Coinbase data breach may cost up to $400 million: is KYC turning into a gold mine for hackers?
Author: Fairy, ChainCatcher
Editor: TB, ChainCatcher
"The estimated loss from this incident is about $180 million to $400 million."
Even employee vetting cannot ultimately stop social engineering attacks…
In early April, we reported that Coinbase users were being repeatedly hit by highly targeted scams, with annual losses potentially reaching $300 million. Now the truth is gradually coming to light.
Yesterday, Coinbase disclosed key details: attackers bribed overseas customer support staff to steal the personal information of less than 1% of its active users. A long-hidden insider security risk has finally come to light.
The glory had barely begun before the crisis arrived
Less than a week after the good news of its inclusion in the S&P 500, the Coinbase security scandal followed, and the stock immediately turned downward, falling 7.2% in a single day.
In early April, Mike Dudas, co-founder of The Block, received a notification from Coinbase stating that his account had been improperly accessed by an employee, which already raised concerns about internal data access controls at the time. (Related reading: Annual losses of $300 million as Coinbase users are repeatedly hit by targeted scams: is an "insider" leaking information?)
Coinbase's announcement yesterday gave the first full picture of the incident: overseas customer support staff were bribed by criminals and copied the data of less than 1% of monthly active users so that the attackers could impersonate Coinbase in scams. The attackers then demanded $20 million in hush money from Coinbase. Coinbase refused to pay and instead offered a reward of the same amount for information leading to the arrest and conviction of the people behind the attack.
At the same time, questions about whether Coinbase has inflated its user numbers have resurfaced. The SEC is investigating the "100 million verified users" figure disclosed in its listing documents, a metric Coinbase quietly stopped reporting two years ago. Although Chief Legal Officer Paul Grewal responded that this is a legacy investigation from the previous administration and that all relevant information has been fully disclosed, Coinbase has once again become the focus of public scrutiny under internal and external pressure.
Can Coinbase still be trusted?
Coinbase's credibility is facing an unprecedented test. For a publicly listed cryptocurrency exchange that prides itself on "security and compliance," the leak of sensitive data, the surge in social engineering risk, and the prospect of regulatory penalties amount to a blow on several fronts at once.
According to Coinbase's announcement, the stolen information covers almost the complete KYC profile of the affected users: names, addresses, phone numbers, email addresses, images of identity documents, and in some cases bank account information. In the hands of criminals, such data not only supplies "precision ammunition" for follow-on social engineering attacks, phishing emails, and theft of funds, but can also be resold on the dark web, creating a risk that persists long after the breach itself.
As for its response, Coinbase has promised to fully reimburse users who were tricked into sending funds to the attackers as a result of this incident, and to systematically close the security gaps it exposed. It will tighten access controls for customer support staff and open a new customer support center in the U.S. to strengthen oversight. Coinbase also says it will increase internal investment in insider threat detection, automated response, and attack simulation exercises.
Although these measures amount to closing the barn door after the horse has bolted, they also signal that Coinbase intends to confront the problem head-on. Whether this series of remedial steps can actually curb the risk and win back the trust of investors and users remains to be seen.
KYC controversy reignited
KYC was designed to combat money laundering and terrorist financing, but in practice it has also turned every platform that implements it into a concentrated repository of user privacy data. The Coinbase breach has brought the controversy around the KYC regime back to the forefront.
In the wake of the incident, several project founders and CEOs have spoken out, raising three questions:
- Is "privacy exchanged for security" worth it?
Nansen CEO Alex Svanevik bluntly stated that the KYC system requires users to submit a large amount of sensitive information, such as ID documents, passports, and utility bills, but in reality, "almost no real criminals have been caught."
Casa Wallet CEO Nick Neuman expressed, "This is why we do not collect KYC." In his view, KYC only provides hackers with more avenues for attack.
- Systemic flaws amplify the risk to users
A platform that collects sensitive user information without the protective capabilities to match may actually put its users at greater risk. Wintermute CEO Evgeny Gaevoy pointed out that Coinbase did not disclose the leak in a timely manner, calling this the "dark side of the foolish and absurd KYC/AML system we are in." In his view, this system "facilitates geopolitical and law enforcement efforts at the expense of citizen privacy, while imposing a heavy burden on businesses and making it easier for criminals to engage in extortion, kidnapping, and scams."
- An information honeypot: should the industry keep doubling down?
Arthur, founder of DeFiance Capital, posted on X that Coinbase really needs to fix its problems; if the platform ends up as a honeypot of sensitive user information, there is no reason to keep requiring KYC.
For the cryptocurrency industry, when "compliance" becomes the justification for compulsory collection of sensitive user data, is the platform prepared to shoulder the data security responsibility that comes with it? The debate over KYC is not new, but this real-world case has sharpened it: the tension between regulatory compliance and user privacy is becoming a dilemma the industry can no longer avoid.
Compliance is the ticket to the mainstream, but it is also the touchstone of data security. It tests not only a platform's technical strength but also its sense of responsibility and its standard of governance.
This is a road with no turning back, and the journey ahead is long and arduous.