Coinbase says hackers bribed staff to steal customer data, demanding $20M ransom

The article keeps saying overseas employees or contractors, but isn't more specific on who Coinbase entrusted with this sensitive customer PII.

The bottom line is Coinbase didn't adequately secure sensitive customer information, and it was leaked.

Not, "Gosh, 'overseas' people, what can ya do?"

Question that needs to be answered if they were prosecuted. Losing your job but getting to keep the bribe just means it will still happen.

It's probably hard to keep call-center workers bribe-proof.

Yes, but I do think an organization like Coinbase or a cell phone carrier - which are extreme targets of fraud - have an obligation to recognize that their employees are targets and implement greater security measures than most organizations. Maybe Coinbase should even pay higher wages and use onshore customer service agents.

Call center workers who have access PII and financial abilities should probably be vetted a little bit better.

Well, it sounds like they do implement greater security measures than most organizations.

How can customer support operate without knowing anything about the customer?

It’s not hard, it’s expensive.

Pretty sure all the Big Banks use call centers and manage to avoid this.

How are you going to vet people to find out if they're vulnerable to bribery? Offer them a bribe during their probationary period, during which they only have access to fake customer data?

They haven't:

https://www.americanbanker.com/news/call-centers-and-bank-br... "Call centers and bank branches are major fraud liabilities"

https://www.bai.org/banking-strategies/beating-crooks-at-cal... "Aite Group’s findings that 61 percent of fraud can be traced back to the [call] center are equally concerning, as is its prediction that contact center fraud loss will double by 2020."

You can do a background check, but the reality of the matter is that you pay citizens a living wage to do the work instead of offshore it into a country that pays pennies.

Bank tellers can take thousands out of the vault at any time and yet it seems it’s not a very big issue.

A shared or hashed secret would do it.

Plenty of exchanges don't know their customers, and in fact that is how they get their customers.

Isn't the whole point of crypto to keep PII out of it completely? If not, what is all this non-sense for exactly, other than the typical goals of pyramid schemes?

Bank tellers are constantly surveilled by cameras, security guards, and several-times-daily cash counting, and it's still easy to find accounts of them having stolen significant amounts of money before getting caught. These are all from within the last year:

Vannia Chatt: https://6abc.com/post/former-citizens-bank-teller-accused-st...

Karen Farrell Tigler: https://www.irs.gov/compliance/criminal-investigation/former...

Stephanie Rose Kilbert: https://people.com/bank-teller-stole-money-while-pretending-...

Derek Aut: https://www.justice.gov/usao-ma/pr/former-bank-teller-arrest... https://www.usatoday.com/story/news/nation/2025/03/28/boston...

Mountee Brown: https://www.justice.gov/usao-md/pr/maryland-bank-teller-plea...

Being US citizens doesn't make people incorruptible. In fact, many other countries are less corrupt than the US. Someone in this very thread reports having witnessed bank tellers getting bribed in one of those countries: https://news.ycombinator.com/item?id=43996765

I've been through a background check designed to screen out people who were vulnerable to bribery. They interviewed my friends and family from the previous several years to find out if I was secretly gay, cheated on my wife, gambled, drank too much, used illegal drugs, or had money problems for some other reason. It took about a year. I think it would be hard for a financial institution to be economically competitive doing that kind of thing with their call-center workers, because their customers can't tell if they're secure or not, just how much their services cost.

Unfortunately government regulation does not make that possible for exchanges. It also is not the point of crypto.

Bribes are one thing, but threats could also happen. This is a big part of the reason why I absolutely hate entities that think residential addresses should be public record.

This is a precedent to Coinbase employees getting physical threats at their door just because e.g. some voter registration, utility company, bank, credit card, or court record decided to release their name and addresses on the internet. People could show up at some Coinbase software engineers' apartment doors with guns demanding they send BTC to arbitrary addresses.

Coinbase is a bridge between digital currencies and the traditional world.

The main point of crypto IMO is to have a large-denomination bearer asset.

This is overlooked most places but if you examine around the time the FATF finally pretty much eliminated bearer bonds, bearer stocks, and large bank notes was exactly the time crypto really took off.

Not if you are dealing with a regulated exchange that facilitates fiat money transactions.

You can receive crypto privately to your own wallet without sharing PII, without any exchange.

[flagged]

No. Coinbase deals with fiat money, therefore subject to AML and KYC regulations.

