Most active commenters
  • (5)
  • suzzer99(4)
  • rsynnott(4)
  • panarky(3)
  • zamadatix(3)
  • cyanydeez(3)

←back to thread

Coinbase says hackers bribed staff to steal customer data, demanding $20M ransom

(www.cnbc.com)
410 points gpi | 77 comments | 15 May 25 15:52 UTC | HN request time: 0.003s | source | bottom
Show context
modeless ◴[15 May 25 19:12 UTC] No.43998293[source]
I have been receiving regular spear phishing calls from these guys, or someone who bought the leaked data, with classic tactics like claiming that I need to confirm a potentially fraudulent transaction. They speak perfect English with an American accent, sound very friendly, and have knowledge of your account balance. Thankfully on the first call I realized it was a scam right away, and Google's call screening feature takes good care of the rest. Wish I could forward them to Kitboga[1].

I guess they didn't have as much luck as they wanted scamming Coinbase's customers, and once they had their fun they decided to try extorting Coinbase themselves.

[1] https://www.youtube.com/watch?v=HNziOoXDBeg

replies(10): >>43998497 #>>43998546 #>>43998550 #>>43998551 #>>43998639 #>>43999013 #>>43999303 #>>43999425 #>>43999455 #>>44000073 #
1. panarky ◴[15 May 25 19:42 UTC] No.43998551[source]
If you had any significant assets on Coinbase at any time prior to this breach, spear phishing is the least of your worries.

Coinbase not only leaked your full name and address, they also gave up your balances, your transaction history, and images of your government identification.

People with "significant" crypto balances are being assaulted on the street and in their own homes, and family members are being kidnapped for ransom.

"Significant" in this case can be $10k or less.

Until now, your best defense secrecy. Never talk about crypto in public in any way that could be traced to your real-world identity.

Thanks to Coinbase that defense is now gone.

The bad guys can see who has ever had a significant balance on Coinbase (even if they don't right now), whether that balance was sold for cash and how much, or if you've ever transferred tokens off the exchange to a self-custody wallet.

Now the bad guys know who's worth kidnapping for ransom and where you live. For most people, a Google search of your name and home address turns up the names of family members who would would also be lucrative targets for kidnapping and threats of violence.

Coinbase will never be forced to reimburse all the damage they've done because the true cost would bankrupt the company.

replies(12): >>43998696 #>>43998820 #>>43999011 #>>43999267 #>>43999315 #>>43999840 #>>44000135 #>>44000613 #>>44001088 #>>44001777 #>>44002734 #>>44004453 #
2. krunck ◴[15 May 25 19:56 UTC] No.43998696[source]
But hey, at least by being forced to give crypto exchanges all our personal details we're all super protected from the four horsemen: money laundering, drugs, terrorism and pornography.
replies(3): >>43998827 #>>43999664 #>>44001205 #
3. zamadatix ◴[15 May 25 20:09 UTC] No.43998820[source]
> People with "significant" crypto balances are being assaulted on the street and in their own homes, and family members are being kidnapped for ransom. "Significant" in this case can be $10k or less.

I wonder why, select a person completely at random and by median you'll get just as much from what they have sitting in their checking account. Select a nicer area for an order of magnitude more. That's not encouragement to go assault people in their homes or kidnap families... just confusion.

replies(4): >>43998860 #>>43998883 #>>44000012 #>>44000093 #
4. ◴[15 May 25 20:10 UTC] No.43998827[source]
5. Balgair ◴[15 May 25 20:14 UTC] No.43998860[source]
Yeah, but banks and the normie monetary system has a lot more safeguards in it when it comes to account transfers. Or at least, they appear to have them.

Crypto? It's wild, and people think it's wild.

replies(2): >>43999682 #>>44000071 #
6. suzzer99 ◴[15 May 25 20:17 UTC] No.43998883[source]
The median person does not have $10k sitting in a checking account that they can easily withdraw. My gut feeling is that the threat of kidnapping is a lot more serious in some countries. The US maybe not so much.
replies(3): >>43998971 #>>43998977 #>>43999705 #
7. ◴[15 May 25 20:26 UTC] No.43998971{3}[source]
8. zamadatix ◴[15 May 25 20:27 UTC] No.43998977{3}[source]
Good point, perhaps the lower $ examples are about other countries where that may be a lot more than median transactional account holdings and maybe that concern is part of why folks were using crypto holdings.
9. suzzer99 ◴[15 May 25 20:31 UTC] No.43999011[source]
Florida teens kidnap Las Vegas man, drive him to Arizona desert, steal $4M in cryptocurrency

https://www.yahoo.com/news/florida-teens-kidnap-las-vegas-20...

