On May 11, cryptocurrency exchange giant Coinbase “received an email communication from an unknown threat actor claiming to have obtained information about certain Coinbase customer accounts, along with internal Coinbase documentation, including materials relating to customer-service and account-management systems,” the company told the SEC in an 8-K filing three days later.
The breach reveals that the attackers — reportedly part of the financially motivated group of young hackers known as the Com, or possibly affiliated threat actors Scattered Spider or ShinyHunters — bribed outsourced workers in India to gain credentials that gave them access to Coinbase customers’ data. (Coinbase has not attributed the attack to any specific group. “The Com did take credit for it, but we cannot verify that it was in fact them,” a company spokesperson told CSO.)
The degree to which outsourced workers were targeted for bribes is perhaps the most significant aspect of the incident. “I’ve never heard of the kind of pervasive bribery that this incident showed us, with the long-term focus and the amounts involved,” Philip Martin, CSO of Coinbase, tells CSO. “It was, to me, an evolution in attacker behavior.”
Given this prominent example, experts stress that security leaders should step up their educating and red-teaming of in-house and outsourced staff on the bribery threat. Moreover, cybersecurity professionals should be prepared for additional threat actor ploys to entice workers as old-school infiltration techniques, such as phishing attacks, become less effective.
Details of the Coinbase breach
Starting in December 2024, the threat actors targeted Coinbase’s customer support agents working at business process outsourcing (BPO) company TaskUs, in Indore, India. They reportedly offered workers bribes of up to $2,500 per person to copy data from their customer support tools.
The stolen data came from 1%, or around 70,000, of Coinbase’s monthly transacting users, and included a range of personally identifiable information, such as contact information and Social Security numbers, account data, and masked bank account information, but not login credentials, private keys, or access to accounts and crypto wallets.
The hackers demanded Coinbase pay a $20 million ransom to keep them from publishing the data. Coinbase refused to pay and instead put a $20 million bounty on the hackers. Moreover, the exchange promised to reimburse customers who were tricked into sending funds to the attacker due to social engineering attacks and beef up customers’ security measures.
Working with industry partners, Coinbase tagged the attackers’ addresses so the authorities can track them and work to recover assets. It also fired the insiders on the spot and referred them to US and international law enforcement for criminal prosecution.
TaskUs said it stopped taking Coinbase calls at the Indore, India, facility and fired 226 workers. In its SEC filing, Coinbase gave a preliminary estimate of $180 million to $400 million for remediation and reimbursement expenses.
Coinbase’s widely praised incident response
Coinbase’s transparency, firm stance against the ransom, quick remediation, and willingness to compensate its customers earned wide praise from cybersecurity professionals.
According to Coinbase’s Martin, the hackers resorted to paying help desk workers in India precisely because the company had built such a robust security program. Bribery, according to Martin, was the last option available.
“We spend a bunch of time and a lot of engineering resources making Coinbase as a platform a really hard place for threat actors to steal from our customers,” he tells CSO.
Martin credits his team of around 300 security pros for the successful response to an incredibly stressful situation. “Security is a team sport,” he says. “There were people throughout the organization, both before there was ever an incident and after, thinking about our architecture and segmentation and access control.”
‘We don’t pay terrorists’
Coinbase refused to pay the ransom not only on principle but also out of a belief that the attackers wouldn’t have deleted the data if paid.
“It was certainly a matter of principle that we don’t pay terrorists, but look, at the end of the day, this is our customer’s information,” Martin says. “We have an obligation to protect it. So, it was also a view that there was no reason for us to believe that this threat actor group would do what they say they would do and follow through on their promise not to expose that data.”
Moreover, any payment to ransomware actors encourages them to continue their malicious behavior, Martin adds. Paying ransomware actors “is not playing the long game; that’s playing the short game,” Martin says. “If you pay terrorists, you’re funding the next attack, whether it’s on you or somebody else.”