AFAICT it's impractical to keep residential addresses 100% private/secure - too many ways to get an address from any number of companies, organizations and governments that collect it for various reasons.

Plus numerous ways to infer your address from other data sources, including apps that grab GPS on friends' cellphones when they visit, etc.

Finally, shutting down paid data brokers seems virtually impossible in practice, which means anybody googling you can pay $20 and get everything.

Remember, the issue isn't lazy goodguys but even slightly motivated badguys, who then use third party scripts to do the data collection.

That's not related to customer support, though. It's more like customer surveillance.

this? https://www.investopedia.com/terms/b/bearer-instrument.asp

The question was about customer support. AML and KYC regulations do not require that customer support persons know your PII. That can be kept firewalled from them.

You know how your bank asks you to verify details when you call?

Without the right details the customer support people don’t get entry into the customers account details.

Banks have been doing this for 30+ years..

> shutting down paid data brokers seems virtually impossible in practice

Just jail them. Make it a felony to release someone's PII without their written consent, and make data brokers illegal to begin with.

> numerous ways to infer your address from other data sources, including apps that grab GPS on friends' cellphones when they visit

These are not the main vector of transmission of personal information. Yes, Meta could probably do some graph analysis and infer this, but it's a lot of work, and their data leaks are rare in comparison to all the other companies, financial institutions, and governmental organizations, that freely post residential addresses on the internet and to data brokers for the world to Google.

> companies, organizations and governments that collect it for various reasons

KYC requiring addresses should be banned. Companies should not collect a residential address.

You are writing this as if you know what countries Coinbase's call centers are located in and the role of organized crime in their economies, but you don't actually know either of those things.

yes. IIRC ~2015 was when the last of bearer bonds/shares were pretty much all completely immobilized. I can't recall when the last ~1000 USD equivalent banknotes were printed but it was also close to that time.

Then shift liability and let the insurers take care of it.

With a lot of this online stuff, no matter who gets your password or access to your account it’s you who has to take care of it. Whereas if the bank teller steals from the till it’s not your problem.

CS can validate without knowing the details, the same way you don't enter a password and then check to see if that matches the password in the system.

The fact that they keep blaming overseas customer support is pure blame shifting - you still hired someone and gave them access to all this data, Coinbase!

Lol, that's because while Coinbase emphasizes its commitment to security and compliance specific details about the geographic distribution of its offshore personnel are not disclosed in its public filings.

> you pay citizens a living wage to do the work instead of offshore

But what about the capital class? How will they afford more yachts? So sad. They're.. um... job creators or something. Anyway, that's what Fox News told me.

My perspective was more "That's because you post contentious statements in public fora with no reason to believe that they are true, hoping to get a big reaction by offending people."

Man, I hate how Wisconsin makes the data not only public, but free.

I bought a house here after a long time out of country and the first year all I got for mail was scam bullshit. Loads of it.

I suggest following the links I provided, which clearly demonstrate that the comment you posted in reply to them is false.

You mean like in the USA?

> ...bribed AT&T employees at a call center in Bothell, Washington, to "use their network credentials and exceed their authorized access to AT&T's computers to submit large numbers of fraudulent and unauthorized unlock requests on behalf of the conspiracy and to install malware and unauthorized hardware on AT&T's systems," according to the indictment.

https://abcnews.go.com/Politics/att-employees-bribed-1m-unlo...

Doesn't matter when Coinbase still got exploited

Let me add to your statement. It is hard to keep call center workers bribe-proof WHEN they are paid peanuts AND they are working for a company that is in an extremely high risk business of managing crypto.

Not sure how bribing employees to unlock phones early is comparable to defrauding elderly people.

In a broad sense I agree, but it does matter to orionsbelt's comment.

We don’t know if they had access to everything. They got data for “less than 1% of monthly transacting customers”.

Yes but you can not give them a SQL prompt. Rate limiting account queries per CSR is a common mitigation measure.

They are probably used as scapegoats and didn't even leak the stuff. Crypto companies tend to do that.

The PII is required by governments, to convert crypto money into real money.

Bank tellers do steal money from the banks they work for though and banks invest a significant amount of resources and have a lot of policies to prevent it.