replies(3): >>43999338 #>>44000987 #>>44001296 #
10. ClumsyPilot ◴[15 May 25 20:57 UTC] No.43999267[source]
> will never be forced to reimburse all the damage they've done because the true cost would bankrupt the company

This story keeps repeating. Maybe we should try it and see if it works as a deterrent.

replies(2): >>44000119 #>>44000417 #
11. cyanydeez ◴[15 May 25 21:04 UTC] No.43999315[source]
"decentralized currency"
replies(1): >>43999348 #
12. kmfrk ◴[15 May 25 21:06 UTC] No.43999338[source]
Seems to be a whole thing in France too: https://www.theguardian.com/world/2025/may/04/french-police-....
replies(1): >>43999636 #
13. modeless ◴[15 May 25 21:07 UTC] No.43999348[source]
Bitcoin is plenty decentralized. Coinbase deals with dollars, that's the non-decentralized part.
replies(1): >>43999706 #
14. tsimionescu ◴[15 May 25 21:48 UTC] No.43999664[source]
I think that the right lesson to learn here is not "I should store my money with a company I can't trust not to advertise where I live, but without telling them where I live ".
15. cyanydeez ◴[15 May 25 21:50 UTC] No.43999682{3}[source]
of course, you need to point out that Crypto has ended up being indistinguishable from the banking system in all the important parts.

The distinguishing parts are things you don't want: easily corrupted, grifted, cheated and otherwise duped.

16. zardo ◴[15 May 25 21:52 UTC] No.43999705{3}[source]
> The median person does not have $10k sitting in a checking account that they can easily withdraw.

That's true, finding someone with 10k is not as easy as picking a person at random, but it is as easy as driving to the right parking lot and picking a person at random.

replies(1): >>44001383 #
17. cyanydeez ◴[15 May 25 21:52 UTC] No.43999706{3}[source]
so, the part that makes bitcoin useful to 99% of the people is the non-decentralized part.

Sounds like an appendix.

replies(1): >>44000178 #
18. aeternum ◴[15 May 25 22:08 UTC] No.43999840[source]
Why do you see this as the fault of Coinbase? Do other companies somehow have employees that are immune to bribes and blackmail?

This is due to US Government KYC laws that forced Coinbase to associate government identification with all accounts. No crypto company required ID until they were forced to.

replies(7): >>43999931 #>>43999986 #>>44000047 #>>44000085 #>>44000175 #>>44001234 #>>44003847 #
19. lavezzi ◴[15 May 25 22:19 UTC] No.43999931[source]
You don't think Coinbase is responsible for restricting access to member data for support agents?
20. panarky ◴[15 May 25 22:25 UTC] No.43999986[source]
The US Government didn't provide high-volume, bulk access to this extremely sensitive information to contractors in foreign countries with no controls over their ability to mass-exfiltrate the data.

Coinbase is the entity that set up this dangerous system.

Coinbase did it because it was cheap for them, not because they were being trustworthy custodians of information that put their customers at risk.

Sure, yes, obviously every company's employees and contractors are vulnerable to bribes and blackmail. That's why a trustworthy, competent custodian would establish systems and controls to prevent bribed and blackmailed insiders from mass-exfiltrating information that could get their customers killed.

The fact that other companies manage to be trustworthy, competent custodians while Coinbase doesn't is not the fault of KYC.

replies(1): >>44000426 #
21. outworlder ◴[15 May 25 22:28 UTC] No.44000012[source]
The average American can't deal with a $1000 emergency.
replies(1): >>44011193 #
22. ◴[15 May 25 22:33 UTC] No.44000047[source]
23. koakuma-chan ◴[15 May 25 22:37 UTC] No.44000071{3}[source]
I tried to use Coinbase a few months ago to pay for something, and I couldn't even make a transaction because it was deemed suspicious, and my account got locked or something.
replies(1): >>44003853 #
24. ◴[15 May 25 22:40 UTC] No.44000085[source]
25. quickthrowman ◴[15 May 25 22:42 UTC] No.44000093[source]
Bank transactions are reversible, crypto transactions are not.

Also, people do point guns in people’s faces and force them to pay them via Venmo or Cashapp. Google ‘Venmo robbery’ or ‘cashapp robbery’ for plenty of examples. Pointing a gun in someone’s face for $4M in crypto is a lot more lucrative.

