The highly organized breach last week of the cryptocurrency exchange Coinbase (COIN) has left more questions than answers.
While some praised Coinbase's response as a "very good example" of crisis handling, the breach has now created a potentially massive privacy problem that echoes the 2021 Ledger data breach, which led to a wave of physical thefts because criminals were able to obtain the names and home addresses of crypto holders. Coinbase has already admitted that its customers may have lost almost half a billion US dollars because of the breach.
Cybercriminals obtained Coinbase user data by bribing and persuading Coinbase employees to hand it over, but the breach was entirely avoidable, according to several experts who spoke to CoinDesk.
"A stricter security system would have made the data theft technically impossible, but Coinbase clearly did not prioritize these measures, leaving the door wide open," Andy Zhou, co-founder of blockchain security firm BlockSec, told CoinDesk.
Allowing criminals to access personal data, whether through hacking or, as in this case, social engineering, is a serious black mark for an exchange that handles billions of dollars in volume every day. The breach has created a myriad of problems, including for privacy and user trust. How could Coinbase, a publicly listed company, let attackers steal personal information and money through the front door? And could it have been prevented?
Heather Dale, CEO of Hackett Communications, praised Coinbase's response as a "masterclass in communication", but Coinbase's method of fixing the problem was simple: throw as much money at it as possible.
The exchange offered a $20 million reward for anyone providing information that leads to the arrest or conviction of the attackers. It also committed to voluntarily reimbursing affected users, at an estimated cost of between $180 million and $400 million.
What happened?
Before analyzing the merits of the response, it is important to understand how the breach occurred at a publicly listed company that spends millions of dollars per month on security infrastructure.
In February, on-chain sleuth ZachXBT reported a rise in thefts involving Coinbase users. He said it was "the result of aggressive risk models" and that users were losing "[million] per year to social engineering scams."
The fear that cybercriminals were stealing hundreds of millions of dollars became a reality last week when Coinbase published a blog post revealing that account balances, government ID images, phone numbers, addresses and masked bank account details had been stolen.
Unlike other hacks and breaches, which involve attackers exploiting a flawed back end, these attackers came in through the front door: they dealt directly with Coinbase employees and bought access to the information with bribes. Coinbase said it fired all of the employees responsible on the spot, although the blog post did not disclose how it identified them.
The problem, however, is not limited to crypto. In 2022, digital bank Revolut confirmed that the data of 50,000 customers had been stolen, and the trading platform Robinhood had up to 5 million customer email addresses leaked in a breach of its own. The latter was fined $45 million by the SEC after the breach, once it emerged that some customers had their accounts drained by the attackers.
The BBC reported in October that one Revolut user had lost £165,000 ($220,000) following a data breach, and that the neobank's fraud detection system had blocked £475 million in fraudulent transactions in 2023.
Coinbase competitors Binance and Kraken said they had fended off similar social engineering attacks in recent weeks.
Coinbase CEO Brian Armstrong also posted a video on X last week saying he had received a "ransom note" demanding $20 million in bitcoin in exchange for the attackers not publishing certain information they claimed to have obtained on Coinbase customers.
ZachXBT added on Thursday that the attackers had begun obscuring the stolen funds by swapping BTC for ETH on THORChain, a venue often used by the notorious North Korean group Lazarus.
"Major wake-up call"
Andy Zhou, co-founder of blockchain security firm BlockSec, told CoinDesk that Coinbase should have carried out "stricter background checks on employees handling sensitive data" and set up "alarms for strange activity", such as someone suddenly downloading thousands of customer profiles.
Zhou added that Coinbase should have implemented several technical controls. These include strict role-based access, meaning employees see only the data they need, and privacy tools that let staff do their work without exposing raw details (for example, blurring ID photos).
Nick Tausek, lead security automation architect at Swimlane, told CoinDesk that the breach should be a "major wake-up call" for robust insider threat detection.
"As exchanges scale and outsource operations across time zones, insider threat detection and access governance cannot be an afterthought."
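The two controls the experts above describe, role-based field access and alerting on bulk profile reads, as an added example in Python. This is not Coinbase's or CoinDesk's code; the roles, field names, thresholds and the audit log are all constructed for the illustration. It goes one step beyond the quotes by scoring each employee against their peers with a median-based baseline, because a single bulk downloader inflates an ordinary standard deviation enough to hide in it.

```python
"""Added example, not Coinbase's or CoinDesk's code: a sketch of the two
controls described above.

1. Role-based access: an employee sees only the profile fields the role
   needs, and raw government-ID images are never returned unredacted.
2. Bulk-access alerting: count customer-profile reads per employee in a
   sliding window and flag anyone exceeding a hard cap or sitting far
   above their peers.

Roles, field names, thresholds and the audit log are all constructed for
this example."""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import statistics

# Hypothetical role -> fields that role may see.
ROLE_FIELDS = {
    "support_agent": {"customer_id", "name", "email_masked", "last_login"},
    "compliance_analyst": {"customer_id", "name", "email_masked", "address",
                           "gov_id_image", "bank_last4"},
}
# Fields that are only ever served as a placeholder, whatever the role.
REDACT_ALWAYS = {"gov_id_image"}


def view_profile(role, profile):
    """Return the subset of `profile` the role may see, with always-redacted
    fields replaced by a placeholder. Unknown roles get nothing."""
    allowed = ROLE_FIELDS.get(role)
    if allowed is None:
        raise PermissionError(f"unknown role {role!r}")
    return {k: ("<redacted>" if k in REDACT_ALWAYS else v)
            for k, v in profile.items() if k in allowed}


def make_log():
    """Constructed audit log: one 'timestamp employee action customer_id'
    line per event. Three agents work at a normal pace (one lookup every
    20 minutes); one account pulls 40 profiles in under five minutes."""
    base = datetime(2024, 12, 1, 9, 0, 0)
    lines = []
    for emp, n in (("alice", 6), ("bob", 5), ("carol", 7)):
        for i in range(n):
            ts = base + timedelta(minutes=20 * i)
            lines.append(f"{ts.isoformat()} {emp} profile_read {1000 + i}")
    for i in range(40):
        ts = base + timedelta(hours=1, seconds=7 * i)
        lines.append(f"{ts.isoformat()} mallory profile_read {2000 + i}")
    lines.append(f"{(base + timedelta(hours=2)).isoformat()} alice ticket_close 1001")
    return "\n".join(lines)


def parse_log(text):
    """Yield (timestamp, employee, action, customer_id) tuples."""
    for line in text.splitlines():
        ts, emp, action, cid = line.split()
        yield datetime.fromisoformat(ts), emp, action, cid


def bulk_read_alerts(events, window=timedelta(minutes=10), max_reads=5):
    """Hard cap: flag any employee with more than `max_reads` profile reads
    inside any `window`. Returns {employee: peak reads in one window}."""
    recent = defaultdict(deque)
    alerts = {}
    for ts, emp, action, _ in sorted(events):
        if action != "profile_read":
            continue
        q = recent[emp]
        q.append(ts)
        while ts - q[0] > window:  # drop reads that fell out of the window
            q.popleft()
        if len(q) > max_reads:
            alerts[emp] = max(alerts.get(emp, 0), len(q))
    return alerts


def peer_outliers(events, threshold=3.0):
    """Peer baseline: total reads per employee scored against the median and
    median absolute deviation (MAD). With four employees and one bulk
    downloader, a standard-deviation z-score for the downloader is only
    about 1.7, while the MAD score is above 20. Returns {employee: score}
    for scores above `threshold`."""
    totals = defaultdict(int)
    for _, emp, action, _ in events:
        if action == "profile_read":
            totals[emp] += 1
    counts = list(totals.values())
    if len(counts) < 3:
        return {}
    med = statistics.median(counts)
    mad = statistics.median(abs(c - med) for c in counts)
    if mad == 0:
        return {}
    scale = 1.4826 * mad  # makes MAD comparable to a standard deviation
    return {e: round((c - med) / scale, 1)
            for e, c in totals.items() if (c - med) / scale > threshold}


if __name__ == "__main__":
    events = list(parse_log(make_log()))
    print("hard-cap alerts:", bulk_read_alerts(events))   # {'mallory': 40}
    print("peer outliers:  ", peer_outliers(events))      # {'mallory': 22.6}
```

In practice the hard cap and the peer baseline complement each other: the cap catches a burst within minutes, while the baseline catches a slow drip spread over a shift that never trips the cap. Both only work if the profile-read event is logged server-side for every lookup, including those made through internal tools and contractor portals.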
Not everyone, however, is piling on Coinbase.
Michal Pospieszalski, CEO of MatterFi, said "this is not a Coinbase problem, it is a systemic vulnerability that has plagued crypto since day one."
He argued that the intermediary-free nature of sending crypto means every platform is one misstep away from disaster.
Hackers need only engineer a situation that persuades users to send their funds in an irreversible transaction. In the Coinbase case, the attackers obtained personally identifiable information from rogue employees.
The root problem, according to Pospieszalski, is that users do not know whether they are sending funds to the right recipient. Crypto, he added, runs on a "trust me, bro" model of identity verification, and that is not sustainable.
What happens next?
Coinbase said it will voluntarily reimburse customers who lost funds in the breach and will continue working with law enforcement to catch those responsible. For users, though, the road ahead is darker.
The exchange said in a regulatory filing on Wednesday that the breach affected 69,461 customers. The filing also noted that the breach began in December 2024 and was only discovered by Coinbase on May 15.
Those details are now out on the internet and may even be for sale on the dark web and in shady Telegram groups. After the Ledger breach, customer details were published on RaidForums, a criminal data-sharing forum, which led to a surge in phishing attempts.
Unfortunately, Coinbase can do nothing to stop the leaked information being shared, leaving affected users to put as many safeguards in place as they can. These include moving funds to new wallets, changing deposit addresses on exchanges and even changing home addresses to avoid the risk of physical attack. Users whose Social Security numbers were leaked should also freeze their credit to prevent identity theft.
That may sound heavy-handed, but as we saw earlier this year with the attempted kidnapping of Ledger co-founder David Balland (and of several other people in recent weeks), criminals will not stop until they have extracted the maximum amount of funds, even if it means brutal acts of violence.
This also raises a potential legal question: if a Coinbase customer were robbed or attacked as a result of the data breach, would Coinbase be liable? Ledger did not escape a proposed class action earlier this year, with plaintiffs alleging that Ledger had violated its privacy policy and should have put measures in place to prevent the breach.
Crypto researcher Molly White also pointed out that Coinbase changed its user agreement in April, adding two clauses limiting class actions and requiring that lawsuits be filed in New York, with the changes taking effect on May 15, the same day the breach was announced.
Coinbase responded to CoinDesk about White's claims, saying the exchange had "notified customers well in advance" of the user agreement change and that it had had a class action waiver in place for "years".
Coinbase, however, did not respond to questions about whether the breach was avoidable or how it will protect customers who could be at risk of physical attack in the future.
Read more: Market Reaction to Coinbase Hack "Overblown", Analysts Say Amid SEC Probe