Last week’s highly organized breach of cryptocurrency exchange Coinbase (COIN) left more questions than answers.
While some have hailed Coinbase’s handling of the crisis as a “really great example,” the breach has caused potentially significant privacy issues, mirroring the 2021 Ledger data breach. Coinbase has already admitted that customers may have lost nearly US$500 million as a result of the breach.
According to numerous experts who spoke to CoinDesk, cybercriminals accessed Coinbase user data by bribing and persuading employees to share it.
“The FailSafe system will make data technically impossible, but Coinbase clearly didn’t prioritize these measures, leaving the doors wide open,” Andy Zhou, co-founder of blockchain security company BlockSec, told CoinDesk.
Bad actors gaining access to personal data, whether through hacks or, in this case, through social engineering, is a major blow to an exchange that facilitates volumes worth billions of dollars each day. The breach created countless issues, including user privacy and trust. How could Coinbase, a publicly traded company, allow attackers to steal personal information and money from its doorstep? And could it have been prevented?
Hackett Communications CEO Heather Dale praised Coinbase’s response as a “master class of communication,” but Coinbase’s way of tackling the issue was simple: it threw as much money at it as possible.
The exchange offered a $20 million bounty to anyone who reported information leading to an arrest or prosecution. It also pledged to voluntarily refund affected users.
What happened?
Before analyzing the fallout of the breach, it is important to understand how it occurred at a public company that spends millions of dollars per month on security infrastructure.
In February, Chain reported an increase in theft involving Coinbase users. He said, “it’s the result of an aggressive risk model and that Coinbase hasn’t lost $300 (million) a year to social engineering scams.”
The full horror of hundreds of millions of dollars being stolen by cybercriminals came to light when Coinbase published a blog post revealing that customers’ account balances, government ID images, phone numbers, addresses and masked bank account details had been stolen.
Unlike other hacks and breaches, in which attackers exploit a flawed backend, these attackers went through the front door: they communicated directly with Coinbase employees and purchased access to information via rogue insiders. In its blog post, Coinbase did not disclose the method it used to find those responsible, but claimed it fired all responsible employees on the spot.
However, this issue is not limited to crypto. In 2022, digital bank Revolut confirmed that 50,000 sets of customer data had been stolen, and a year later, trading platform Robinhood leaked up to 5 million email addresses. The latter was fined $45 million by the SEC following the breach, after it was revealed that some of its customers had their accounts wiped out by the attacker.
In October, the BBC reported that one particular Revolut user lost £165,000 ($220,000) after a data breach, and that the neobank’s fraud detection system had prevented £475 million in fraud in 2023.
Coinbase competitors Binance and Kraken said they were able to dodge similar social engineering attacks in recent weeks.
Coinbase CEO Brian Armstrong also posted a video to X last week, saying he had received a “ransom note” demanding $20 million in bitcoin in exchange for the attackers not publishing the information they claimed to have obtained about Coinbase customers.
ZachXBT added on Thursday that the attackers had begun obfuscating stolen funds by swapping BTC for ETH on THORChain, a venue often used by the notorious North Korean hacking group Lazarus.
“Major Wake Up Call”
Andy Zhou, co-founder of blockchain security firm BlockSec, told CoinDesk that Coinbase should perform “more stringent background checks on employees processing sensitive data” and set up alarms for “any strange activity,” such as someone suddenly downloading thousands of customer profiles.
Zhou added that Coinbase should have implemented some technical solutions. These include strict role-based access, so that employees see only the data they need, and privacy tools (for example, blurred ID photos) that let them work without seeing raw details.
Nick Tausek, lead security automation architect at Swimlane, told CoinDesk that the breach should be a “major wake-up call” on the need for robust insider threat detection.
“With outsourcing at scale and operations extending across time zones, insider threat detection and access governance is not an afterthought. A single insider with proper access or, in this case, a wrong incentive can puncture holes in even the most enhanced security posture.”
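The kind of “strange activity” alarm Zhou describes can be sketched as a per-agent sliding-window check over support-tool audit logs. This is an added example, not code from the article or from Coinbase; the log format, agent and ticket names, and thresholds are all assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed audit log (not real data): timestamp, agent, customer, ticket ("-" = none).
SAMPLE_LOG = "\n".join(
    [
        "2025-01-06T09:05:00 agent_a cust_101 TCK-1",
        "2025-01-06T09:40:00 agent_a cust_102 TCK-2",
        "2025-01-06T11:15:00 agent_a cust_103 TCK-3",
    ]
    # agent_b opens eight different profiles in eight minutes with no ticket.
    + [f"2025-01-06T10:{m:02d}:00 agent_b cust_{200 + m} -" for m in range(8)]
)


def detect(log_text, window=timedelta(hours=1), max_profiles=5, max_unticketed=2):
    """Return {agent: [reasons]} for agents whose profile access looks abnormal.

    Thresholds are illustrative assumptions; tune them per role in practice.
    """
    recent = defaultdict(deque)  # agent -> (timestamp, customer, ticket) in window
    alerts = defaultdict(set)
    # ISO-8601 timestamps lead each line, so a plain sort is chronological.
    for line in sorted(l.strip() for l in log_text.splitlines() if l.strip()):
        ts_raw, agent, customer, ticket = line.split()
        ts = datetime.fromisoformat(ts_raw)
        events = recent[agent]
        events.append((ts, customer, None if ticket == "-" else ticket))
        while events[0][0] < ts - window:  # drop events older than the window
            events.popleft()
        distinct = {c for _, c, _ in events}
        unticketed = {c for _, c, t in events if t is None}
        if len(distinct) > max_profiles:
            alerts[agent].add("bulk_access")  # too many profiles per window
        if len(unticketed) > max_unticketed:
            alerts[agent].add("no_ticket")  # views with no business justification
    return {agent: sorted(reasons) for agent, reasons in alerts.items()}


if __name__ == "__main__":
    for agent, reasons in detect(SAMPLE_LOG).items():
        print(f"ALERT {agent}: {', '.join(reasons)}")
```

Counting distinct customers rather than raw requests keeps an agent who reloads one profile many times from tripping the alarm, and the ticket check catches low-volume browsing that a pure rate limit would miss.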
However, not everyone is piling on Coinbase.
“It’s not a Coinbase issue, it’s a systematic vulnerability that has been plaguing crypto since day one,” said MatterFi CEO Michal Pospieszalski.
He argued that the nature of sending crypto without intermediaries means that every platform is one mistake away from disaster.
Hackers need to engineer situations that let them trick users into sending funds in irreversible transactions. In the case of Coinbase, the attackers gained access to personally identifiable information from rogue employees.
According to Pospieszalski, the root issue is that users don’t know whether they are sending funds to the right recipient. He added that crypto runs on a “trust” model of identity verification, which is not sustainable.
What happens next?
Coinbase said it will voluntarily refund customers who lost funds in the breach and continue to work with law enforcement to capture those responsible. But for users, the road ahead is dark.
The exchange said in a regulatory filing Wednesday that the breach affected 69,461 customers. The filing also noted that the breach occurred in December 2024 and was not discovered by Coinbase until May 15th.
These details are now out in the open and may be offered for sale on the dark web or in shady Telegram groups. After the Ledger breach, customer details were published on RaidForums, a platform for sharing hacked data, which led to an increase in phishing attempts.
Unfortunately, Coinbase can’t do anything to prevent this leaked information from being shared, and affected users will have to put as many safeguards in place as possible. These include changing wallets, changing exchange deposit addresses, and even changing home address to avoid the risk of real-world robbery. Users whose Social Security numbers were leaked should also freeze their credit to prevent identity theft.
That may be a hassle, but as we saw earlier this year with the attempted kidnapping of Ledger co-founder David Balland (and of several other individuals over the past few weeks), criminals won’t stop until they extract the maximum amount of funds, even if it means resorting to brutal acts of violence.
This also raises potential legal issues. Is Coinbase liable if its customers are robbed or assaulted as a result of the data breach? Ledger failed to escape a proposed class action lawsuit earlier this year; the plaintiffs argued that Ledger violated its privacy policy and should have taken steps to prevent the breach.
Crypto researcher Molly White pointed out that Coinbase changed its user agreement in April, adding two provisions: one limiting class action lawsuits and one requiring that lawsuits be filed in New York.
Coinbase responded to Coindesk about White’s claims, saying that the exchange “notified the customer in advance” of changes to the user agreement, and that there was a class action waiver over “year.”
However, Coinbase did not comment on questions about whether the breach was preventable or how it will protect customers who may be exposed to the risk of future real-world robberies.


