39 comments

[ 4.1 ms ] story [ 49.1 ms ] thread
In January 2025, I was targeted by scammers who knew my exact Bitcoin balance, SSN, DL, and other private Coinbase account details. I immediately reported this to Coinbase's Head of Trust & Safety with recordings and technical evidence. Despite repeated follow-ups asking how attackers had my data, Coinbase went silent for 4 months. They only disclosed the breach in May after attackers demanded $20M ransom. The breach involved overseas contractors at TaskUs being bribed for customer data. This article documents the timeline with emails, recordings, and evidence showing Coinbase was aware of the breach months before their official "discovery" date.
Thanks for sharing it, however I have an unrelated comment.

Maybe I am in minority here but just wanted to provide this feedback: The background animation of the blog page is really distracting and making it difficult to focus on the actual content.

Isn't there a new law from the Biden era that forces a company disclose breaches to their customers and the SEC within a few weeks ?

If so and if the US had a sane administration maybe, this would be acted upon, but these days, anything goes as long as you 'donate' to the ballroom.

Wild tale, but very annoying that he wrote it with an AI. It's horribly jarring to read.
The page background slowly fades in and out with a blue color. At first I thought my eyes were playing tricks on me.
Here's a Reuters report from June 2, which includes a link to a May 14 SEC filing:

> Cryptocurrency exchange Coinbase knew as far back as January about a customer data leak at an outsourcing company connected to a larger breach estimated to cost up to $400 million, six people familiar with the matter told Reuters.

https://www.reuters.com/sustainability/boards-policy-regulat...

> On May 11, 2025, Coinbase, Inc., a subsidiary of Coinbase Global, Inc. (“Coinbase” or the “Company”), received an email communication from an unknown threat actor claiming to have obtained information about certain Coinbase customer accounts, as well as internal Coinbase documentation, including materials relating to customer-service and account-management systems.

https://www.sec.gov/Archives/edgar/data/1679788/000167978825...

Once did some programming/networking work for a company that did the networking of a office sharing building that Coinbase was running out of. Early in my work there I noticed that the company had its admin passwords written on a whiteboard -- visible from the hallway because they had glass for walls. So I sent them an email to ask that they remove it (I billed them for it).

Their fix was to put a piece of paper over the passwords.

What a time.

That is a great ancedote.

Not saying it is untrue, but it is definitely true that Coinbase has never lost customer funds while operating in an environment with 0 safety nets and being one of the most lucrative targets.

This leak over customer data suggests that they should treat that with as much obsession as they do with their private keys.

I very much doubt the veracity of this claim. I worked at Coinbase for many years and this runs completely afoul of the culture there.

Even leaving your laptop unlocked for seconds in the office would have someone /pwn it in slack and get flagged by security.

If there’s one thing they took extremely seriously it was data security.

You're misreading my post with Coinbase-tinted glasses. My post is about the building that Coinbase operated out of. Not Coinbase itself.
Has anyone demonstrated that agentic AI systems can be bribed with money, or is that vulnerability still strictly relegated to unrealiable, untrustworthy biological intelligence?
I got rung in the UK I think a month ago from someone claiming to be from Coinbase. I told them I only had about £5 of Bitcoin cash in my account (which was true), and they immediately lost interest and said a forthcoming email would handle the matter.

They also asked if I had cold storage. I told them I had a fridge (also true).

An elderly friend of mine has been receiving Coinbase security alerts. Needless to say, she has never used the site and has no crypto.
FWIW, this is why "not your keys, not your coins."

Coinbase is good for on-ramping, bad for storage. You know, the entire point of cryptocurrency.

This is an extremely clickbaity headline.

The "recordings" are of a phisher attempting to get information from the author. It proves nothing about what Coinbase knew.

The author turned the information over to Coinbase, but that doesn't prove Coinbase knew about their breach. The customer could have leaked their account details in some other way.

The article seems to be written by AI and goes into lots of details none of which is about how Coinbase knew about this.
We use Coinbase as an org, we were targeted in early Feb 2025. Caught by person handling the accounts who is paranoid enough to reach out to the org contact on the other side.
My Coinbase account got caught up in this and I'm so glad I used something like coinbase_jridi46@example.com as my email address with them because emails to that address can be treated as hostile in the wake of the breach. if I'd just used coinbase@example.com as my email address with them, I'd be fucked.
Interesting timeline, but nothing here proves, or even strongly indicates, that Counbase “knew about the breach” from this one report.

Screenscraping malware is fairly common, and it’s not unreasonable for an analyst to look at a report like this and assume that the customer got popped instead of them.

Customers get popped all the time, and have a tendency to blame the proximate corporation…

Not sure if the op is reading, but I also detected the same Coinbase hack around the same timeline. From what I can tell, literally everything was compromised because even their Discord channel's api keys were compromised and were finally reset around April or May. This means their central secrets manager was likely compromised too.
This doesn't seem like proof to me.

The author got a phishing call and reported it. Coinbase likely has a deluge of phishing complaints, as criminals know their customers are vulnerable and target their customers regularly. The caller knowing account details is likely not unique in those complaints; customers accidentally leak those all the time. Some of the details the attacker knew could have been sourced from other data breaches. At the time of complaint, the company probably interpreted the report as yet another customer handling their own data poorly.

Phishing is so pervasive that I wouldn't be surprised if the author was hit by a different attack.

I don't know if ive gotten calls (I frequently dont answer if I dont have the contact saved), but ive gotten coinbase phasing emails for years. Its certainly not a new thing. The attacker might just be tracking the transactions on chain.
The entire web3 scene is a clusterfuck filled with scammers. Recently i got hacked by web3 interview which is a common vector nowadays.

They send github repo and as soon as you run it they send rejection after stealing tokens and installing keylogger. Pretty sophisticated and the frontend of the codebase looked polished as well.

Coinbase froze everyone's accounts (to prevent a selloff) while cashing in on insider knowledge that they were going to start supporting Bitcoin Cash. Then as soon as they sold off and the market dipped, they unfroze everyone's account. But instead of being in jail, they just keep getting away with it.
You (and everyone else ostensibly affected) have had like 7 years to sue over this if you could prove it.
(comment deleted)
So the emails had proper DKIM signatures.

Did the support agents have the ability to send arbitrary emails from commerce@coinbase.com? If not, how did the scammers send a properly signed email?

A related issue: often when there’s a security issue, the wrong people are blamed. In reality it is almost always the CEO’s fault for setting budgets or goals that are unrealistic and force everyone else to cut corners. Even other executives are a victim of this and are ultimately powerless.
Offshoring support for financial data should be illegal.

Even if they find the inside individuals, how could anyone ever present a legal case?

In July, 2025 I asked Coinbase to delete my account permanently, for which i had a bit of back-and-forth with customer service representatives, in the end I got an email confirming the deletion, then I tried to log into my account, I was still successful - they lied about it.

Then I reached out to customer service several times - no answer. Then I contacted dedicated channel for privacy related questions with all proofs of mishandling - radio silence.

It’s sad to see these companies mishandle our very personal data and get away with this.

(comment deleted)
That wouldn't surprise me — A few years ago I reported a vulnerability through their bug bounty program that allowed "mandatory" 2FA for crypto withdrawals to be bypassed.

They paid a pittance and permanently buried the report even though its release wouldn't have posed a risk anymore.