Coinbase insider hack could cost crypto exchange $400m
Crypto exchange offers refunds for targeted customers after insiders were bribed to hand over details
Coinbase, the Nasdaq-traded crypto exchange, has admitted to a hack linked to employees and contractors based outside the US, bribed by attackers to provide inside information. The attack will cost the organisation up to $400 million following a promise to make good any funds stolen as a result of the attack.
“Cyber criminals bribed and recruited a group of rogue overseas support agents to steal Coinbase customer data to facilitate social engineering attacks,” the company has admitted. “These insiders abused their access to customer support systems to steal the account data for a small subset of customers.”
No passwords, private keys or funds were directly compromised in the attack, but customers affected will be reimbursed by the company, it promised in a statement. “Coinbase will voluntarily reimburse retail customers who mistakenly sent funds to the scammer as a direct result of this incident prior to the date of this post, following a review to confirm the facts.”
The company went on to explain how the attack worked: “Criminals targeted our customer support agents overseas. They used cash offers to convince a small group of insiders to copy data in our customer support tools for less than one per cent of Coinbase monthly transacting users.
“Their aim was to gather a customer list they could contact while pretending to be Coinbase – tricking people into handing over their crypto. They then tried to extort Coinbase for $20 million to cover this up,” the statement continued.
The attackers were able to acquire sufficient information to present a convincing front to the targeted customers. This included names, contact details, ID images, account data and some limited (or “masked”) social security and bank account numbers.
The company sent out emails to affected customers, offering reimbursement, earlier this week. It has implemented extra safeguards on flagged accounts, such as additional ID checks on large withdrawals, opened a support hub in the US with extra security controls, and beefed up insider-threat detection and automated response.
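A minimal version of the kind of insider-threat check described above, written as an added example rather than Coinbase's own code. It assumes a hypothetical JSON-lines audit log from the support tool with the fields ts, agent_id, action and customer_id (the sample log is constructed here), and flags any agent who looks up far more distinct customer records in an hour than their peers do, or who runs a bulk export action.

```python
"""Toy insider-threat detector for customer-support tool access logs.

Added example, not Coinbase's code. It assumes a hypothetical audit log in
which every record lookup by a support agent is written as one JSON line
with the fields ts (ISO 8601), agent_id, action and customer_id.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from statistics import median

# Actions that copy many records at once; any use by a support agent is flagged.
BULK_ACTIONS = {"export_csv", "bulk_lookup"}


def _constructed_log():
    """Build a constructed sample audit log (not real data)."""
    base = datetime(2025, 5, 1, 9, 0, tzinfo=timezone.utc)
    lines = []
    # Three agents resolving tickets: a handful of distinct customers each.
    for i, agent in enumerate(("a-101", "a-102", "a-103")):
        for k in range(6):
            rec = {"ts": (base + timedelta(minutes=5 * k)).isoformat(),
                   "agent_id": agent, "action": "view_customer",
                   "customer_id": f"c-{i * 100 + k}"}
            lines.append(json.dumps(rec))
    # One agent sweeping through 60 distinct records in half an hour,
    # then exporting the results.
    for k in range(60):
        rec = {"ts": (base + timedelta(seconds=30 * k)).isoformat(),
               "agent_id": "a-104", "action": "view_customer",
               "customer_id": f"c-{9000 + k}"}
        lines.append(json.dumps(rec))
    lines.append(json.dumps({"ts": (base + timedelta(minutes=31)).isoformat(),
                             "agent_id": "a-104", "action": "export_csv",
                             "customer_id": None}))
    return "\n".join(lines)


SAMPLE_LOG = _constructed_log()


def detect_suspicious_agents(log_text, ratio=4.0, floor=20):
    """Flag agents whose distinct-customer lookups in any one-hour bucket
    exceed max(floor, ratio * median of their peers' buckets for that hour),
    or who run a bulk action. Returns {agent_id: [reasons]}."""
    seen = defaultdict(set)      # (agent, hour_bucket) -> distinct customer ids
    reasons = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        agent = rec["agent_id"]
        if rec["action"] in BULK_ACTIONS:
            reasons[agent].append(f"bulk action {rec['action']} at {rec['ts']}")
            continue
        hour = datetime.fromisoformat(rec["ts"]).replace(
            minute=0, second=0, microsecond=0)
        seen[(agent, hour)].add(rec["customer_id"])

    for (agent, hour), customers in seen.items():
        # Baseline from other agents' activity in the same hour, excluding self.
        peers = [len(c) for (a, h), c in seen.items() if a != agent and h == hour]
        baseline = median(peers) if peers else 0
        threshold = max(floor, ratio * baseline)
        if len(customers) > threshold:
            reasons[agent].append(
                f"{len(customers)} distinct customers in hour starting "
                f"{hour.isoformat()} (threshold {threshold:g})")
    return dict(reasons)


if __name__ == "__main__":
    for agent, why in detect_suspicious_agents(SAMPLE_LOG).items():
        print(agent, why)
```

The baseline here is taken from the same hour's peers, which is the simplest thing that runs offline; in practice it should come from a historical period, since a small group of colluding agents can otherwise raise each other's baseline. Keying on export and copy actions as well as lookup volume matters for the same reason: the insiders in this case needed data for under one per cent of users, which can be gathered slowly enough to stay under a volume-only threshold.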
And, “instead of paying the $20 million ransom, we’re establishing a $20 million reward fund for information leading to the arrest and conviction of the attackers”, as well as working to trace stolen funds and, of course, working with law enforcement authorities in a bid to track down the attackers and bring criminal charges against them.
The insiders identified were sacked and their details referred to US and international law enforcement.
Coinbase has opted to limit its losses by going public on the attack as soon as possible, calculating that this will minimise the risk of customers whose data was exposed being taken in by social engineering attacks.
It is not yet known who is responsible for the attack, although it is not unknown for attackers to insert themselves into companies or projects to further their aims. Despite the emergence of ever more sophisticated hacking tools, social engineering – in which hackers effectively act as confidence tricksters – remains a potent attack vector.