
Coinbase confirms insiders handed over data of 70K users

(2025/05/21)


Coinbase says the data of nearly 70,000 customers was handed over by overseas support staff who were bribed by criminals to give up the goods.

The crypto giant confirmed 69,461 users would be receiving direct communications from the company about the attack in a notification filed with Maine's Attorney General on Tuesday.

According to the [1]filing, the breach took place on December 26, 2024, but wasn't discovered until May 11.


Coinbase publicly acknowledged the attack via a [3]Form 8-K filing with the Securities and Exchange Commission (SEC) on May 15, adding that the crooks behind it tried extorting the company for $20 million.


Much of the information included in the sample letter to affected individuals restated info given in the earlier SEC filing, including the data types potentially stolen.

To recap, these were:

Names

Addresses

Phone numbers

Email addresses

Last four digits of Social Security Numbers

Masked bank account numbers and some bank account identifiers

Images tied to government IDs such as passports and driving licenses

Coinbase account data including balance snapshots and transaction histories

"Limited corporate data," including documents, training material, and communications available to support agents

"This information did not include your password, seed phrase, private keys, or any other information that would allow someone to directly access your account or your funds, and Coinbase Prime was untouched," the letter read.

Overseas support staff involved in facilitating the data theft had all been fired, Coinbase confirmed. It is not known how much they were paid.


Coinbase has also not yet specified which country the support staff worked from, although active job boards show some support roles for the massive US cryptocurrency exchange are based in the UK, Ireland, India, the Philippines, and Japan.

The expected cost of remediating the attack stands between $180 million and $400 million, Coinbase said in its SEC filing, although the full extent of the damage is still being investigated.

CEO Brian Armstrong released a video to social media apologizing to customers for the impact on them and promised to pursue all avenues available to the company to bring those responsible to justice.


This included setting up a $20 million bounty for information that could lead to the attackers' arrest and conviction.


Coinbase said it would be "making customers whole" as it is aware that some customers were successfully socially engineered by the attackers using the data stolen via the support staff.

To that end, customers who haven't yet been targeted were advised to remain vigilant against further criminal activity and targeting, and to strengthen the security of their accounts.

Coinbase also encouraged protections such as strong 2FA (hardware keys are the preferred choice here) and Withdrawal Allow Listing, a setting that allows withdrawals only from wallets explicitly trusted by the user.

Affected customers were offered one year of identity protection and credit monitoring services through IDX, which is standard practice following such events. Instructions on how to claim this are included in the letters Coinbase sent to users. ®

[1] https://www.maine.gov/agviewer/content/ag/985235c7-cb95-4be2-8792-a1252b4f8318/f61fae18-f669-499e-9a87-f4d323d281f8.html

[3] https://www.sec.gov/ix?doc=/Archives/edgar/data/0001679788/000167978825000094/coin-20250514.htm



crypto bros

Omnipresent

...and I'll do it again uhuhuhuhuh...

Beyond stupid

Anonymous Coward

"Images tied to government IDs such as passports and driving licenses"

There should be laws preventing companies from storing such biometric data for longer than is necessary to confirm a customer's identity.

Re: Beyond stupid

Claptrap314

There should be, but if you've started a remote job in the last five years, you would know that the US Government REQUIRES you to upload these same documents. Same thing if you try to file your taxes directly with the IRS.

Re: Beyond stupid

IGotOut

biometric data for longer than is necessary to confirm a "customer's identity."

Which can be several years in many cases.

direct communications

captain veg

> The crypto giant confirmed 69,461 users would be receiving direct communications from the company

Right.

I get many "direct communications" from, among others, spammers, scammers and generally opportunistic criminals. Which I ignore. Fortunately I'm not hanging on for some word from a "coin" merchant.

-A.

I would be very worried if I was on that list and held a lot of crypto

DS999

You might get people breaking into your house threatening to kill you unless you transfer your crypto to them. If you no longer have as much (because you sold some or whatever) good luck getting them to believe you!