26. bobthepanda ◴[15 May 25 22:45 UTC] No.44000119[source]
It's worked before; Arthur Andersen ceased to exist after the Enron accounting scandal.
replies(1): >>44006296 #
27. beaned ◴[15 May 25 22:48 UTC] No.44000135[source]
They said less than 1% of users were affected.
replies(2): >>44000691 #>>44005013 #
28. ◴[15 May 25 22:55 UTC] No.44000175[source]
29. theossuary ◴[15 May 25 22:55 UTC] No.44000178{4}[source]
Only because of US law. It didn't have to be this way; the US wanted to destroy Bitcoin as a currency because it threatened their surveillance state, and they effectively have.
replies(2): >>44002662 #>>44006483 #
30. iambateman ◴[15 May 25 23:36 UTC] No.44000417[source]
So you’re saying that one year of complementary credit monitoring by Experian isn’t enough??? /s
31. aeternum ◴[15 May 25 23:38 UTC] No.44000426{3}[source]
Fair enough, and it does sound like they had limits given that not all customer data was exfiltrated but those limits were probably far too high at tens of thousands affected.
32. andy_ppp ◴[16 May 25 00:14 UTC] No.44000613[source]
Companies should seriously consider implementing GDPR even in the US, it certainly made taking data dumps of customer data a lot harder and certainly private images like Government IDs were encrypted on disk. I’m surprised at the lack of security if I’m honest, at Yahoo! almost nobody had access to prod user data.

Essentially you cannot trust Coinbase IMO, might move the few hundred dollars of BTC out of there :-)

replies(4): >>44001405 #>>44002445 #>>44004187 #>>44010495 #
33. anon-3988 ◴[16 May 25 00:27 UTC] No.44000691[source]
probably the top 1%.
34. toomim ◴[16 May 25 01:23 UTC] No.44000987[source]
And this crypto CEO in Toronto was kidnapped for a $1M ransom: https://www.cbc.ca/news/canada/toronto/kidnapping-toronto-bu...
replies(1): >>44001253 #
35. gxs ◴[16 May 25 01:43 UTC] No.44001088[source]
And yet, Coinbase goes Scott free

Someone, someone at that company should be going to prison for negligence

replies(2): >>44002452 #>>44003900 #
36. nradov ◴[16 May 25 02:03 UTC] No.44001205[source]
No one is forced to use a "crypto exchange" in the first place.
replies(1): >>44001711 #
37. nradov ◴[16 May 25 02:10 UTC] No.44001234[source]
There is no valid reason why Coinbase or any other financial services company should ever be excepted from AML/KYC laws. If anything the laws ought to be even tighter to slow down financial flows to criminals and sanctioned entities.
38. stonogo ◴[16 May 25 02:14 UTC] No.44001253{3}[source]
The parent post was someone literally hosting a crpyto conference, and this one was someone who runs a crypto company. A sibling story describes the father of a 'cryptocurrency influencer.' Is there any evidence of real crime happening which was targeted at Coinbase leak data, or is this just vibes
replies(1): >>44001441 #
39. MrApathy ◴[16 May 25 02:25 UTC] No.44001296[source]
"They Stole a Quarter-Billion in Crypto and Got Caught Within a Month. How luxury cars, $500,000 bar tabs and a mysterious kidnapping attempt helped investigators unravel the heist of a lifetime." https://www.nytimes.com/2025/04/24/magazine/crybercrime-cryp... (gift article)
40. devman0 ◴[16 May 25 02:44 UTC] No.44001383{4}[source]
Pulling $10k out of the global banking system by physical coercion in a way that isn't reversible and won't get you caught is hard problem, you might as well attempt to rob the bank instead. That's why most of the "successful" criminals in that space use social engineering and scamming where the victim is a unwitting participant rather than kidnapping someone.

With crypto, no bank or other middleman involved, it's like stealing physical cash/gold/diamonds from someone, if you know they have it in their possession, so violence can be a lot more successful at coercing a change of possession.

41. ethbr1 ◴[16 May 25 02:49 UTC] No.44001405[source]
> I'm surprised at the lack of security if I’m honest

This is the crypto industry, who make the discrepancy between Theranos' claims and practice look conservative.

42. suzzer99 ◴[16 May 25 02:57 UTC] No.44001441{4}[source]
Well you start with the low-hanging fruit. Also I imagine these things take a while to plan.
replies(1): >>44004493 #
43. throwaway290 ◴[16 May 25 03:57 UTC] No.44001711{3}[source]
or cryptocurrencies
44. dachris ◴[16 May 25 04:12 UTC] No.44001777[source]
Why is this such an issue with crypto?

