←back to thread

Coinbase says hackers bribed staff to steal customer data, demanding $20M ransom

(www.cnbc.com)
410 points gpi | 3 comments | 15 May 25 15:52 UTC | HN request time: 0.961s | source
Show context
mafriese ◴[16 May 25 08:30 UTC] No.44003034[source]
> The threat actor appears to have obtained this information by paying multiple contractors or employees working in support roles outside the United States to collect information from internal Coinbase systems to which they had access in order to perform their job responsibilities

Based on the information present in the breach, I think it's likely that the source was their customer support in the Philippines. Monthly salary is usually < 1000$/month (entry-level probably even less than 500$) and a 5000$ bribe could be more than a year worth of money, tax-free. Considering the money you can make with that dataset now, this is just a small investment.

> •Name, address, phone, and email; •Masked Social Security (last 4 digits only); •Masked bank-account numbers and some bank account identifiers; •Government‑ID images (e.g., driver’s license, passport); •Account data (balance snapshots and transaction history); and •Limited corporate data (including documents, training material, and communications available to support agents).

This is every threat actor's dream. Even if you only had email addresses and account balances, this is a nightmare. Instead of blackmailing the company, you can now blackmail each individual user. "Send me 50% of your BTC and I won't publish all of your information on the internet". My guess is that we will have a similar situation like we had with the Vastaamo data breach...

https://en.wikipedia.org/wiki/Vastaamo_data_breach

replies(4): >>44003213 #>>44003459 #>>44003599 #>>44013854 #
lm28469 ◴[16 May 25 08:59 UTC] No.44003213[source]
> •Name, address, phone, and email;\

> blackmail each individual user

Blackmail would be the least of my worries, in France we had at least five kidnappings/attempted kidnappings related to crypto investors since the beginning of the year.

replies(3): >>44003282 #>>44003329 #>>44003382 #
stringsandchars ◴[16 May 25 09:29 UTC] No.44003382[source]
This may seem callous, but isn't a large point of crypto that you are 'free' from the shackles imposed by the State?

And I guess that includes protection from criminals by the oppressive forces of the State (aka the police). In which case being kidnapped and having your fingers sent to your family is an integral part of your 'freedom'.

replies(8): >>44003398 #>>44003450 #>>44003666 #>>44003691 #>>44003772 #>>44003902 #>>44004223 #>>44005823 #
lm28469 ◴[16 May 25 09:32 UTC] No.44003398[source]
The state takes a flat 30% tax on capital gains regardless of the source, I'd say they paid their fair share
replies(2): >>44003521 #>>44003914 #
maeln ◴[16 May 25 09:55 UTC] No.44003521[source]
Depends on if they cashed out and how they did it. There was a big trend for a while to go live in Portugal for a while, enough to be considered a tax resident there, and then cash out there because (at the time, idk if it's still true), they had no (or little) tax on crypto cash out.
replies(1): >>44004066 #
1. orwin ◴[16 May 25 11:29 UTC] No.44004066[source]
Yeah, I know two French people who did it (one of them avoided UK taxes as he was paid in crypto while working in the UK, the other it's muddier). I know three people in the space, and only those two were on the financial side, so to me, while Blockchain is still a legit tech, anybody using cryptocurrency I peg as a tax evader.
replies(1): >>44004272 #
2. csomar ◴[16 May 25 11:52 UTC] No.44004272[source]
Good thing we have courts, lawyers and judges for that. It’s funny everyone here hates on Trump but as soon as something align with their view, they want a defacto no due process application.
replies(1): >>44008259 #
3. orwin ◴[16 May 25 18:06 UTC] No.44008259[source]
Sorry if i implied anything, i must have missed part of the conversation, i was just confirming that did happen (taking the portugese residency to avoid crypto tax) a few years ago. In my opinion, police should protect even violent criminals from violence when possible, so of course i'm not advocating for anything to happen on tax "avoiders", and they should be protected. I was just stating that i know people in the crypto space, and if you are, i immediately peg you as a small-time sociopath from my past experience.

Also i don't care about them getting judged for tax evasion, i know they won't be and honestly, good for them. I also don't care for nonviolent thieves and think the same thing about them. Profiteering was not how i was raised, but i understand different people have different standards (and parents, luckily mine are great, it's not the case for everybody). People do what they need to do, i found some comportment sociopathic, but as long as it is nonviolent, i'm not mad.