Accusations that Coinbase, the cryptocurrency exchange whose customer information was stolen, received a complaint about the damage before the breach was announced but barely took notice

In May 2025, cryptocurrency exchange Coinbase reported that its systems had been breached and customer data, including government-issued identification documents, had been stolen. One person alleges that, four months before the announcement, they were the victim of fraud believed to be related to Coinbase and reported it to Coinbase, but that their report was largely ignored.
Coinbase Data Breach Timeline Doesn't Add Up: I Have Recordings & Emails Proving Attacks Started Months Before Their 'Discovery' - Jonathan Clark
coin-20250514
https://www.sec.gov/Archives/edgar/data/1679788/000167978825000094/coin-20250514.htm
On May 11, 2025, Coinbase received an email whose sender claimed to have obtained information about certain customers and internal Coinbase documents. The sender demanded a ransom of $20 million in exchange for not disclosing the information.
According to Coinbase, the attackers had paid off several support employees to obtain inside information. Coinbase had been checking for evidence of employees accessing data not necessary for business purposes for several months prior to receiving the emails, and had issued warnings to relevant customers.
Based on this email, Coinbase stated that it believes the past attacks were part of a larger series of cyberattacks, and that it will report the attacks and cooperate with law enforcement in investigating them.
The stolen data included images of identification documents including driver's licenses, names, addresses, phone numbers, email addresses, the last four digits of Social Security numbers, and account data such as balances and transaction histories. Coinbase stated that it would not pay the $20 million ransom and would provide separate compensation to affected customers. The company also stated that it had immediately fired the employee who leaked the information and that it plans to file criminal charges in the future.
Major cryptocurrency exchange Coinbase refuses to pay ransom of approximately 2.9 billion yen despite customer data being stolen, with damages estimated to reach more than 60 billion yen - GIGAZINE

Regarding the Coinbase data breach, software engineer Jonathan Clark reported that he had been phished four months before the announcement.
According to Clark, on January 7, 2025, he received an email from Coinbase stating, 'We have initiated a withdrawal. A representative will contact you before completing the process.' A few minutes later, he received a phone call from someone claiming to be a 'Coinbase fraud prevention representative,' who told him, 'A large transfer has been initiated from your account, so we are calling to confirm.'
Not only did the caller know Clark's personal information, but they also knew his account balance down to the decimal point. At first glance, the caller seemed like a genuine customer support representative, but Clark was suspicious and asked a few questions.

First, when Clark asked the caller to prove he was from Coinbase, the caller recited Clark's personal information. However, this alone is not trustworthy, as it could be stolen information. Next, when Clark asked the caller to send an email from a verified email address, the caller replied that verified emails could not be sent.
According to Clark, the initial email was from the legitimate domain '@coinbase.com,' but was sent via Amazon Simple Email Service (SES) rather than Coinbase's own mail servers, meaning the attacker may have forged the sender's address.
Additionally, when Clark asked if he could call back, he was told, 'I work in the fraud department, so I can't contact you directly.' When Clark called back after the call ended, he was simply connected to Google Voice, a free phone service. This was also suspicious, as a legitimate financial institution would have a proper phone number.

Convinced by these findings, Clark reported the details, including emails and phone recordings, to Coinbase that same day. Coinbase's head of trust and security responded the same day, saying they were currently investigating the matter.
However, when Clark contacted Coinbase about a week later to ask how the attackers knew his account balance, he received no reply. He continued to press for a response over the next few days, but was completely ignored. Four months after Clark's report, Coinbase officially disclosed the data breach.

Clark criticized Coinbase's response, saying, 'If they had seriously investigated the matter from the beginning, based on my information, they may have discovered the threat sooner. Questions arise: When did the actual data breach occur? How many other victims reported similar attacks between January and May? Were those reports properly investigated? Would the data breach have remained undisclosed if the attackers had not demanded a ransom?'
Clark also advised, 'If any platform has suffered a data breach, it's possible that users' personal information is already in the hands of attackers. Even if someone claims to have your data, don't trust them. If you receive a phone call, be sure to hang up and call back using a number obtained from the company's official website. If you receive an email, check the 'headers' to confirm the sending server and authentication results. If you're unsure, ask ChatGPT or Claude whether there are any warning signs that an email might be phishing. You can't undo a data breach, but you can reduce the chances of falling victim to a scam later.'
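The header check described above (sending server and authentication results), and the mismatch Clark noticed between the From domain and the relaying service, as an added example that is not from Clark's post or from Coinbase. The sample message, `exchange.example`, `mx.recipient.example` and the two-label `org_domain` shortcut are assumptions made for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample, not a real message: hostnames and the IP are made up.
SAMPLE = """\
Received: from a1-23.smtp-out.amazonses.com (a1-23.smtp-out.amazonses.com [192.0.2.10])
\tby mx.recipient.example with ESMTPS; Tue, 07 Jan 2025 10:00:00 -0800
Authentication-Results: mx.recipient.example;
\tspf=pass smtp.mailfrom=amazonses.com;
\tdkim=pass header.d=amazonses.com;
\tdmarc=fail header.from=exchange.example
Authentication-Results: mail.sender.example; dmarc=pass header.from=exchange.example
From: Exchange Support <no-reply@exchange.example>
Subject: Withdrawal initiated
"""

def org_domain(host):
    # Assumption: last two labels; real DMARC alignment uses the Public Suffix List.
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def auth_results(msg, authserv_id):
    """Results stamped by our own receiving server; other copies may be forged."""
    out = {}
    for hdr in msg.get_all("Authentication-Results", []):
        if hdr.split(";")[0].strip().lower() != authserv_id:
            continue
        for m in re.finditer(r"\b(spf|dkim|dmarc)=(\w+)([^;]*)", hdr):
            ident = re.search(r"(?:smtp\.mailfrom|header\.d|header\.from)=([^\s;]+)", m.group(3))
            out[m.group(1)] = (m.group(2).lower(), ident.group(1).lower() if ident else "")
    return out

def review(raw, authserv_id):
    msg = message_from_string(raw)
    from_dom = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    res, findings = auth_results(msg, authserv_id), []
    for method in ("spf", "dkim"):
        result, ident = res.get(method, ("none", ""))
        if result != "pass":
            findings.append(f"{method} {result}")
        elif org_domain(ident.rpartition("@")[2]) != org_domain(from_dom):
            findings.append(f"{method} passed for {ident}, not for {from_dom}")
    if res.get("dmarc", ("none", ""))[0] != "pass":
        findings.append("dmarc did not pass")
    # The topmost Received header is written by the recipient's own server.
    hop = re.search(r"from\s+(\S+)", (msg.get_all("Received") or [""])[0])
    if hop and org_domain(hop.group(1)) != org_domain(from_dom):
        findings.append(f"relayed by {hop.group(1)}, outside {from_dom}")
    return findings
```

A third-party relay on its own is common for legitimate bulk mail, so weigh the alignment and DMARC findings more heavily than the relay finding.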
in Note, Posted by log1p_kr







