Coinbase warns of up to $400 million hit from cyberattack, Internet blames KYC for it
The hack involved the payment of multiple contractors and employees working in support roles outside the U.S. to gather information
Coinbase has predicted a financial impact of between $180 million and $400 million due to a cyberattack that compromised the account data of a “small subset” of its customers, according to a regulatory filing made Thursday, reports Reuters.
The company revealed that on May 11 it received an email from an unknown threat actor who claimed to possess sensitive data regarding certain user accounts and internal documents. While some personal information, such as names, addresses, and email addresses, was stolen, the hackers did not gain access to users’ login credentials or passwords.
Coinbase also stated it would reimburse customers who were tricked into sending funds to the attackers.
The attackers paid multiple contractors and employees working in support roles outside the U.S. to gather information. Coinbase confirmed that it has fired those involved.
In a separate issue, the U.S. Securities and Exchange Commission (SEC) is reportedly investigating whether Coinbase misrepresented its user numbers.
Sources familiar with the matter told Reuters that the SEC is also scrutinizing whether the potential inaccuracy in user data suggests the company may have failed to comply with know-your-customer (KYC) regulations, a key requirement for firms registered with the SEC. However, a Coinbase spokesperson denied any probe into the company’s compliance with KYC or Bank Secrecy Act rules.
Despite its growth, the crypto sector continues to grapple with security challenges, underscored by recent high-profile hacks like the USD 1.5 billion breach at Bybit earlier this year. Industry experts warn the attack may lead to tighter employee vetting and increased reputational risks for crypto firms.
Complicating matters, the US Securities and Exchange Commission (SEC) has been investigating Coinbase over allegations that it misstated user figures in the past.
While the agency dropped a separate lawsuit accusing Coinbase of failing to register with the SEC, sources told Reuters that the inquiry into Coinbase’s “verified user” metric persists, even though the company stopped reporting that figure more than two years ago.
Coinbase denied any SEC probe related to its compliance with know-your-customer (KYC) or Bank Secrecy Act regulations, with the company’s chief legal officer describing the investigation as a legacy issue from a prior administration.
In response to the cyberattack, Coinbase refused a USD 20 million ransom demand and is cooperating with law enforcement while offering a USD 20 million reward for information leading to the hackers.
The exchange is also launching a new US support hub and implementing enhanced security measures to prevent future incidents.
Meanwhile, Coinbase faces a class-action lawsuit filed in New York, accusing the company of failing to safeguard personally identifiable information of millions of its current and former users.