{"id":4533,"date":"2025-08-26T07:00:00","date_gmt":"2025-08-26T07:00:00","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=4533"},"modified":"2025-08-26T07:00:00","modified_gmt":"2025-08-26T07:00:00","slug":"behind-the-coinbase-breach-bribery-emerges-as-enterprise-threat","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=4533","title":{"rendered":"Behind the Coinbase breach: Bribery emerges as enterprise threat"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>On May 11, cryptocurrency exchange giant Coinbase \u201creceived an email communication from an unknown threat actor claiming to have obtained information about certain Coinbase customer accounts, along with internal Coinbase documentation, including materials relating to customer-service and account-management systems,\u201d the company <a href=\"https:\/\/www.sec.gov\/ix?doc=\/Archives\/edgar\/data\/0001679788\/000167978825000094\/coin-20250514.htm#fact-identifier-21\">told the SEC in an 8-K filing<\/a> three days later.<\/p>\n<p>The breach reveals that the attackers \u2014 reportedly part of the financially motivated group of young hackers known as <a href=\"https:\/\/fortune.com\/crypto\/2025\/05\/29\/coinbase-hack-the-community-taskus-bpos-teenagers\/\">the Com<\/a>, or possibly <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/hackers-leak-allianz-life-data-stolen-in-salesforce-attacks\/\">affiliated threat actors Scattered Spider or ShinyHunters<\/a> \u2014 bribed outsourced workers in India to gain credentials that gave them access to Coinbase customers\u2019 data. (Coinbase has not attributed the attack to any specific group. 
\u201cThe Com did take credit for it, but we cannot verify that it was in fact them,\u201d a company spokesperson told CSO.)<\/p>\n<p>The degree to which outsourced workers were targeted for bribes is perhaps the most significant aspect of the incident. \u201cI\u2019ve never heard of the kind of pervasive bribery that this incident showed us, with the long-term focus and the amounts involved,\u201d <a href=\"https:\/\/www.linkedin.com\/in\/philipmmartin\/\">Philip Martin<\/a>, CSO of <a href=\"https:\/\/www.linkedin.com\/company\/coinbase\/\">Coinbase<\/a>, tells CSO. \u201cIt was, to me, an evolution in attacker behavior.\u201d<\/p>\n<p>Given this prominent example, experts stress that security leaders should step up education and red-teaming of in-house and outsourced staff on the bribery threat. Moreover, cybersecurity professionals should be prepared for additional threat actor ploys to entice workers as old-school infiltration techniques, such as phishing attacks, become less effective.<\/p>\n<h2 class=\"wp-block-heading\">Details of the Coinbase breach<\/h2>\n<p>Starting in December 2024, the threat actors <a href=\"https:\/\/www.coinbase.com\/blog\/protecting-our-customers-standing-up-to-extortionists\">targeted<\/a> Coinbase\u2019s customer support agents <a href=\"https:\/\/www.reuters.com\/sustainability\/boards-policy-regulation\/coinbase-breach-linked-customer-data-leak-india-sources-say-2025-06-02\/\">working<\/a> at business process outsourcing (BPO) company TaskUs, in Indore, India. 
They reportedly offered workers bribes of up to $2,500 per person to copy data in their customer support tools.<\/p>\n<p>The stolen data came from 1%, or <a href=\"https:\/\/www.maine.gov\/agviewer\/content\/ag\/985235c7-cb95-4be2-8792-a1252b4f8318\/f61fae18-f669-499e-9a87-f4d323d281f8.html\">around 70,000<\/a>, of Coinbase\u2019s monthly transacting users, and included a range of personally identifiable information, such as contact information and Social Security numbers, account data, and masked bank account information, but not login credentials, private keys, or access to accounts and crypto wallets.<\/p>\n<p>The hackers demanded Coinbase pay a $20 million ransom to keep them from publishing the data. Coinbase <a href=\"https:\/\/www.coinbase.com\/blog\/protecting-our-customers-standing-up-to-extortionists\">refused to pay<\/a> and instead put a $20 million bounty on the hackers. Moreover, the exchange promised to reimburse customers who were tricked into sending funds to the attacker due to social engineering attacks and beef up customers\u2019 security measures.<\/p>\n<p>Working with industry partners, Coinbase tagged the attackers\u2019 addresses so the authorities can track them and work to recover assets. It also fired the insiders on the spot and referred them to US and international law enforcement for criminal prosecution.<\/p>\n<p><a href=\"https:\/\/www.wsj.com\/tech\/cybersecurity\/how-hackers-are-turning-tech-support-into-a-threat-8c0837b1\">TaskUs said it stopped taking Coinbase calls<\/a> at the Indore, India, facility and fired 226 workers. 
