Coinbase information leakage may cause US$400 million in losses, and KYC becomes a hacker gold mine?

Author: Fairy, ChainCatcher

Edited by: TB, ChainCatcher

“The loss from this incident is expected to be approximately $180 million to $400 million.”

After all, a political review cannot stop the attacks of social workers...

In early April, we reported that Coinbase users were frequently defrauded of precision, with annual losses of up to $300 million. Now, the truth is gradually emerging.

Yesterday, Coinbase disclosed core details that hackers stole less than 1% of active users by bribing overseas customer service personnel. The internal security risks that have been hidden for a long time are finally exposed to the sun.

Glory has not dispersed, but crisis has come

Less than a week after the positive news of the S&P 500, Coinbase safety scandals followed, and the stock price immediately fell, falling 7.2% intraday.

In early April, The Block co-founder Mike Dudas received a notice from Coinbase that his account was accessed by employees in violation of regulations, and internal data permission management had caused concerns at that time. (Related reading: Loss of 300 million US dollars in a year, Coinbase users are frequently deceived, and there is a "insider" leaking information behind it? )

Coinbase's announcement yesterday disclosed the full picture of the incident for the first time: overseas customer service personnel were bribed by criminals, copied the data of less than 1% of monthly active users, and tried to impersonate the official to commit fraud. The hacker tried to blackmail Coinbase and demanded $20 million in hush fees. Coinbase refused to pay and offered a reverse reward of the same bonus, and pursued and convicted the envoy behind the scenes.

At the same time, the question of whether Coinbase falsely reports the number of users has also been pushed to the table. The SEC is investigating the key data of "100 million verified users" it disclosed in its registration documents, and the metric was quietly discontinued two years later. Although its chief legal officer Paul Grewal responded that this is a legacy investigation by the previous government and the relevant information has been fully disclosed, however, amid internal and external troubles, Coinbase has once again become the focus of public opinion.

Can Coinbase still be trusted?

Coinbase’s credibility is being tested unprecedentedly. For a listed crypto exchange with "safety and compliance" as its core selling point, sensitive data leakage, surge in social work fraud risks and potential regulatory penalties are undoubtedly a multi-line "slap in the face".

Judging from the content disclosed in the Coinbase announcement, the information stolen by the hackers almost covers the user's complete KYC file: including name, address, phone number, email, ID card image, and even some bank account information. This type of information fell into the hands of criminals, and in addition to providing "precision ammunition" for subsequent social worker attacks, phishing emails and fund theft, it may also be resold on the dark web, posing a long-term hidden danger.

Let’s look at Coinbase’s response measures. Coinbase promises to fully compensate users who transferred money to attackers due to this incident and launch a systematic fix for security vulnerabilities. Strengthen customer service authority management and add new customer service centers in the United States to improve supervision capabilities. At the same time, Coinbase will also increase its internal investment in potential threat detection, automatic response and attack simulation testing.

Although these measures are a way to make up for the failure, they also release Coinbase's attitude of "front-on-front" one. Whether this series of remedial measures can truly curb risks and win the trust of investors and users again depends on time and actual results.

KYC dispute rekindled

KYC's original intention is anti-money laundering and anti-terrorism financing, but in real operations, it has also become the most concentrated information database for user privacy. Coinbase This data breach has once again pushed the controversy over the KYC system to the forefront.

During this storm, the founders and CEOs of many projects spoke out and reflected on three issues:

1. Is "Privacy Exchange Security" worth it?

Nansen CEO Alex Svanevik bluntly stated that the KYC system requires users to submit a large amount of sensitive information, such as ID documents, passports, water and electricity bills, but in reality, "almost no real criminals are caught."

"That's why we don't collect KYC," said Nick Neuman, CEO of Casa Wallet. In his opinion, KYC will only provide hackers with more attacks.

2. Institutional loopholes aggravate user risks

The platform collects sensitive information of users. If it lacks the corresponding protection capabilities, it will put users at greater risk. Wintermute CEO Evgeny Gaevoy stressed that Coinbase did not disclose information leakage in a timely manner, which is "the dark side of the stupid and absurd KYC/AML system we are in." He believes that the system “provides geopolitics and law enforcement, but sacrifices citizens’ privacy and puts heavy burdens on businesses, making it easier for criminals to commit blackmail, kidnapping and fraud.

3. Information honeypot, should we continue to increase our investment?

Arthur, founder of DeFiance Capital, posted on the X platform that Coinbase really needs to solve their problems. If the Coinbase platform eventually becomes a honeypot for users' important information, there is no reason to ask for continuous KYC.

For the crypto industry, when “compliance” becomes a reason to force users to collect sensitive information, is the platform ready to assume the ensuing data security responsibility? This discussion around KYC is not the first time, but this real case makes the controversy seem even more acute: the tension between regulatory compliance and user privacy is becoming a difficult problem that the crypto industry cannot avoid.

Compliance is the ticket to the mainstream, but it is also an alchemy stone for data security. It not only tests technical strength, but also queries the platform's sense of responsibility and governance level.

This is a road without looking back, and it is also a long and difficult practice.

The road ahead is long, and the road is long.