What Happened?
Coinbase has suffered a hacking attack that has resulted in the continuous leakage of sensitive customer data since January of this year. The stolen personal information includes names, addresses, identification numbers, and banking details, which could be used for further fraudulent activities.
The U.S. Securities and Exchange Commission (SEC) is investigating whether Coinbase exaggerated user numbers in its past reports, particularly its claimed number of “verified users.” Although Coinbase explained that this is a continuation of an investigation from the previous administration and that it has ceased reporting this metric in favor of “monthly transaction users,” it still needs to cooperate with regulatory inquiries.
These events occurred shortly after Coinbase was added to the S&P 500 index. The dual crises have impacted Coinbase’s reputation as a leader in the U.S. cryptocurrency industry, highlighting the severe challenges facing the entire cryptocurrency sector in terms of security and regulation.
Hacking Incident: An “Inside” Social Engineering Attack
Just as Coinbase was added to the S&P 500 index, marking a peak in the mainstream acceptance of digital assets, the leading company in the cryptocurrency space has faced dual challenges: a hacking incident expected to result in losses of up to $400 million, and an investigation by the SEC into its past user data reports. This news caused Coinbase’s stock price to drop by more than 7%, undoubtedly a heavy blow to a company that is influential in the U.S. cryptocurrency industry and dedicated to promoting the mainstream adoption of digital assets.
The unique aspect of this hacking incident lies in its method. Unlike common technical vulnerabilities, the hackers utilized “social engineering” tactics, bribing a customer service representative in Coinbase’s India office to continuously obtain sensitive customer information since January of this year.
“Social engineering” is a method of attack that exploits human psychological weaknesses rather than technical vulnerabilities. In simple terms, it is an art of deception and manipulation, where hackers or attackers use disguises, inducements, intimidation, or pressure to coerce victims into voluntarily disclosing sensitive information (such as passwords or bank account details) or performing actions that are detrimental to their own security (such as clicking on malicious links, downloading viruses, or transferring funds).
Although Coinbase’s Chief Security Officer Philip Martin stated that the company immediately terminated the related agent’s access and fired them upon discovering the anomalies, emphasizing that the hackers did not have sustained access to the data, reports from foreign media indicate that the hackers were still able to access this data up until Wednesday.
The range of data acquired by the hackers is quite extensive, including customers’ names, dates of birth, addresses, nationalities, government-issued ID numbers, partial banking information, account opening dates, and account balances. This highly sensitive personal information could potentially be used by criminals to impersonate Coinbase or the victims themselves, thereby attempting to gain control over other financial accounts. The hackers even audaciously demanded $20 million from Coinbase in exchange for deleting the stolen data.
In response to the ransom demand, Coinbase opted not to pay and instead offered a $20 million reward for information leading to the arrest and conviction of the attackers. The company also emphasized that the number of affected users is less than 1% of its monthly transaction users and promised to fully compensate users who suffer losses from this incident.
However, for high-net-worth traders, this incident presents not only potential financial losses but also a profound concern for personal safety, especially in light of recent violent incidents in the cryptocurrency sphere, such as kidnappings.
SEC Investigation: A Battle for Transparency in User Data Reporting
In addition to the hacking incident, Coinbase has also confirmed that the SEC is investigating whether it exaggerated its past user data reports.
According to a report from CNBC, the investigation has been underway since the Biden administration, primarily focusing on the number of “verified users” that Coinbase claimed in its securities filings and marketing materials, a number that once exceeded 100 million.
In this regard, Coinbase’s Chief Legal Officer Paul Grewal explained that this investigation is a continuation of a “deferred inquiry into an indicator that the previous administration had stopped reporting two and a half years ago.”
He emphasized that the company had publicly explained that “verified users” includes any user verified through email or phone number, which may have inflated the actual number of independent customers. Grewal stated that the company has since switched to reporting “monthly transaction users” (MTUs), a more relevant metric, and continues to report this today.
Nevertheless, Coinbase remains committed to cooperating with the SEC in hopes of resolving this matter.
References: CNBC, Bloomberg