

Coinbase Offers $20 Million Bounty To Catch Data Thieves After Extortion Attempt (fortune.com)
Cryptocurrency exchange Coinbase said Thursday it is offering a $20 million reward for information leading to the arrest and conviction of criminals who attempted to extort the company for the same amount after stealing customer data.
The criminals bribed customer support agents in overseas markets to access records containing addresses, phone numbers, government IDs, and partial bank and Social Security details of more than 80,000 customers. "It sucks but when we see a problem like this we want to own it and make it right," Coinbase Chief Security Officer Philip Martin told Fortune.
The company will reimburse customers who fell victim to subsequent social engineering scams. No login credentials or wallet access were compromised in the breach. The extortionists had threatened to publish the stolen information unless paid $20 million in Bitcoin.
real money? (Score:1)
Coinbase should shut down (Score:2, Funny)
This is basically a mafia war (Score:2, Interesting)
At best Coinbase is basically an online casino. Their major business is to present crypto as a "legit investment" to normal folks who want to gamble. They've probably got healthy side businesses supporting criminality and wash trading. I registered for Coinbase 5 years ago, that was my only interaction with them, and they never stopped flooding me with "BUY THE CRYPTO DIP NOW NOW NOW" emails.
Hard to send cops to (Score:3, Insightful)
...N. Korea.
Let's translate part of this (Score:4, Insightful)
Correct version: "We, Coinbase, were too cheap to vet and hire customer support agents locally, so we outsourced support to sketchy people at sketchy operations elsewhere, and then we strongly encouraged them to accept bribes by severely underpaying them while simultaneously giving them unlimited, unaudited access to as much sensitive customer information as possible. Now we're grandstanding in an attempt to distract attention from our own incompetence."
Re: (Score:2)
But did they save $20M by doing so?
They were also using that Signal clone that sent all comms through cleartext SMTP to Outlook (per sggrc) and probably foreign intelligence so the nature of the company is quite an uncertainty.
Re: (Score:2)
Correct version: "We, Coinbase, were too cheap to vet and hire customer support agents locally, so we outsourced support to sketchy people at sketchy operations elsewhere, and then we strongly encouraged them to accept bribes by severely underpaying them while simultaneously giving them unlimited, unaudited access to as much sensitive customer information as possible. Now we're grandstanding in an attempt to distract attention from our own incompetence."
This is predicated on the assumption that overseas customer support is automatically more sketchy than domestic customer support. I believe the Philippines, which is a popular option for customer support, generally has a lower rate of crime than the US.
Make the bounty have some teeth... (Score:1)
If more companies would not only put a monetary bounty on these crooks but also specify "dead or alive," perhaps it would start to put a dent in their activities. They're already operating from countries that either look the other way or actively assist them in their activities. Putting a death mark on them ups the stakes considerably and allows the use of...ahem...alternate actors...ahem...that can operate beyond the law to get actual results.
Re:Make the bounty have some teeth... (Score:4, Informative)
If more companies would not only put a monetary bounty on these crooks but also specify "dead or alive," perhaps it would start to put a dent in their activities.
No, because that's how you end up with a lot of dead people, including people that weren't related to the case. A simple way to stop this stuff from happening is regulations that are akin to that which is required for banks and then make paying ransomware illegal.
It's worse than the article says (Score:4, Interesting)
KYC/AML Caused this (Score:2, Interesting)
Coinbase knows they won't have to pay. (Score:2)
Any attack of significance is likely going to be by a nation-state actor, so arrest is a non-starter. Even if it is a cybercrime gang then they are almost certainly going to be in Russia or Romania. Again, not getting arrested. Even if you somehow luck out and they get arrested, you need to wait for them to be not merely prosecuted but also convicted, which means they have to also exhaust all their appeals. So if you somehow manage to clear all that then it'll likely be a payout in 7 years. Chances of ge
That's how ransoms should be paid (Score:2)
This is a good model for other companies on how to handle ransom requests.