For example at many banks the teller might need to get manager approval for some cash withdrawals, even for seemingly smaller amounts of money. Despite what it may seem, it's not because of some distrust towards the client but a safeguard against internal fraud.

correct, but what's the alternative? they're paid peanuts because it's not exactly the kind of job you ever pay out the wazoo for. the only thing that comes to mind if I'm Brian Armstrong is going all in on AI bots that can get to 90% of the way there (maybe 95%) and then have domestic based humans that are paid more with (presumably) a less probability of being bribed. but realistically, the only way to stop something like this is going 100% AI bots but then that comes at the expense of customer satisfaction, and also bots that are exploitable through prompt manipulation.

alternatively limit the roles and what the offshore people are able to do, but then any escalation means domestic people, which brings us back to "well at that point just use AI to automate easy tasks"

Read my comment further:

> ..install malware and unauthorized hardware on AT&T's systems

That's not as harmless as unlocking phones early. A major carrier that has access to texts, geolocations, and call logs being hacked like that is extremely concerning.

You can take the Google approach of basically not empowering the agents at all. It's not worth trying to social engineer Google CS, because they can't do anything anyway.

Which is such a lame and flawed mechanism to avoid letting them access anyone's data. I mean what are you even trying to prove here? That banks care about customer's security when they can't even implement a secure 2FA which is not just an unencrypted text message

“Give a man a gun and he can rob a bank, but give a man a bank, and he can rob the world.”

Normally payment should follow the amount of power/responsibility. If you pay someone peanuts but they have root access to prod, then you should pay more or restrict their credentials. Same applies to being able to access PII.

It's hard to keep most people bribe proof.

It's simple. They want to centralize crypto and dickheads like armstrong are happy to be in line to make that happen. Just look at tether, what's the point of it? It's nothing but a front for inflating the price of bitcoin. It has NEVER been audited and has been found to NOT have any USD backing at all

This is a feature of bitcoin not a bug.

If you sling code for cryptocurrency you and your loved ones are "in the game" now.

https://www.bbc.com/news/articles/c20qee5030do

Coinbase has the same approach. It's a miracle that ransomware operators got in touch with Coinbase support at all.

> Coinbase didn't adequately secure sensitive customer information, and it was leaked

Practically every company has someone with credentials who is in some combination of debt, a damningly-adulterous relationship, a damningly-illegal substance relationship and/or feels underappreciated or slighted compensationwise. The question is generally how much it costs.

> what's the alternative?

Small set of privileged employees who work from the home office and are compensated to match. If an issue requires their attention, it takes time to resolve. But it's resolved securely. In essence, what Google does.

Alternative is the banking model. Low-cost customer service massively empowered and just eat the costs of breaches as they come.

Which is exactly why insider threats should be explored as a threat-model and mitigated to make the blast radius as small as possible via rate PII sanitization, access controls, access monitoring, rate limiting, etc.

The odds are already against their future viability after a breach like this and if they're fumbling the response this bad it really doesn't bode well for them.

They would have been better off not even bringing up their location if they weren't going to be transparent.

It would be pretty simple actually

>Go on LinkedIn

>Look up profiles of people who work at Coinbase

>Contact and bribe them with a burner account

> I mean what are you even trying to prove here?

That there are more options than holding your hands up and arguing the company couldn't have done anything further in terms of implementing effective controls.

This also wouldn't be particularly difficult to implement.

The fact that offshore support is allowed to access KYC information for US-based customers should be against some sort of regulation.

What Google does is “don’t resolve shit”. When I was a Google Fi customer paying $60-80/mo, so more than the vast majority of Google users, their customer support was completely useless (but at least polite, I’ll give them that). They did take their sweet time, kept promising to call me back after each fruitless call I initiated but didn’t, so you’re right about “it takes time to resolve” I guess.

My multiple banks’ customer service is meh but they do resolve problems and as far as I can tell, haven’t leaked any of my stuff yet in decades. That you think “what Google does” is better than “the banking model” is amusing.

Oh totally. I’m just defining the poles of the spectrums. Someone has to eat the cost, whether it be in friction and inconvenience or reimbursing fraud.

Where do you see blame, this is a fact and it's relevant.

If they didn't say this, there would be pitchforks out about not giving enough information.

Loss prevention is a big deal for employees, not just customers. People steal stuff from their employers ALL the time.

Which is what happened here, they didn't get 100% of data, only 1%.

You're probably wrong if you read more into this scenario.