Coinbase Rejects $20M Ransom After Rogue Contractors Bribed to Leak Customer Data

Coinbase said a group of rogue contractors were bribed to pull customer data from internal systems, leading to a $20 million ransom demand.

Coinbase on Thursday laid out the full scope of a security breach first disclosed to the SEC, confirming that a group of rogue contractors was bribed to pull customer data from internal systems and that the attackers then demanded a $20 million payoff.

Coinbase chief executive Brian Armstrong said the cryptocurrency exchange “won’t fund criminal activity” and is instead setting up a $20 million reward fund for information that leads to the arrest and conviction of the extortionists.

In a filing with the Securities and Exchange Commission, Coinbase said criminals made contact on May 11, claiming to possess data on “less than one percent” of monthly transacting users along with internal customer-support documentation.

“They used cash offers to convince a small group of insiders to copy data in our customer support tools for less than 1% of Coinbase monthly transacting users. Their aim was to gather a customer list they could contact while pretending to be Coinbase, tricking people into handing over their crypto,” Armstrong explained.

“They then tried to extort Coinbase for $20 million to cover this up. We said no,” the Coinbase CEO added.

The attackers had paid rogue contractors in non-U.S. support centers to copy information they were already authorized to view, an abuse the company said its monitoring tools had detected months earlier. 

Armstrong said those workers were fired at the time, but only now has Coinbase linked the incidents to a single campaign.

According to the disclosure, the stolen cache includes customer names, addresses, phone numbers, email addresses, the last four digits of Social Security numbers, and masked bank-account numbers and related identifiers.

Coinbase confirmed the hijacked data included images of driver’s licenses or passports, balance snapshots, transaction histories, and limited corporate training materials. 

The attackers did not obtain login credentials, two-factor-authentication codes, private keys, or any ability to move customer funds, the company said, noting that Coinbase Prime accounts, hot wallets, and cold wallets were untouched.

Coinbase said it will voluntarily reimburse retail customers who were duped into sending cryptocurrency to the scammers, once investigators verify each claim. It is also opening a new U.S. support hub, adding stronger insider-threat monitoring, and placing additional identity checks and scam-awareness prompts on high-risk withdrawals. 

In its SEC filing the company pegged the preliminary cost of remediation and reimbursements at between $180 million and $400 million.

Written By

Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. He is a security community engagement expert who has built programs at major global brands, including Intel Corp., Bishop Fox and GReAT. Ryan is a founding-director of the Security Tinkerers non-profit, an advisor to early-stage entrepreneurs, and a regular speaker at security conferences around the world.
