked to verify the login for his personal account. He then received another text from a different number on May 4. Jeong said he hasn’t used Coinbase OTP for two years.

Coinbase said in the filing that it received an anonymous email from the hackers making their ransom demand on May 11. It added that in the months leading up to that email it had detected instances of customer support agents outside of the US collecting data from internal Coinbase systems. Those employees and contractors have been fired, Coinbase said. Coinbase estimated the incident could cost the firm up to $400 million to remedy.

Last weekend, some premium customers received emails suggesting that their information had been accessed. A Coinbase spokeswoman declined to state when they began alerting customers that their data had been accessed but said they sent “communications to those customers warning about the risks of scams and social engineering.”

“At Coinbase, we actively monitor our systems to ensure customer information is only accessed when necessary and in accordance with our strict security standards. We wanted to let you know that we detected activity suggesting that information related to your account may have been accessed in a way that did not align with our internal policies,” the company said in a customer email reviewed by Bloomberg. “The information did not involve your password, seed phrase, or any other information that would have allowed someone to directly access your account or your funds.”

In the email, Coinbase recommended that customers ensure they’re “regularly monitoring your account, using a strong and unique password.”

Less than 1% of the exchange’s monthly transacting users were affected, Coinbase said Thursday. In addition to ramping up security controls for those affected, Coinbase said it would reimburse in full anyone who lost money. Instead of paying the ransom, the exchange is offering a $20 million bounty to anyone with information leading to the attackers’ arrest and conviction.

Hacks have long plagued the crypto industry, thanks to its heavy reliance on user anonymity and complex digital software. Around $2.2 billion was lost to such incidents in 2024, according to researcher Chainalysis. Operating under the threat of attack has been particularly painful for crypto exchanges, which are often major targets and face high ongoing costs to maintain tight security.

“Unfortunately as our nascent industry grows rapidly, it draws the eye of bad actors, who are becoming increasingly sophisticated in the scope of their attacks and harnessing new AI tools and techniques to bypass fraud prevention measures,” said Nick Jones, founder and CEO at crypto technology platform Zumo. “This is understandably a huge blow for a company that has had a pivotal few weeks.”

The incident comes as Coinbase is set to join the S&P 500 index next week. Inclusion in the benchmark is becoming more important for companies in a world increasingly dominated by passive investment funds, wrapping Coinbase’s stock into numerous trackers following the index. Coinbase shares slipped 7% to $244.89 as of 3:03 p.m. in New York.

Coinbase’s hackers deployed what’s called a social engineering attack — where criminals use people to gain unauthorized access to data, rather than exploiting flaws in computer code. This type of threat has become increasingly popular in crypto, resulting in recent major incidents like the $1.5 billion hack of crypto exchange Bybit in February.

Meanwhile, the New York Times reported that the Securities and Exchange Commission has been investigating whether Coinbase misstated its user numbers in past disclosures as part of an inquiry that began during the Biden administration.

“This is a hold-over investigation from the prior administration about a metric we stopped reporting two and a half years ago, which was fully disclosed to the public,” Paul Grewal, Coinbase’s chief legal officer, said in a statement. “While we strongly believe this investigation should not continue, we remain committed to working with the SEC to bring this matter to a close.”

Photo: Tiffany Hagler-Geard/Bloomberg
