News

(Bloomberg) -- On the long list of crypto companies that have been hacked, there are plenty of examples of financial losses that are much more painful than what Coinbase Global Inc. appears to be facing from the attack it disclosed on Thursday.

Yet this one stands out for significance far beyond the $400 million the company expects it will cost: This time, the victim was arguably the most influential US company in the industry.

Coinbase is the firm that led the digital-asset industry’s march into the mainstream financial system as the first publicly traded crypto exchange. It’s the company that safeguards the lion’s share of the $122 billion worth of tokens owned by spot-Bitcoin exchange-traded funds. And it’s the firm that did much of the heavy lifting when it came to the industry’s campaign spending spree to send a platoon of pro-crypto lawmakers to Washington this year.

Indeed, the revelation of the hack comes just three days after the company’s crowning achievement in mainstreaming the digital asset class with its addition to the S&P 500 Index, a development that will land its shares into trillions of dollars worth of retirement plans and other investment products that track the benchmark gauge. The hack, plus subsequent news of a lingering Securities and Exchange Commission investigation into how the company reported its user numbers, sent the shares down more than 7% on Thursday.

While the company says the Coinbase Prime service that custodies crypto for ETF issuers and services other institutional investors was not affected, the hackers did have near-constant access to some of Coinbase Global Inc.’s most valuable customer data since January, according to a person familiar with the incident who asked not to be named discussing company matters.

The hackers’ scheme was brazen, if not especially impressive from a technology standpoint: They bribed customer representatives to steal client data and then demanded a $20 million ransom to delete it. Coinbase began noticing unusual activity from some of these representatives as far back as January, the company confirmed in an interview with Bloomberg News.

The bribed reps got access to names, dates of birth, addresses, nationalities, government-issued ID numbers, some banking information as well as details about when customer accounts were created and their balances, the person familiar with the situation said. This information could be used to attempt to impersonate Coinbase and convince customers to let the hackers into their account. It could also be used to impersonate the victims with other service providers to attempt to convince them to let hackers into other financial accounts they maintain.

For some traders with big balances on the exchange, the incident was alarming for reasons that go beyond the potential financial losses, considering the kidnapping and mutilation of a crypto startup co-founder earlier this year and reports of other similar incidents.

“It’s a major breach, the amount of personal information shared is staggering,” said Mike Dudas, managing partner of web3 firm 6MV, who said he was targeted by the Coinbase hackers. “It will make people have to consider their personal physical security, especially with the things happening in France and elsewhere.”

The hackers had bribed enough customer service representatives to achieve effectively on-demand access to Coinbase customer information in the past five months, the person said. Coinbase Chief Security Officer Philip Martin disputed the assertion of near constant access, saying in an interview with Bloomberg News that the company pulled the agents’ access as soon as it was discovered that they were improperly sharing information. Therefore the hackers “did not have persistent access over the course of the entire period,” he said.

“What these attackers were doing was finding Coinbase employees and contractors based in India who were associated with our business process outsourcing or support operations, that kind of thing, and bribing them in order to obtain customer data,” Martin said.

Coinbase detected the agents, quarantined them and fired them, as soon as the company noticed the activity.

“So there were a number of specific bribery incidents that this attack, that this threat actor is claiming credit for throughout the course of that time, but they did not have persistent access over the course of the entire period,” he said.

The hackers had access to this data as recently as Wednesday, the person familiar with the incident said. Martin said “we have no reason to believe that is true at all” but could not “prove a negative.”

Bloomberg News is aware of one notable, high net worth individual’s data being accessed, whom Bloomberg is not disclosing for privacy reasons.

David Jeong, a crypto founder in New York, said he received a text from unidentified number on April 3, in which he was asked to verify the login for his personal account. He then received another text from a different number on May 4. Jeong said he hasn’t used a one-time password from Coinbase for two years.

Coinbase said in a regulatory filing that it received an anonymous email from the hackers making their ransom demand on May 11. It added that in the months leading up to that email it had detected instances of customer support agents outside of the US collecting data from internal systems. Last weekend, some premium customers received emails suggesting that their information had been accessed.

“At Coinbase, we actively monitor our systems to ensure customer information is only accessed when necessary and in accordance with our strict security standards. We wanted to let you know that we detected activity suggesting that information related to your account may have been accessed in a way that did not align with our internal policies,” the company said in a customer email reviewed by Bloomberg. “The information did not involve your password, seed phrase, or any other information that would have allowed someone to directly access your account or your funds.”

In the email, Coinbase recommended that customers ensure they’re “regularly monitoring your account, using a strong and unique password.”

Less than 1% of the exchange’s monthly transacting users were affected, Coinbase said Thursday. In addition to ramping up security controls for those affected, Coinbase said it would reimburse in full anyone who lost money. Instead of paying the ransom, the exchange is offering a $20 million bounty to anyone with information leading to the attackers’ arrest and conviction.

Hacks have long plagued the crypto industry, thanks to its heavy reliance on user anonymity and complex digital software. Around $2.2 billion was lost to such incidents in 2024, according to researcher Chainalysis. Operating under the threat of attack has been particularly painful for crypto exchanges, which are often major targets and face high ongoing costs to maintain tight security.

This type of so-called social engineering attack — in which criminals use people to gain unauthorized access to data, rather than exploiting flaws in computer code — is a type of threat has become increasingly popular in crypto, resulting in recent major incidents like the $1.5 billion hack of crypto exchange Bybit in February. With a price tag of $400 million to cover the cost of repaying users, among other charges, the incident ranks as the eighth biggest hack crypto hack ever, according to Elliptic data.

“Unfortunately as our nascent industry grows rapidly, it draws the eye of bad actors, who are becoming increasingly sophisticated in the scope of their attacks and harnessing new AI tools and techniques to bypass fraud prevention measures,” said Nick Jones, founder and CEO at crypto technology platform Zumo. “This is understandably a huge blow for a company that has had a pivotal few weeks.”

Meanwhile, the New York Times reported that the Securities and Exchange Commission has been investigating whether Coinbase misstated its user numbers in past disclosures as part of an inquiry that began during the Biden administration.

“This is a hold-over investigation from the prior administration about a metric we stopped reporting two and a half years ago, which was fully disclosed to the public,” Paul Grewal, Coinbase’s chief legal officer, said in a statement. “While we strongly believe this investigation should not continue, we remain committed to working with the SEC to bring this matter to a close.”

--With assistance from Muyao Shen and Olga Kharif.