Coinbase Foils Extortion Attempt

Mars1 November 30, 2022

Coinbase fended off a blackmail attempt from a malicious actor who threatened to expose customer records if the exchange didn’t pay a $450,000 ransom.

The blackmailer claimed to have access to 306 million decrypted customer records. Upon investigation and communication with the blackmailer, Coinbase’s security team determined that there had been no security breach or theft of customer records.

Coinbase officially claims to have 108 million verified users in more than 100 countries. It averaged 8.8 million monthly active users in 2021.

Coinbase normally collaborates with law enforcement when it comes to illegal activity. However, it did not elaborate on whether it would pursue the law enforcement route in this case.

“This is an absolutely baseless extortion attempt. The individual is falsifying information to come across as legitimate and they’re just trying to extort money out of companies. I’m sure we’re not the first company on their list or the only scam they have running,” Coinbase Chief Information Security Officer Jeff Lunglhofer told Coindesk.

Coinbase did take the opportunity to highlight its bug bounty program, which offers rewards for pinning down potential security holes. It offers rewards ranging from $200 to $50,000 for finding potential issues with its system. It recently added categories like Fraud Loss, Staking Loss, MNPI exposure (also known as “unfair market advantages”), and third-party provider issues.

In the November 30 blog post about its bug bounty program, Coinbase cited a recent case in which Uber’s former chief security officer, Joe Sullivan, was convicted of charges related to the covering up of a $100,000 ransom payment in a similar extortion scheme.

Coinbase cited the extortion attempt as the wrong way to report a bug and receive a bounty. The malicious actor failed to validate the claim and threatened to exploit the alleged bug. The blackmailer also threatened to contact major news sites like Vice and CBS about the allegedly exposed customer records.

Lunglhofer especially cited the need to avoid attempts at extortion when making a bug report, calling it criminal.

“A bug bounty submission can never contain threats or any attempts at extortion. We are always open to paying bounties for legitimate findings,” says Lunglhofer. “Ransom demands are an entirely different matter.”

It’s not like Coinbase would refuse to pay out a properly reported bounty. In the ten years of its bug bounty program, it paid $400,000 in bounties and resolved 600 reported bugs. The largest one went to a researcher who found a vulnerability in its trading interface and received $250,000 in February 2022.

Tags: ,

More Stories

Lawsuits Pile Up at End of Digital Asset Markets’ Rough 2022

Mars1 December 29, 2022

U.S. Judge Recuses Herself From Sam Bankman-Fried Fraud Case

Mars1 December 28, 2022

Visa Promotes Idea of Recurring Payments for Ethereum

Mars1 December 21, 2022

You may have missed

NASA Calls for Applicants for Two Mars Simulation Missions

Mars1 February 22, 2024

AX-3 Returns to Earth After Successful Mission

Mars1 February 10, 2024

ULA, NASA Nearly Ready to Launch Astrobotics’ Lunar Lander

Mars1 January 4, 2024

NASA Continues Work on Advanced Air Mobility Systems With Aircraft Noise Study

Mars1 December 8, 2023

NASA Observes 25th Anniversary of International Space Station

Mars1 December 8, 2023