Coinbase's (NASDAQ: COIN) refusal to pay a $20 million bitcoin ransom has laid bare systemic vulnerabilities

May 16, 2025 at 12:10 am

Coinbase's (NASDAQ: COIN) refusal to pay a $20 million bitcoin ransom has laid bare systemic vulnerabilities in its reliance on overseas contractors

Coinbase (NASDAQ: COIN) encountered a sophisticated cybercrime operation in which criminals bribed customer support agents to provide sensitive data on 6,000 users, part of a broader years-long pattern of social engineering scams that have drained hundreds of millions of dollars from the exchange’s customers, multiple sources told Protos.

The criminals then used the stolen government IDs, Social Security numbers, and bank details to carry out phishing scams on users, aiming to steal their crypto. Less than 1% of Coinbase’s monthly users were affected by the breach, which began in early 2022.

After discovering the breach, and the potential private key theft, Coinbase was subject to a $20 million extortion attempt to cover up the incident, according to internal communications seen by Protos. But despite the size of the sum, and the potential legal and reputational fallout, Coinbase refused to pay.

Instead, Coinbase offered a $20 million bounty for information leading to arrests, a symbolic gesture that did little to quell investor unease, with COIN shares slipping 5% in premarket trading on Monday.

Coinbase also disclosed potential costs of $180 million to $400 million for reimbursing scammed customers and covering legal expenses, part of a broader $300 million to $400 million range of costs related to the incident, according to a company spokesperson.

Coinbase said the incident never involved exposure of private keys, login credentials, account or wallet access, or any means for the criminals to move customer funds themselves.

However, this incident is not an outlier but a symptom of Coinbase’s chronic security gaps and its reliance on overseas contractors for cost-cutting.

According to blockchain investigator ZachXBT, who has been tracking the scams since last year, Coinbase is losing around $300 million annually to social engineering scams, far more than rivals like Binance and Kraken.

In May alone, ZachXBT documented how $45 million was stolen through fraudulent recovery services impersonating Coinbase support, an enterprise-level scam that was enabled by lax third-party vetting.

Coinbase did not respond to a request for comment.

According to internal documents and conversations with former employees, who spoke on condition of anonymity due to nondisclosure agreements, the bribery began with a small number of customer support agents at an offshore contractor, exploiting minimal training and supervision.

“These support teams are often outsourced to India and the Philippines, where the focus is on handling high volumes of tickets quickly and efficiently, and the level of training and supervision can be minimal,” said a former compliance officer at a major crypto firm, who asked not to be named.

“In such a setting, it’s easier for bad actors to slip through the cracks and exploit any vulnerabilities they find.”

Beginning with low-level employees accepting bribes as small as a few thousand dollars, the criminals gradually gained access to more sensitive data and higher-level employees.

Finally, they reached a department head, who had access to a database with details on 6,000 users, part of less than 1% of Coinbase’s monthly users at the time.

To extort the exchange, the criminals planned to use the stolen data to create highly convincing phishing scams, impersonating Coinbase and aiming to steal remaining user funds.

After learning of the breach, Coinbase cooperated fully with authorities to conduct an investigation and identify the individuals involved in the scam.

The investigation, which is still ongoing, has led to the arrest of several individuals in different countries.

Coinbase is also continuing to notify affected users and offer them support.

In a statement, a Coinbase spokesperson said: “We have zero tolerance for any unlawful activity and are actively cooperating with authorities to pursue the harshest penalties possible against those involved in this incident.”

The spokesperson added that Coinbase is committed to maintaining the security of its platform and protecting the assets of its users.

“We take this responsibility very seriously and are constantly investing in new technologies and procedures to stay ahead of evolving threats,” the spokesperson said.

Coinbase’s growth-at-all-costs model, evident in its rapid expansion into new markets and services, has been a key focus for investors.

However, some critics argue that this focus on growth has come at the expense of security, as the company struggled to keep pace with the increasing sophistication of cybercriminals.

“Coinbase is a big target for scammers, and they’ve been hit hard by a variety of scams over the years,” said Taylor Monahan, a security researcher who has written extensively on crypto scams.

“The company has certainly been working to improve its security, but it’s an ongoing battle.”

Monahan said that the average weekend takeover of a crypto exchange now yields around $50 million in stolen user funds, showcasing the large-scale nature of the scams.

She also slammed Coinbase’s new in-wallet messaging feature as a “direct, encrypted line for scammers
