Coinbase Global (COIN) often touts how it is "building the financial system of the future," but last week the cryptocurrency exchange made a disclosure that highlighted how vulnerable it was to a very old-fashioned form of crime: bribery.
Cyberattackers accessed names, addresses, government-ID imagery, transaction history, and account balances of customers comprising less than 1% of its monthly transacting users, Coinbase said, and demanded a ransom payment of $20 million.
How did criminals get this information? By bribing retail customer service agents in India, according to the company.
The data breach disclosure interrupted what should have been a crowning moment for Coinbase as it joined the S&P 500 (^GSPC) following a landmark acquisition of crypto options exchange Deribit for $2.9 billion.
Bloomberg reported Monday that the Justice Department is now investigating the hack. Paul Grewal, the company's chief legal officer, told Bloomberg that Coinbase brought the matter to the attention of the DOJ and that the company itself is not being investigated.
Coinbase's stock fell 7% on the day of the announcement. It has since recovered and is down roughly 1% from its closing price the day before it revealed the breach.
Devin Ryan, head of financial technology research at Citizens Financial Group (CFG), doesn't view the breach "as some fundamental inherent issue with the company, but more a lapse that they have to now take the consequences of and hopefully learn from."
"This is an issue that emanated from employees and also, I think, from a process," Ryan added.
As far back as Dec. 26, 2024, the criminals began pilfering the names and addresses of Coinbase customers, according to a Wednesday filing with the Maine Attorney General. Some 69,461 affected people are now at higher risk of identity theft or fraud, according to the filing.
The company immediately fired workers who were inappropriately viewing customer data, enhanced fraud protections, and notified customers as far back as December, according to a SEC filing.
Coinbase CEO Brian Armstrong last week posted a video on X addressing the breach, explaining that instead of paying the ransom, Coinbase is establishing a $20 million reward or bounty program for information leading to the arrest and conviction of the attackers.
He also said the company has alerted affected customers and is planning to reimburse those affected and relocate some of its support operations.
Coinbase CEO Brian Armstrong speaks at a Stand with Crypto rally in Los Angeles in 2024. (Jason Armond/Los Angeles Times via Getty Images) ·Jason Armond via Getty Images
"No, we're not going to pay your ransom," Armstrong said, addressing the attackers during the video.
A preliminary estimate of the incident's cost is "approximately $180 million to $400 million," Coinbase said in a SEC filing.
Inside the crypto world, there is concern that large account holders could become targets of physical attacks.
Reports of attacks generally targeting crypto figures have been surging so far this year. One public database created by Jameson Lopp, co-founder and chief security officer of bitcoin security provider Casa, shows 23 physical attacks against crypto-holding people and companies worldwide so far this year.
Though not every physical attack is reported, that figure is nearly three times the number reported in the same period last year.
It's also by far the highest number on record since the database began tracking such incidents in December 2014, when bitcoin was much less popular and valuable.
Three of this year's attacks have been attempted abductions of crypto executives or their relatives in France, including two where victims lost a finger as their abductors sought both ransom and access to their crypto wallets.
Bloomberg has reported that one prominent Coinbase customer has already been fooled into handing over money, citing a Los Angeles artist who told the news outlet he lost $2 million.
Coinbase's two biggest rivals — Binance and US-based Kraken — have faced similar "social engineering" attacks, but both fended off data breaches from similar attacks, according to Bloomberg.
"Although Coinbase may be world-leading when it comes to giving people access to crypto, I think there are many aspects of their business practice that are likely based on the practices of more traditional organizations,” Evin McMullen, co-founder of AI-powered digital identity project Privado ID, told Yahoo Finance.
Armstrong provided more detail about his thoughts on the incident this week as he responded on X to a post from TechCrunch founder and self-proclaimed Coinbase investor Michael Arrington, who claimed the data breach "will lead to people dying."
"The data hasn't been dumped on the dark web yet. We will see if that holds," Armstrong said as part of a lengthy response to Arrington on Tuesday.
The CEO also expressed doubt that using overseas customer service workers was to blame.
"The location of support agents I don't think is a perfect solve to this, since the amounts they were offering were powerful even for people in parts of the U.S. But it's possible it could help on the margin," he added.
A Coinbase spokesperson said that, to her knowledge, Armstrong's comments still hold.
StockStory aims to help individual investors beat the market.
David Hollerith is a senior reporter for Yahoo Finance covering banking, crypto, and other areas in finance.
