> Cryptocurrency exchange Coinbase knew as far back as January about a customer data leak at an outsourcing company connected to a larger breach estimated to cost up to $400 million, six people familiar with the matter told Reuters.
https://www.reuters.com/sustainability/boards-policy-regulat...
> On May 11, 2025, Coinbase, Inc., a subsidiary of Coinbase Global, Inc. (“Coinbase” or the “Company”), received an email communication from an unknown threat actor claiming to have obtained information about certain Coinbase customer accounts, as well as internal Coinbase documentation, including materials relating to customer-service and account-management systems.
https://www.sec.gov/Archives/edgar/data/1679788/000167978825...
From what I've seen, this is going to be a common subheading to a lot of these stories.
They also asked if I had cold storage. I told them I had a fridge (also true).
The author got a phishing call and reported it. Coinbase likely has a deluge of phishing complaints, as criminals know their customers are vulnerable and target their customers regularly. The caller knowing account details is likely not unique in those complaints; customers accidentally leak those all the time. Some of the details the attacker knew could have been sourced from other data breaches. At the time of complaint, the company probably interpreted the report as yet another customer handling their own data poorly.
Phishing is so pervasive that I wouldn't be surprised if the author was hit by a different attack.
There are tons of options. Malware, evil maid, shoulder surfing, email compromise, improper disposal of printouts, prior phishing attack, accidental disclosure.
Their fix was to put a piece of paper over the passwords.
What a time.
Bitcoin, and really fintech as a whole, are beyond reckless.
With Bitcoin you do not get government bailouts like what happened with the beyond reckless banks in 2008.
Even leaving your laptop unlocked for seconds in the office would have someone /pwn it in slack and get flagged by security.
If there’s one thing they took extremely seriously it was data security.
Not saying it is untrue, but it is definitely true that Coinbase has never lost customer funds while operating in an environment with 0 safety nets and being one of the most lucrative targets.
This leak over customer data suggests that they should treat that with as much obsession as they do with their private keys.
[1] https://www.kalzumeus.com/2019/10/28/tether-and-bitfinex
Sending unsolicited bills for unrequested services is a great way to make sure nobody takes your email seriously
The "recordings" are of a phisher attempting to get information from the author. It proves nothing about what Coinbase knew.
The author turned the information over to Coinbase, but that doesn't prove Coinbase knew about their breach. The customer could have leaked their account details in some other way.
I stand by my statement that the title is clickbait, as it's misleading on two fronts:
- It's the email, not the call recording, that proves what Coinbase knew, but "recordings prove" sounds more sensational
- The email proves that Coinbase was aware of a sophisticated attack against a single user. You didn't have enough information to prove that there was a large scale leak of Coinbase customer data. There are sophisticated attacks against individual Coinbase users all the time due to the value of the accounts there.
Edit: Nevermind; I see you addressed that here:
I'm not trying to be recalcitrant, rather I am genuinely curious. The reason I ask is that no one talks like an LLM, but LLMs do talk like someone. LLMs learned to mimic human speech patterns, and some unlucky soul(s) out there have had their voice stolen. Earlier versions of LLMs that more closely followed the pattern and structure of a Wikipedia entry were mimicking a style that was based off someone else's style, and given some wiki users had prolific levels of contributions, much of their naturally generated text would register as highly likely to be "AI" via those bullshit AI detector tools.
So, given what we know of LLMs (transformers at least) at this stage, it seems more likely to me that current speech patterns again are mimicry of someone's style rather than an organically grown/developed thing that is personal to the LLM.
Not saying the article is bad, it seems pretty good. Just that there are indications
Way too verbose to get the point across, excessive usage of un/ordered bullets, em dashes, "what i reported / what coinbase got wrong", it all reeks of slop.
Once you notice these micro-patterns, you can't unsee them.
Would you like me to create a cheat sheet for you with these telltale signs so you have it for future reference?
And so at this point the excessive bullet points and similar filler trash is also just an expression of whatever stupid people think they prefer.
Maybe I'm being too harsh and it's not that the raters are stupid in this constellation, rather it's the ones thinking you could improve the LLM by asking them to make a few very thin judgements.
EDIT: having said that, many of the other articles on the blog do look like what would come from AI assistance. Stuff like pervasive emojis, overuse of bulleted lists, excessive use of very small sections with headers, art that certainly appears similar in style to AI generated assets that I've seen, etc. If anything, if AI was used in this article, it's way less intrusive than in the other articles on the blog.
The sentence-level stuff was somewhat improved compared to whatever “jaunty Linked-In Voice” prompt people have been using. You know, the one that calls for clipped repetitive phrases, needless rhetorical questions, dimestore mystery framing, faux-casual tone, and some out-of-proportion “moral of the story.” All of that’s better here.
But there’s a good ways left to go still. The endless bullet lists, the “red flags,” the weirdly toothless faux drama (“The Call That Changed Everything”, “Data Catastrophe: The 2025 Cyber Fallout”), and the Frankensteined purposes (“You can still protect yourself from falling victim to the scams that follow,” “The Timeline That Doesn't Make Sense,” etc.)…
The biggest thing that stands out to me here (besides the essay being five different-but-duplicative prompt/response sessions bolted together) are the assertions/conclusions that would mean something if real people drew them, but that don’t follow from the specifics. Consider:
“The Timeline That Doesn't Make Sense
Here's where the story gets interesting—and troubling:
[they made a report, heard back that it was being investigated, didn’t get individual responses to their follow-ups in the immediate days after, the result of the larger investigation was announced 4 months later]”
Disappointing, sure. And definitely frustrating. But like… “doesn’t make sense?” How not so? Is it really surprising or unreasonable that it takes a large organization time, for a major investigation into a foreign contractor, with law enforcement and regulatory implications, as well as 9-figure customer-facing damages? Doesn’t it make sense (even if it’s disappointing), when stuff that serious and complex happens, that they wait until they’re sure before they say something to an individual customer?
I’m not saying it’s good customer service (they could at least drop a reply with “the investigation is ongoing and we can’t comment 'til it’s done”). There are lots of words we could use to capture the suckage besides “doesn’t make sense.” My issue is more that the AI presents it as “interesting—and troubling; doesn’t make sense” when those things don’t really follow directly from the bullet list of facts afterward.
Each big categorical that the AI introduced this way just… doesn’t quite match what it purports to describe. I’m not sure exactly how to pin it down, but it’s as if it’s making its judgments entirely without considering the broader context… which I guess is exactly what it’s doing.
Screenscraping malware is fairly common, and it’s not unreasonable for an analyst to look at a report like this and assume that the customer got popped instead of them.
Customers get popped all the time, and have a tendency to blame the proximate corporation…
I don't know why you think acknowledgement of your report is concrete evidence that coinbase knew about their breach months before it was disclosed.
They paid a pittance and permanently buried the report even though its release wouldn't have posed a risk anymore.
Did the support agents have the ability to send arbitrary emails from commerce@coinbase.com? If not, how did the scammers send a properly signed email?
What does this mean?
> While both amazonses.com and coinbase.com DKIM checks passed, this is exactly how phishing works—attackers can configure Amazon SES to send "from" coinbase.com
How does Amazon SES let you sign an email from a domain you don't control? Unless this means that somehow the scammer had access to DNS records for coinbase.com which indicates some really crazy compromise somewhere either of Coinbase or the DNS chain.
I'm very confused.
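The confusion in the comment above comes down to which domain a passing DKIM signature actually vouches for. The added example below (not from the thread, constructed for illustration) parses an Authentication-Results header and applies DMARC-style relaxed alignment: a pass signed with d=amazonses.com says nothing about coinbase.com, while a pass signed with d=coinbase.com means a key published under coinbase.com's DNS verified the message. With provider-hosted DKIM such as SES Easy DKIM, that key is used by whatever sending identity was verified for the domain, so an aligned pass shows the mail went through an authorized sending path, not that the DNS zone itself was tampered with. Domain names, selectors and signature values in the sample are constructed.

```python
import re
from email import message_from_string

# Constructed sample message (not from the thread), modelled on what the
# comment describes: DKIM passes for both amazonses.com and coinbase.com.
SAMPLE_MESSAGE = """\
Authentication-Results: mx.example.net;
 dkim=pass header.i=@coinbase.com header.s=sel1 header.b=abc123;
 dkim=pass header.i=@amazonses.com header.s=sel2 header.b=def456;
 spf=pass smtp.mailfrom=bounces.amazonses.com
From: Coinbase <commerce@coinbase.com>
Subject: constructed test message

body
"""

def org_domain(domain: str) -> str:
    """Crude organizational domain (last two labels); a real check would use the public-suffix list."""
    return ".".join(domain.lower().strip(".").split(".")[-2:])

def parse_dkim_results(auth_results: str) -> list:
    """Extract (result, signing domain) pairs from an Authentication-Results value."""
    found = []
    for clause in auth_results.split(";")[1:]:  # first element is the authserv-id
        m = re.search(r"dkim=(\w+).*?header\.(?:i=@|d=)([\w.-]+)", clause, re.S)
        if m:
            found.append({"result": m.group(1).lower(), "domain": m.group(2).lower()})
    return found

def dkim_alignment(raw_message: str) -> dict:
    """Classify each passing DKIM signature as aligned or not with the From: domain (DMARC relaxed mode)."""
    msg = message_from_string(raw_message)
    from_domain = re.search(r"@([\w.-]+)", msg["From"]).group(1).lower()
    aligned, unaligned = [], []
    for r in parse_dkim_results(msg.get("Authentication-Results", "")):
        if r["result"] != "pass":
            continue  # only passing signatures count toward alignment
        target = aligned if org_domain(r["domain"]) == org_domain(from_domain) else unaligned
        target.append(r["domain"])
    return {"from_domain": from_domain, "aligned_pass": aligned,
            "unaligned_pass": unaligned, "dmarc_dkim_aligned": bool(aligned)}

if __name__ == "__main__":
    print(dkim_alignment(SAMPLE_MESSAGE))
```

When triaging a suspected phish, the aligned list is what matters: only a signature whose d= domain aligns with the visible From: domain tells you the From: domain's own key signed the message.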
Coinbase is good for on-ramping, bad for storage. You know, the entire point of cryptocurrency.
Even if they find the inside individuals, how could anyone ever present a legal case?
They send a GitHub repo and as soon as you run it they send a rejection after stealing tokens and installing a keylogger. Pretty sophisticated, and the frontend of the codebase looked polished as well.
The whole industry (except deribit) is a shit show of barely working apis that aren’t reliable or accurate in any way. It’s completely routine to not be able to get an order status for minutes at a time. Or to get fills after an order has been rejected. Or a week after a cancel confirmation message.
Coinbase is actually one of the worst offenders for this. Coinbase Prime, their supposed institutional grade offering especially so.
So it doesn’t surprise me at all that the same issues are happening more widely.
To be clear: Deribit have always been efficient, accurate, reliable and generally excellent. If you must trade crypto, do it there so your Ops and Support people don’t have to suffer.
- excessive em-dashes
- useless words, verbosity
Then I reached out to customer service several times - no answer. Then I contacted the dedicated channel for privacy-related questions with all proofs of mishandling - radio silence.
It’s sad to see these companies mishandle our very personal data and get away with this.
If so, and if the US had a sane administration, maybe this would be acted upon, but these days anything goes as long as you 'donate' to the ballroom.
Looking into this more now, I see the SEC rule requiring disclosure within 4 business days of determining a cybersecurity incident is "material".
There is a big list of SEC violations as a result:
1. Late Disclosure (Item 1.05): if materiality was determinable in January, the 4-day rule was violated. Penalty: fines, enforcement actions.
2. Misleading Statements/Omissions (Rule 10b-5): any public statements about security between Jan and May could be problematic. Omitting known material risks = securities fraud.
3. Inadequate Internal Controls (SOX): failure to properly investigate and escalate user reports; inadequate breach detection systems.
4. Failure to Maintain Adequate Disclosure Controls: my report should have triggered disclosure review; going silent suggests a broken escalation process.
Maybe I am in the minority here, but I just wanted to provide this feedback: the background animation of the blog page is really distracting and makes it difficult to focus on the actual content.