Wealth status is often very well known for public figures and entrepreneurs. People are driving around in $200k cars.

Is it due to the liquidity of cryptocurrencies that $5 wrench attacks work better?

replies(3): >>44001997 #>>44003825 #>>44012159 #
45. sanswork ◴[16 May 25 05:05 UTC] No.44001997[source]
It happens with cash sometimes but people are limited to the amount they can get out of an ATM where with crypto you can force someone to hand over all their wealth with a few keystrokes.
46. hulitu ◴[16 May 25 06:46 UTC] No.44002445[source]
> Companies should seriously consider implementing GDPR even in the US

... and save the data in US cloud where everybody can access it.

It is really funny how FAANG can get away with data colkection in spite of GDPR.

replies(1): >>44003168 #
47. hulitu ◴[16 May 25 06:47 UTC] No.44002452[source]
> Someone, someone at that company should be going to prison for negligence

That's not how capitalism works. /s

48. enaaem ◴[16 May 25 07:27 UTC] No.44002662{5}[source]
No entity is obligated to enforce contracts in BTC. The real reason what makes a currency valuable.
49. disgruntledphd2 ◴[16 May 25 08:52 UTC] No.44003168{3}[source]
Yeah this is really frustrating, especially the way the EU commission keep coming up with workarounds that the court will almost certainly strike down.
50. rsynnott ◴[16 May 25 10:52 UTC] No.44003825[source]
If you're kidnapping a generic very rich person, how are you expecting them to pay the ransom, a big burlap sack of cash? There's a lot that can go wrong there. A bank transfer or other conventional financial instrument? Few criminals would be comfortable with that approach. (John Grisham novels, and 'Archer's beloved bearer bonds, aside, it's virtually impossible to make this untraceable). Magic internet money is presumably far less messy.

Also, a decent proportion of crypto-millionaires came by their riches in... not entirely above-board ways (in particular, securities fraud; all those pump and dump scamcoins are paying off for _someone_), and may be reluctant to involve the authorities. And the crypto industry as a whole is unusually comfortable with extortion; hacked crypto companies paying a kind of bounty to hackers to get the rest of the funds back is a common thing.

replies(1): >>44004173 #
51. rsynnott ◴[16 May 25 10:56 UTC] No.44003847[source]
Generally, staff do not have unfettered access to all customer data in most financial companies.
52. rsynnott ◴[16 May 25 10:57 UTC] No.44003853{4}[source]
Someone with a lot of cryptocurrency in Coinbase is also quite likely (at least relative to the average person) to have lots of on-chain cryptocurrency, too, though.
53. mlrtime ◴[16 May 25 11:06 UTC] No.44003900[source]
Can you point to a specific law that was broken where prosecutors have a chance at jail time, or is this a fantasy of yours?
replies(2): >>44004848 #>>44005354 #
54. csomar ◴[16 May 25 11:41 UTC] No.44004173{3}[source]
They can use their bank account to buy crypto and then pay the ransom. Kidnapping is a thing in latin america before crypto became cool.
replies(3): >>44004397 #>>44004408 #>>44004494 #
55. csomar ◴[16 May 25 11:43 UTC] No.44004187[source]
How would GDPR help in this case where the employees were bribed?
replies(1): >>44009440 #
56. rsynnott ◴[16 May 25 12:04 UTC] No.44004397{4}[source]
“Hey, cryptocurrency exchange, I, a random rich person, would like to, having never interacted with you before, buy a million dollars of bitcoin and transfer it out. Today, please.”

That is simply not going to happen.

replies(1): >>44006390 #
57. le-mark ◴[16 May 25 12:05 UTC] No.44004408{4}[source]
Companies do exactly this frequently to get their hacked servers and data decrypted.
58. _Algernon_ ◴[16 May 25 12:10 UTC] No.44004453[source]
How can I check if I am affected by this?
replies(1): >>44005064 #
59. normie3000 ◴[16 May 25 12:15 UTC] No.44004493{5}[source]
The point is, it didn't need a coinbase data breach to identify these victims - they're high profile, public users of crypto.
replies(1): >>44007068 #
60. sillystu04 ◴[16 May 25 12:15 UTC] No.44004494{4}[source]
> They can use their bank account to buy crypto and then pay the ransom.

This is actually more difficult than it sounds. Most banks and crypto exchanges won't allow a person to make meaningfully large crypto transactions without some account history.

