Coinbase says bribed workers leaked data to hacker

A smart phone showing Coinbase's website.
Bloomberg

Coinbase Global said hackers bribed contractors or employees outside the U.S. to steal sensitive customer data and then demanded a $20 million ransom. The cyber attack was one of the most high-profile security breaches of a crypto trading platform.

The largest U.S. crypto exchange said it won't pay the ransom and estimated the incident could cost the San Francisco-based firm up to $400 million to remedy.

Criminals had offered cash to Coinbase customer support agents to copy customer data like names, addresses, account data and government ID images, the exchange said in a statement on Thursday. The attackers planned to use this data to pretend to be Coinbase and persuade users to hand over their crypto, while demanding ransom from the exchange to cover it up.

Less than 1% of the exchange's monthly transacting users were affected, Coinbase said.

In addition to ramping up security controls for those affected, Coinbase said it would reimburse in full anyone who lost money. The exchange also said it is offering a $20 million bounty to anyone with information leading to the attackers' arrest and conviction. 

The incident comes as Coinbase is set to join the S&P 500 index next week. Inclusion in the benchmark is becoming more important for companies in a world dominated by passive investment funds, wrapping Coinbase's stock into numerous trackers following the index. Coinbase shares slipped more than 3% in pre-market trading on Thursday.

Based on the information currently available, Coinbase said preliminary estimates suggested it would face between $180 million and $400 million in "remediation costs and voluntary customer reimbursements" relating to the incident, according to a regulatory filing also released Thursday. A further review of potential losses, indemnification claims and potential recoveries could meaningfully increase or decrease this estimate, the company said.

Coinbase's hackers deployed what's called a social engineering attack — where criminals use people to gain unauthorized access to data, rather than exploiting flaws in computer code. This type of threat has become popular in crypto, resulting in recent major incidents like the $1.5 billion hack of crypto exchange Bybit in February. In that crime, the hackers tricked Bybit employees, including CEO Ben Zhou, into approving a series of fraudulent transactions.

On May 11, an unknown attacker emailed Coinbase to say it had obtained customer information and some internal Coinbase documentation, the exchange said in the filing. The attacker demanded $20 million in Bitcoin in exchange for not going public with the stolen data, Coinbase Chief Executive Officer Brian Armstrong added, speaking in a video posted on social media.

In the months leading up to that email, Coinbase had already detected instances of customer support agents collecting information about internal Coinbase systems without needing it for their job. Upon discovery, those workers were terminated, and Coinbase said it warned customers who may have been affected. When the May 11 email appeared, Coinbase determined these workers had been part of a single campaign orchestrated by the hacker to steal that data. 

"These attackers have been approaching our overseas customer support agents, looking for a weak link, someone who would accept a bribe in exchange for sharing some customer information with them," Armstrong said in the video. "Unfortunately, they were able to find a few bad apples."

Coinbase said earlier this year that it has been collaborating with U.S. law enforcement to ensure online financial safety. Coinbase's global intelligence team processes upward of 5,000 law enforcement requests each year, the company said.

Data breaches and cybersecurity remain problems for financial institutions. Aspire USA, which provides software services to money service businesses, reported a recent breach that exposed the personal information of more than 161,000 individuals.

Aspire and its parent companies, Valsoft and AllTrust, could not determine which specific files the threat actor stole, according to the disclosure. The companies also did not disclose how exactly the threat actor gained access to Aspire's system.

Bloomberg News