In its SEC filing, Coinbase gave a preliminary estimate of $180 million to $400 million for remediation and reimbursement expenses.<\/p>\n<h2 class=\"wp-block-heading\">Coinbase\u2019s widely praised incident response<\/h2>\n<p>Coinbase\u2019s transparency, firm stance against the ransom, quick remediation, and willingness to compensate its customers <a href=\"https:\/\/www.linkedin.com\/posts\/activity-7329562770100686849-exc9\/?utm_source=share&amp;utm_medium=member_desktop&amp;rcm=ACoAAAFVE0cBVZqLvnvE2NC30gcErF_SmpTHwSY\">earned wide praise<\/a> from cybersecurity professionals.<\/p>\n<p>According to Coinbase\u2019s Martin, the hackers resorted to paying help desk workers in India precisely because the company had built such a robust security program. Bribery, he says, was the last option available.<\/p>\n<p>\u201cWe spend a bunch of time and a lot of engineering resources making Coinbase as a platform a really hard place for threat actors to steal from our customers,\u201d he tells CSO.<\/p>\n<p>Martin credits his team of around 300 security pros for the successful response to an incredibly stressful situation. \u201cSecurity is a team sport,\u201d he says. \u201cThere were people throughout the organization, both before there was ever an incident and after, thinking about our architecture and segmentation and access control.\u201d<\/p>\n<h2 class=\"wp-block-heading\">\u2018We don\u2019t pay terrorists\u2019<\/h2>\n<p>Coinbase refused to pay the ransom not only on principle but also out of a belief that the attackers wouldn\u2019t have deleted the data if paid.<\/p>\n<p>\u201cIt was certainly a matter of principle that we don\u2019t pay terrorists, but look, at the end of the day, this is our customer\u2019s information,\u201d Martin says. \u201cWe have an obligation to protect it. 
So, it was also a view that there was no reason for us to believe that this threat actor group would do what they say they would do and follow through on their promise not to expose that data.\u201d<\/p>\n<p>Moreover, any payment to ransomware actors encourages them to continue with their malicious behavior, Martin adds. <a href=\"https:\/\/www.csoonline.com\/article\/3488842\/to-pay-or-not-to-pay-cisos-weigh-in-on-the-ransomware-dilemma.html\">Paying ransomware actors<\/a> \u201cis not playing the long game; that\u2019s playing the short game,\u201d Martin says. \u201cIf you pay terrorists, you\u2019re funding the next attack, whether it\u2019s on you or somebody else.\u201d<\/p>\n<p>He also concedes that sometimes paying ransoms makes sense, depending on the situation. \u201cIn the case of a ransomware incident, it may truly be a situation where you pay the ransom or the company dies,\u201d Martin says. \u201cThat\u2019s a tough place to be in.\u201d<\/p>\n<h2 class=\"wp-block-heading\">Bribes grew over time<\/h2>\n<p>One key aspect of the Coinbase breach is that the bribery was aimed at gaining account information to ransom Coinbase as a corporation, not at draining individual crypto investors\u2019 wallets. The latter is the typical goal of financially motivated hackers, who most frequently bribe telco personnel to conduct SIM swaps so they can steal funds from crypto and financial accounts.<\/p>\n<p>This wasn\u2019t the first time hackers tried to access Coinbase customers through bribes. \u201cSupport agents were using their authorized access to support Coinbase customers with their everyday needs to steal information from Coinbase about these customers, which the bad actors would then use to enhance their ability to reach out and socially engineer their victims,\u201d Martin says. \u201cThe bribes started small and became quite large over time.\u201d<\/p>\n<p>While the hackers kept up their bribery campaign, Coinbase took steps to address the problem. 