61. morcus ◴[16 May 25 12:50 UTC] No.44004848{3}[source]
The comment said "should be" which you glibly interpret as "should be going to jail based on the law" but could very easily be "the law should be such that this kind of negligence results in jail time".
62. Peanuts99 ◴[16 May 25 13:05 UTC] No.44005013[source]
I thought this was 1% of user data, which could include names and addresses of all their members.
63. skybrian ◴[16 May 25 13:10 UTC] No.44005064[source]
If you were affected, you should have gotten an email yesterday.
replies(1): >>44005569 #
64. nkrisc ◴[16 May 25 13:35 UTC] No.44005354{3}[source]
I assume they mean that someone from the company going to prison for this would be a just outcome, not that a path to such an outcome exists today (it likely does not).
65. ne0flex ◴[16 May 25 13:54 UTC] No.44005569{3}[source]
I checked my email to see if I received anything and, interestingly, I received an email from Coinbase on April 14 that they're updating the User Agreement. The new terms only apply to disputes initiated by me or Coinbase after May 15, 2025. Timing seems suspect.
66. toyg ◴[16 May 25 14:58 UTC] No.44006296{3}[source]
They just morphed into Accenture.
replies(1): >>44008954 #
67. reisse ◴[16 May 25 15:06 UTC] No.44006390{5}[source]
Eh, million dollars would not raise a single eyebrow from an exchange side. Your bank, maybe, will have some questions about the transaction, but the things they can do to prevent you spending your money are thankfully fairly limited.
replies(2): >>44007171 #>>44009582 #
68. twosid3dDice ◴[16 May 25 15:15 UTC] No.44006483{5}[source]
Btc whales want to destroy the dollar because it benefits them.

Neither the dollar or crypto are anything but social illusions, neither have an inherent right to exist.

It’s just people manipulating people. Such an intellectually dishonest forum to sit here and discuss meaningless layers of obfuscation.

The most important thing to any individual is enough other humans around their own life isn’t so hard. Specific humans, like those on this forum, are not essential.

You all can bleat on as hard as you want about the existence of crypto but it’s not an evenly distributed belief. And your individual value is non existent to the majority on the planet. No reason to prop up your hallucinations

69. suzzer99 ◴[16 May 25 16:05 UTC] No.44007068{6}[source]
Right. But it's an example of what could be coming for coinbase whales.
70. panarky ◴[16 May 25 16:14 UTC] No.44007171{6}[source]
How long do you think it takes to create an account, get your KYC documents verified, get your trading and withdrawal limits raised to a million or more, transfer funds from your brokerage account, buy tokens and then re-verify when you try to transfer the tokens out of the exchange?

You'd be lucky to complete this in less than a week.

replies(1): >>44010880 #
71. bobbruno ◴[16 May 25 19:23 UTC] No.44008954{4}[source]
Actually the split between Arthur Andersen and Andersen Consulting (which later became Accenture) happened years before the Enron thing.
72. baobun ◴[16 May 25 20:17 UTC] No.44009440{3}[source]
Internal segregation. If inplemented properly perhaps these specic employees wouldnt have access to all that data in the first place.
73. jokethrowaway ◴[16 May 25 20:36 UTC] No.44009582{6}[source]
My experience with banks in UK / EU is that they will bother you for much smaller amounts than 1M. I had banks bother me for 10k transfers and other banks completely ignore me for 100k transfers.
74. Aloisius ◴[16 May 25 22:49 UTC] No.44010495[source]
> How does Coinbase protect data in transit and data at rest?

> Coinbase employs a range of technical and organizational measures to defeat efforts to intercept, surveil, or otherwise access without authorization data in transit. For instance, Coinbase encrypts all confidential data transfers to prevent interception or tampering of that data by unauthorized third parties.

Coinbase does business in the EU and thus, already has to comply with the GDPR. Moreover, the US also requires safeguards for sensitive customer information by financial services companies.

75. toomim ◴[17 May 25 00:01 UTC] No.44010880{7}[source]
It takes about 3 days on kraken. Much less than a week.
76. zamadatix ◴[17 May 25 00:56 UTC] No.44011193{3}[source]
Maybe they wouldn't be able to cover other planned expenses with said loss or something but the median (I intentionally avoid referring to "average" for reasons also mentioned in this article) amount American have access to in their transactional bank accounts is $8,000 according to the Federal Reserve: https://www.fool.com/money/research/average-savings-account-...

Someone else made a great mention though: Coinbase didn't just serve the US. For the vast majority of countries these amounts are more than the yearly disposable income of a typical household. From that angle the numbers in the stories make a bit more sense.

77. cwilkes ◴[17 May 25 05:05 UTC] No.44012159[source]
Scammers attract scammers?