What Happened?
Coinbase has been targeted by hackers, leading to the continuous leakage of sensitive customer data since January of this year. The stolen personal information includes names, addresses, identification numbers, and banking details, which may be used for further fraudulent activities. The U.S. Securities and Exchange Commission (SEC) is investigating whether Coinbase has exaggerated its user count reports in the past, particularly regarding its claimed number of “verified users.” Although Coinbase explained that this was an unfinished investigation from the previous administration and has ceased reporting that metric in favor of “monthly transaction users,” it still needs to cooperate with regulatory authorities in their investigation. These incidents occurred just as Coinbase was included in the S&P 500 index, and the two crises have jointly impacted Coinbase’s reputation as a leader in the U.S. cryptocurrency industry, highlighting the severe challenges faced by the entire cryptocurrency sector in terms of security and regulation.
Hacker Invasion: An Internal “Social Engineering” Assault
Just as Coinbase was included in the S&P 500 index, marking the peak of digital asset mainstreaming, the leading cryptocurrency firm Coinbase recently faced dual challenges: a hacking incident with estimated losses of up to $400 million and an SEC investigation into its past user data reporting. These revelations caused Coinbase’s stock price to drop over 7%, undoubtedly a heavy blow for a company that is highly influential in the U.S. cryptocurrency industry and committed to promoting the mainstream adoption of digital assets.
The uniqueness of this hacking incident lies in its methodology. Unlike common technical vulnerabilities, the hackers utilized “social engineering” techniques, bribing Coinbase’s customer service representatives in India to continuously obtain sensitive customer information since January. “Social engineering” is an attack method that exploits human psychological weaknesses rather than technical flaws. In simple terms, it is an art of deception and manipulation, where hackers or attackers use non-technical means such as masquerading, enticing, intimidating, or applying pressure to manipulate victims into voluntarily disclosing sensitive information (e.g., passwords, bank account details) or performing actions detrimental to their security (e.g., clicking malicious links, downloading viruses, transferring funds).
Although Coinbase’s Chief Information Security Officer Philip Martin stated that the company immediately terminated the related agents’ access and fired them upon discovering the anomaly, emphasizing that the hackers did not have continuous access to data, reports from external media indicate that the hackers were still able to access this information as of Wednesday.
The data obtained by the hackers is quite extensive, including customers’ names, birth dates, addresses, nationalities, government-issued identification numbers, some banking information, as well as account opening dates and balances. This highly sensitive personal data could potentially be used by criminals to impersonate Coinbase or the victims themselves in attempts to gain control of other financial accounts. The hackers even audaciously demanded a ransom of $20 million from Coinbase, threatening to delete the stolen data.
In response to the ransom, Coinbase chose not to pay but instead offered a $20 million reward for information leading to the arrest and conviction of the attackers. The company also emphasized that the number of affected users is less than 1% of its monthly transaction users and promised to fully compensate those who suffered losses due to this incident. However, for high-net-worth traders, this incident represents not only potential financial losses but also deep concerns about personal safety due to recent violent incidents, such as kidnappings, occurring within the cryptocurrency community.
SEC Investigation: The Battle for Transparency in User Data Reporting
In addition to the hacking incident, Coinbase has also confirmed that the SEC is investigating whether it has previously exaggerated its user data reporting. According to CNBC, this investigation actually began during the Biden administration, focusing primarily on the number of “verified users” claimed by Coinbase in its securities filings and marketing materials, a figure that once exceeded 100 million.
In this regard, Coinbase’s Chief Legal Officer Paul Grewal explained that this investigation is a “delayed investigation of a metric that the previous administration had ceased reporting two and a half years ago.” He emphasized that the company had publicly explained that “verified users” include anyone who has been verified via email or phone number, which may have inflated the actual number of independent customers. Grewal stated that the company has since shifted to reporting “monthly transaction users” (MTUs), a more relevant metric, and continues to report this to this day.
Nevertheless, Coinbase remains committed to cooperating with the SEC to resolve this matter.
References: cnbc, bloomberg