Private Data of Coinbase Customers Leaked
KYC has its price. Criminals bribed support staff at the US exchange Coinbase to acquire private customer data. Coinbase downplays the incident, claiming less than one percent of customers were affected. But the damage is enormous.
Good marketing often, unfortunately, means elegantly selling an event as the exact opposite of what actually happened. In this spirit, the large US exchange Coinbase headlines "We Protect Our Customers—and Stand Up to Extortionists"—even though the reality was rather the opposite.
Like all crypto companies, Coinbase is compelled to extract ever-increasing amounts of private data and documents from its customers. Regulation requires this in order to prevent money laundering, which certainly has its reasons—but it also comes at a cost. This cost has now become evident at Coinbase, and the exchange has promptly passed it on to its customers.
To sufficiently verify customers, Coinbase uses ID service providers to handle these processes, for example by identifying customers through video sessions. Anyone who has an account at a crypto exchange—or even just a reasonably recent SIM card—is likely familiar with this procedure. Typically, you video chat with someone who knows your language well, without knowing where this person actually lives.
In the case of Coinbase, criminals have now contacted support staff "abroad." The employees were bribed to copy data stored in the customer support system. This affected less than one percent of Coinbase's customers—which, given that the exchange likely serves over 100 million users, is not a small number.
The criminals then contacted the customers, posed as Coinbase support, and attempted to coax them into handing over the private keys to their cryptocurrencies. You probably recognize such emails. Afterwards, they contacted Coinbase and demanded $20 million to destroy the data. "We said no," Coinbase now boasts, effectively leaving its customers in the lurch to save an amount the exchange earned on an average day last year.
The result is that the criminals now possess private data on “less than one percent”—in other words, up to a million—customers: names, addresses, phone numbers, emails, last digits of the social security number, pictures of IDs, driver’s licenses, proof of residence, as well as information about account balances and transactions. It’s easy to imagine how serious the security risks are for affected customers.
Coinbase is responding by compensating customers who fell for scammers impersonating Coinbase, imposing heightened measures on affected accounts with large withdrawals—the exchange is apparently aware of the physical risks to its customers—and beefing up its security measures. Additionally, Coinbase is offering a $20 million bounty for information that leads to the arrest of the perpetrators.
One can only conclude that identity verification procedures from the pre-digital era are on the verge of leading to disaster. There are already modern alternatives to replace such procedures, such as a tokenized ID that can be "passported," so only one service provider needs to collect the data while users can log in to many exchanges with it. A similar approach is OmniPersona from ecrop for the German crypto security token, even though the implementation remains somewhat clunky.
Together with the increasingly frequent kidnappings and attacks on cryptocurrency owners, this incident should finally lead to a rethink about how to minimize the necessary damage to privacy that is, unfortunately, demanded in the fight against money laundering.