Coinbase says hackers bribed staff to steal customer data, demanding $20M ransom

It's probably hard to keep call-center workers bribe-proof.

Yes, but I do think an organization like Coinbase or a cell phone carrier - which are extreme targets of fraud - have an obligation to recognize that their employees are targets and implement greater security measures than most organizations. Maybe Coinbase should even pay higher wages and use onshore customer service agents.

Call center workers who have access PII and financial abilities should probably be vetted a little bit better.

Well, it sounds like they do implement greater security measures than most organizations.

It’s not hard, it’s expensive.

Pretty sure all the Big Banks use call centers and manage to avoid this.

How are you going to vet people to find out if they're vulnerable to bribery? Offer them a bribe during their probationary period, during which they only have access to fake customer data?

They haven't:

https://www.americanbanker.com/news/call-centers-and-bank-br... "Call centers and bank branches are major fraud liabilities"

https://www.bai.org/banking-strategies/beating-crooks-at-cal... "Aite Group’s findings that 61 percent of fraud can be traced back to the [call] center are equally concerning, as is its prediction that contact center fraud loss will double by 2020."

You can do a background check, but the reality of the matter is that you pay citizens a living wage to do the work instead of offshore it into a country that pays pennies.

Bank tellers can take thousands out of the vault at any time and yet it seems it’s not a very big issue.

Bank tellers are constantly surveilled by cameras, security guards, and several-times-daily cash counting, and it's still easy to find accounts of them having stolen significant amounts of money before getting caught. These are all from within the last year:

Vannia Chatt: https://6abc.com/post/former-citizens-bank-teller-accused-st...

Karen Farrell Tigler: https://www.irs.gov/compliance/criminal-investigation/former...

Stephanie Rose Kilbert: https://people.com/bank-teller-stole-money-while-pretending-...

Derek Aut: https://www.justice.gov/usao-ma/pr/former-bank-teller-arrest... https://www.usatoday.com/story/news/nation/2025/03/28/boston...

Mountee Brown: https://www.justice.gov/usao-md/pr/maryland-bank-teller-plea...

Being US citizens doesn't make people incorruptible. In fact, many other countries are less corrupt than the US. Someone in this very thread reports having witnessed bank tellers getting bribed in one of those countries: https://news.ycombinator.com/item?id=43996765

I've been through a background check designed to screen out people who were vulnerable to bribery. They interviewed my friends and family from the previous several years to find out if I was secretly gay, cheated on my wife, gambled, drank too much, used illegal drugs, or had money problems for some other reason. It took about a year. I think it would be hard for a financial institution to be economically competitive doing that kind of thing with their call-center workers, because their customers can't tell if they're secure or not, just how much their services cost.

[flagged]

You are writing this as if you know what countries Coinbase's call centers are located in and the role of organized crime in their economies, but you don't actually know either of those things.

Then shift liability and let the insurers take care of it.

With a lot of this online stuff, no matter who gets your password or access to your account it’s you who has to take care of it. Whereas if the bank teller steals from the till it’s not your problem.

Lol, that's because while Coinbase emphasizes its commitment to security and compliance specific details about the geographic distribution of its offshore personnel are not disclosed in its public filings.

> you pay citizens a living wage to do the work instead of offshore

But what about the capital class? How will they afford more yachts? So sad. They're.. um... job creators or something. Anyway, that's what Fox News told me.

My perspective was more "That's because you post contentious statements in public fora with no reason to believe that they are true, hoping to get a big reaction by offending people."

I suggest following the links I provided, which clearly demonstrate that the comment you posted in reply to them is false.

You mean like in the USA?

> ...bribed AT&T employees at a call center in Bothell, Washington, to "use their network credentials and exceed their authorized access to AT&T's computers to submit large numbers of fraudulent and unauthorized unlock requests on behalf of the conspiracy and to install malware and unauthorized hardware on AT&T's systems," according to the indictment.

https://abcnews.go.com/Politics/att-employees-bribed-1m-unlo...

Doesn't matter when Coinbase still got exploited

Let me add to your statement. It is hard to keep call center workers bribe-proof WHEN they are paid peanuts AND they are working for a company that is in an extremely high risk business of managing crypto.

Not sure how bribing employees to unlock phones early is comparable to defrauding elderly people.

In a broad sense I agree, but it does matter to orionsbelt's comment.

Yes but you can not give them a SQL prompt. Rate limiting account queries per CSR is a common mitigation measure.

Bank tellers do steal money from the banks they work for though and banks invest a significant amount of resources and have a lot of policies to prevent it.

For example at many banks the teller might need to get manager approval for some cash withdrawals, even for seemingly smaller amounts of money. Despite what it may seem, it's not because of some distrust towards the client but a safeguard against internal fraud.

correct, but what's the alternative? they're paid peanuts because it's not exactly the kind of job you ever pay out the wazoo for. the only thing that comes to mind if I'm Brian Armstrong is going all in on AI bots that can get to 90% of the way there (maybe 95%) and then have domestic based humans that are paid more with (presumably) a less probability of being bribed. but realistically, the only way to stop something like this is going 100% AI bots but then that comes at the expense of customer satisfaction, and also bots that are exploitable through prompt manipulation.

alternatively limit the roles and what the offshore people are able to do, but then any escalation means domestic people, which brings us back to "well at that point just use AI to automate easy tasks"

Read my comment further:

> ..install malware and unauthorized hardware on AT&T's systems

That's not as harmless as unlocking phones early. A major carrier that has access to texts, geolocations, and call logs being hacked like that is extremely concerning.

You can take the Google approach of basically not empowering the agents at all. It's not worth trying to social engineer Google CS, because they can't do anything anyway.

Normally payment should follow the amount of power/responsibility. If you pay someone peanuts but they have root access to prod, then you should pay more or restrict their credentials. Same applies to being able to access PII.

It's hard to keep most people bribe proof.

Coinbase has the same approach. It's a miracle that ransomware operators got in touch with Coinbase support at all.

> what's the alternative?

Small set of privileged employees who work from the home office and are compensated to match. If an issue requires their attention, it takes time to resolve. But it's resolved securely. In essence, what Google does.

Alternative is the banking model. Low-cost customer service massively empowered and just eat the costs of breaches as they come.

It would be pretty simple actually

>Go on LinkedIn

>Look up profiles of people who work at Coinbase

>Contact and bribe them with a burner account

The fact that offshore support is allowed to access KYC information for US-based customers should be against some sort of regulation.

What Google does is “don’t resolve shit”. When I was a Google Fi customer paying $60-80/mo, so more than the vast majority of Google users, their customer support was completely useless (but at least polite, I’ll give them that). They did take their sweet time, kept promising to call me back after each fruitless call I initiated but didn’t, so you’re right about “it takes time to resolve” I guess.

My multiple banks’ customer service is meh but they do resolve problems and as far as I can tell, haven’t leaked any of my stuff yet in decades. That you think “what Google does” is better than “the banking model” is amusing.

Oh totally. I’m just defining the poles of the spectrums. Someone has to eat the cost, whether it be in friction and inconvenience or reimbursing fraud.

Loss prevention is a big deal for employees, not just customers. People steal stuff from their employers ALL the time.