Hackers scam Coinbase users and ransom data for $20M • The Register


05/15/2025


Coinbase says some of its overseas support staff were paid off to steal information on behalf of cybercriminals, and the company is now being extorted for $20 million.

According to a filing with the Securities and Exchange Commission (SEC) on Thursday, “an unknown threat actor” contacted the crypto exchange giant on May 11, informing it of the stolen data and “demanded money in exchange for not publicly disclosing the information.”

Coinbase said it verified the email was genuine and related to information that was indeed stolen, but insists it will not be paying the criminals any dosh. 

In a blog post, Coinbase confirmed the ransom demand was $20 million for data belonging to less than 1 percent of its monthly transacting users. 

Flipping the script, Coinbase has vowed to instead pay $20 million for information leading to the arrest and conviction of the attackers.

The company said the data does not include passwords or private keys, but depending on the use, the following details of its customers may be compromised:

  • Names
  • Addresses
  • Phone numbers
  • Email addresses
  • Last four digits of Social Security Numbers
  • Masked bank account numbers and some bank account identifiers
  • Images tied to government IDs such as passports and driving licenses
  • Coinbase account data including balance snapshots and transaction histories
  • “Limited corporate data,” including documents, training material, and communications available to support agents

Coinbase said that at no point during the compromise could the attackers have accessed customers’ funds, and confirmed the sources of the data were insiders bribed to steal information on behalf of the extortionists.

However, the post confirms that the attackers already used the stolen data to lend credibility to social engineering attacks, duping customers into sending funds to them.

“The threat actor appears to have obtained this information by paying multiple contractors or employees working in support roles outside the United States to collect information from internal Coinbase systems to which they had access in order to perform their job responsibilities,” it said in the filing.

“These instances of such personnel accessing data without business need were independently detected by the company’s security monitoring in the previous months. 

“Upon discovery, the company had immediately terminated the personnel involved and also implemented heightened fraud-monitoring protections and warned customers whose information was potentially accessed in order to prevent misuse of any compromised information.”

Coinbase went on to say that it is investing in anti-fraud technologies to mitigate the possibility that any of the stolen data could be used to defraud customers any further, and it pledged to reimburse those who had already been scammed.

It is also in the process of opening a new support hub based in the US and is “taking other measures to harden its defenses” against this type of attack.

According to active job boards, Coinbase support staff are dotted across the world, from the UK, Ireland, and the US to further afield in India, the Philippines, and Japan.

The SEC filing states that despite no material impact on the company’s operations thus far, it expects the total cost of cleaning up the cyber snafu to be in the region of $180 million to $400 million.

The huge outlay will be spent on remediation costs and voluntary customer reimbursements, it says, although the sum could meaningfully increase or decrease based on further review of losses, indemnity claims, and recoveries.

“The company plans to aggressively pursue all remedies. As the company’s investigation is ongoing, the full impact of these events are not yet known.”

The announcement, made at US market open, has seen Coinbase’s share price drop more than 7 percent at the time of writing.

Coinbase CEO Brian Armstrong Xeeted a response, echoing many of the points made in the filing and blog post. 

In a near three-minute video, citing the $20 million bounty, he issued a threat to the attackers: “For these would-be extortionists, or anyone seeking to harm Coinbase customers, know that we will prosecute you and bring you to justice.”

Altogether: the extensive detail in the SEC filing, the promise to reimburse socially engineered customers, the CEO’s selfie video – experts have said this “is the most unique breach disclosure” they have ever seen.

On Coinbase’s response, Charles Carmakal, SVP at Mandiant, told The Register: “It’s very notable. It’s not often that you see that level of transparency from a company, and you don’t see companies basically sticking the middle finger up at a threat actor and ignoring their extortion demand, but in turn, offering the equivalent bounty to catch individuals behind the attack.

“It is the most unique breach disclosure I’ve ever seen. I’ve had security leaders here and there who have wanted to do something like this, but it’s very hard to get buy-in from other executives or the CEO of the board to do that. What Coinbase did was unusual, but it’s very commendable. So, it will be a case study for many years in school, and we’ll see how it all plays out and works for them.” ®
