Coinbase stock drops after data breach, extortion attempt

Coinbase, which will soon be the first crypto firm included the S&P 500, saw its stock drop Thursday after its report that an “unknown threat actor” obtained information about the firm’s customers and demanded $20 million in bitcoin to not release the data. 

The centralized exchange rejected the extortion attempt, but Coinbase estimated that it would pay between $180 million and $400 million to customers for the information exploit, according to a filing with the Securities and Exchange Commission. 

Coinbase intends to reimburse victims, such as retail customers who sent funds to malicious actors as a direct result of the breach, and has also put out a $20 million award for information that leads to the arrest and conviction of the malicious actors, a Coinbase blog post published on Thursday stated.

Coinbase CEO Brain Armstrong said the hackers targeted the company’s customer support system. “These attackers have been approaching our overseas customer support agents looking for a weak link, someone who would accept a bribe in exchange for sharing some customer information,” Armstong said in a video he posted on X detailing the incident.

Even though passwords and private keys were not compromised, the affected data includes names, addresses, phone numbers, emails, government ID images, account data, and the last four digits of customer’s social security numbers. The exploiters use this information “to conduct social engineering attacks where they can call our customers, impersonating Coinbase customer support and try to trick them into sending their funds to the attacker,” Armstrong added. 

The Coinbase incident is not the first time malicious hackers targeted the information of a crypto firm’s customers. 

In July 2020, Paris-based hardware wallet provider Ledger suffered a data breach that involved roughly 1 million customer email addresses, per a blog post published by the company. Though Ledger notified the CNIL, the French Data Protection Authority, and partnered with Orange Cyberdefense, a few months later Ledger announced that the compromised information was dumped on Raidforum, an online marketplace for cybercriminals to buy and sell hacked data. 

Omer Goldberg, founder and CEO of risk management firm Chaos Labs, told Sherwood News, “If your information was leaked, act quickly: enable two-factor authentication with a hardware key, not SMS, freeze your credit, and use a password manager for strong, unique passwords.” He continued, “Scrutinize every email for phishing attempts and avoid clicking links.”

The Coinbase breach highlights the risks of centralized exchanges collecting and holding sensitive customer data under the know-your-customer (KYC) and anti-money-laundering (AML) framework. Crypto users submitting personal data to financially regulated counterparties creates a honeypot for malicious hackers, Alex Svanevik, CEO and cofounder of blockchain analytics firm Nansen, told Sherwood. 

“As this incident shows, KYC/AML comes with a huge risk that personal data of innocent people gets compromised… If Coinbase hadn’t been forced via regulations to require personal data and documents from their customers, this would never have happened,” Svanevik said.

For Goldberg, the event helps strengthen the argument for decentralized exchanges where users can trade without revealing personal information. “It’s a valid angle. Centralized systems like Coinbase (and other Web2 institutions) are prime targets, and this hack shows the fallout,” he said.

Sage D. Young is a crypto journalist who’s written for CoinDesk and Unchained.