
Nasdaq-listed cryptocurrency exchange Coinbase has suffered a serious security incident in which customer data was stolen, ending up in the hands of criminals demanding a US$20 million ransom.
Coinbase, the largest exchange in the United States with daily trading volumes of between US$3.25 billion and US$4.4 billion, said criminals "bribed and recruited a group of rogue overseas support agents" to steal data from it.
The stolen data was to be used "to facilitate social engineering attacks."
The crypto exchange said it won't pay the ransom, and has instead set up a US$20 million reward fund for information leading to the arrest and conviction of the criminals in question.
Less than one per cent of data for Coinbase monthly transacting users was taken, but the attackers got some sensitive information such as names, addresses, phone numbers and email addresses.
They were also able to obtain government identification images such as driver's licenses and passports, as well as account data with balance snapshots and transaction history.
Limited corporate data was also taken, along with a small number of customers' United States social security numbers and bank account numbers, which were masked so only the last digits were visible.
No private digital keys, login credentials, or two-factor authentication codes were taken. Nor could the criminals move or access customer funds, Coinbase Prime accounts, or any of the exchange or customer hot or cold wallets.
Customers who are tricked into sending funds to the attackers will be reimbursed, Coinbase said.
Coinbase also notified the US Securities and Exchange Commission (SEC) that the cost of the attack could be anywhere from US$180 million to US$400 million, "relating to remediation costs and voluntary customer reimbursements relating to this incident, prior to further review of potential losses, indemnification claims, and potential recoveries, which could meaningfully increase or decrease this estimate."
The attack follows the SEC dropping a Coinbase case in February this year, after the Trump administration took charge.
However, Coinbase this week confirmed that the SEC has been investigating the exchange for misstating its user numbers.
Coinbase denies any wrongdoing, and says the investigation is a hold-over from the Biden administration, over a metric it stopped reporting two and a half years ago.
5 Comments
Well, at least it is good to see someone in US law enforcement is still on the job!
Doubt that will last very much longer.
That AI image suggests to me that AI has been watching too many Hollywood "computer" movies.
Health and safety nightmare with those cables all over the floor and poor lighting 😁
Another stark reminder that KYC is the real illicit activity. Governments force companies to collect sensitive data like home addresses—not for safety, but for surveillance. There's no ethical reason to need someone’s address just to do business with them. It’s a regulatory moat that protects incumbents and exposes everyone to hacks, leaks, and abuse.