Coinbase, the largest cryptocurrency exchange based in the US, said criminals had improperly obtained personal data on the exchange’s customers for use in crypto-stealing scams and were demanding a $20 million (€17.6 million) payment not to publicly release the information.
Coinbase CEO Brian Armstrong said in a social media post Thursday that criminals had bribed some of the company’s customer service agents who live outside the US to hand over personal data on customers – including names, dates of birth, and partial national identification numbers.
The stolen data “allows them to conduct social engineering attacks where they can call our customers impersonating Coinbase customer support and try to trick them into sending their funds to the attackers,” Armstrong said.
Social engineering is a popular hacking strategy, as humans tend to be the weakest link in any network. Many large companies have suffered hacks and data breaches as a result of such scams in recent years.
Coinbase did not specify how many customers had their data stolen or fell prey to social engineering scams. But the company did pledge to reimburse any who did.
In a filing with the US Securities and Exchange Commission (SEC), Coinbase estimated that it would have to spend between $180 million to $400 million (€158 million to €352 million) related to remediation and customer reimbursements tied to the bribes.
The SEC filing said that the company had detected some of its customer service agents “accessing data without business need”.
Those employees had been fired, the company said, and it has since stepped up its fraud prevention efforts.
Coinbase said it received an email from the attackers on Sunday demanding a ransom of $20 million (€17.6 million) worth of bitcoin in order not to publicly release the customer data they had stolen.
Armstrong said the company was refusing to pay the ransom and would instead offer a $20 million (€17.6 million) bounty for anyone who provided information that led to the attackers’ arrest.
“For these would-be extortionists or anyone seeking to harm Coinbase customers, know that we will prosecute you and bring you to justice,” Armstrong said.
“And know you have my answer”.