He also concedes that sometimes paying ransoms makes sense, depending on the situation. “In the case of a ransomware incident, it may truly be a situation where you pay the ransom or the company dies,” Martin says. “That’s a tough place to be in.”
Bribes grew over time
One key aspect of the Coinbase breach is that the bribery was focused on gaining account information to ransom Coinbase as a corporation, not on draining individual crypto investors’ wallets. The latter is the typical goal of financially motivated hackers, who most frequently bribe telco personnel to conduct SIM swaps so they can steal funds from crypto and financial accounts.
This wasn’t the first time hackers tried to access Coinbase customers through bribes. “Support agents were using their authorized access to support Coinbase customers with their everyday needs to steal information from Coinbase about these customers, which the bad actors would then use to enhance their ability to reach out and socially engineer their victims,” Martin says. “The bribes started small and became quite large over time.”
While the hackers were continuing along their bribery loop, Coinbase took steps to address the problem. “We were updating our controls, both responding to the adversary as well as getting out ahead of them in some cases,” Martin says.
“This is a key area for us to make sure that we are doing those postmortems every single time we have an issue, taking the learnings from them, and making sure we fold them back into our security program very, very quickly. That continued up until we had a ransom demand.”
“In terms of threat actors bribing employees, that’s quite common,” Zach Edwards, senior threat researcher at Silent Push, tells CSO. “Threat actors whose methods are aligned to the Com have for years been bribing companies, customer support staff to execute attacks. What’s very interesting to see with the Coinbase breach is the new method on the enterprise side to potentially use similar bribery tactics, where we haven’t seen that before.”
However, Greg Linares, principal threat intelligence analyst at Huntress, points to a 2020 incident when a Russian threat actor offered a Tesla employee $1 million to install ransomware on the car company’s networks in Nevada in the hopes of forcing Tesla to pay millions more in ransom. “Large ransomware groups have the means to bribe individuals to attack internally, and insider threat is always going to be an issue working in some industries,” Linares says.
Train and test for bribery risks in every country
When it submitted its SEC filing, Coinbase said that because of its breach, it was in the process of opening a new support hub in the United States and taking other measures to harden its defenses to prevent this type of incident.
But as the Tesla incident illustrates, workers located anywhere can be approached for bribes. “It would be a real mistake to say that it’s a problem only in more unequal jurisdictions,” Coinbase’s Martin says. “I think that limits the imagination of defenders. It can be a problem anywhere. And I think this is more a question of who you hire rather than where you hire, because we saw plenty of people in India, as an example, not engage with these threat actors.”
Linares agrees, saying that threat actors are just as likely to target workers in developed nations earning middle-class salaries as they would outsourced workers in developing nations. “A lot of this is funded when the IT workers at a company get paid $60,000 a year for a multi-billion-dollar company, and they are offered eight years’ salary for doing an activity that takes 15 minutes, and they could get away with it. That’s an avenue that the attackers are looking at to exploit.”
Given that corporate bribery poses substantial risks, security leaders should start training programs for personnel on how to deal with any bribe offers they receive and to engage in red-team exercises with personnel who have access to customer data.
“Folks in the airline, insurance, and to a lesser degree, retail sectors should be not only testing their customer support teams to ensure they know how to handle illicit verbal password reset attempts, but also testing teams to make sure they know how to handle potential bribery attempts,” Silent Push’s Edwards says.
“Everyone on targeted customer support teams should know that bribes are taken extremely seriously and there are ongoing and active efforts to ensure support teams not only reject bribery attempts but understand the importance of reporting and escalating those attempts to their managers,” says Edwards.
For Martin, the bottom line is that no matter how tight an enterprise’s security is, “Adversaries get to look at what you’ve built and figure out how to get around it, through it, over it, under it, whatever it is they’re going to do,” he says. “So, there is never going to be perfect security. The famous Mike Tyson quote that I love is: ‘Everyone has a plan, until they get punched in the face.’”