\u201cWe were updating our controls, both responding to the adversary as well as getting out ahead of them in some cases,\u201d Martin says.<\/p>\n<p>\u201cThis is a key area for us to make sure that we are doing those postmortems every single time we have an issue, taking the learnings from them, and making sure we fold them back into our security program very, very quickly. That continued up until we had a ransom demand.\u201d<\/p>\n<p>\u201cIn terms of threat actors bribing employees, that\u2019s quite common,\u201d <a href=\"https:\/\/www.silentpush.com\/team\/zach-edwards\/\">Zach Edwards<\/a>, senior threat researcher at Silent Push, tells CSO. \u201cThreat actors whose methods are aligned to the Com have for years been bribing companies, customer support staff to execute attacks. What\u2019s very interesting to see with the Coinbase breach is the new method on the enterprise side to potentially use similar bribery tactics, where we haven\u2019t seen that before.\u201d<\/p>\n<p>However, Greg Linares, principal threat intelligence analyst at Huntress, points to a <a href=\"https:\/\/www.justice.gov\/archives\/opa\/press-release\/file\/1308766\/dl?inline=\">2020 incident<\/a> when a Russian threat actor offered a Tesla employee $1 million to install ransomware on the car company\u2019s networks in Nevada in the hopes of forcing Tesla to pay millions more in ransom. 
\u201cLarge ransomware groups have the means to bribe individuals to attack internally, and insider threat is always going to be an issue working in some industries,\u201d Linares says.<\/p>\n<h2 class=\"wp-block-heading\">Train and test for bribery risks in every country<\/h2>\n<p>When it submitted its SEC filing, Coinbase said that because of its breach, it was in the process of opening a new support hub in the United States and taking other measures to harden its defenses to prevent this type of incident.<\/p>\n<p>But as the Tesla incident illustrates, workers located anywhere can be approached for bribes. \u201cIt would be a real mistake to say that it\u2019s a problem only in more unequal jurisdictions,\u201d Coinbase\u2019s Martin says. \u201cI think that limits the imagination of defenders. It can be a problem anywhere. And I think this is more a question of who you hire rather than where you hire, because we saw plenty of people in India, as an example, not engage with these third actors.\u201d<\/p>\n<p>Linares agrees, saying that threat actors are just as likely to target workers in developed nations earning middle-class salaries as they would outsourced workers in developing nations. \u201cA lot of this is funded when the IT workers at a company get paid $60,000 a year for a multi-billion-dollar company, and they are offered eight years\u2019 salary for doing an activity that takes 15 minutes, and they could get away with it. 
That\u2019s an avenue that the attackers are looking at to exploit.\u201d<\/p>\n<p>Given that corporate bribery poses substantial risks, security leaders should start training programs for personnel on how to deal with any bribe offers they receive and to engage in red-team exercises with personnel who have access to customer data.<\/p>\n<p>\u201cFolks in the airline, insurance, and to a lesser degree, retail sectors should be not only testing their customer support teams to ensure they know how to handle illicit verbal password reset attempts, but also testing teams to make sure they know how to handle potential bribery attempts,\u201d Silent Push\u2019s Edwards says.<\/p>\n<p>\u201cEveryone on targeted customer support teams should know that bribes are taken extremely seriously and there are ongoing and active efforts to ensure support teams not only reject bribery attempts but understand the importance of reporting and escalating those attempts to their managers,\u201d says Edwards.<\/p>\n<p>For Martin, the bottom line is that no matter how tight an enterprise\u2019s security is, \u201cAdversaries get to look at what you\u2019ve built and figure out how to get around it, through it, over it, under it, whatever it is they\u2019re going to do,\u201d he says. \u201cSo, there is never going to be perfect security. The famous Mike Tyson quote that I love is: \u2018Everyone has a plan, until they get punched in the face.\u2019\u201d<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>On May 11, cryptocurrency exchange giant Coinbase \u201creceived an email communication from an unknown threat actor claiming to have obtained information about certain Coinbase customer accounts, along with internal Coinbase documentation, including materials relating to customer-service and account-management systems,\u201d the company told the SEC in an 8-K filing three days later. 
The breach reveals that [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":4534,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-4533","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/4533"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=4533"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/4533\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/4534"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=4533"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=4533"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=4533"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}