Coinbase fended off a blackmail attempt from a malicious actor who threatened to expose customer records if the exchange didn’t pay a $450,000 ransom.
The blackmailer claimed to have access to 306 million decrypted customer records. Upon investigation and communication with the blackmailer, Coinbase’s security team determined that there had been no security breach or theft of customer records.
Coinbase officially claims to have 108 million verified users in more than 100 countries. It averaged 8.8 million monthly active users in 2021.
Coinbase normally collaborates with law enforcement when it comes to illegal activity. However, it did not elaborate on whether it would pursue the law enforcement route in this case.
“This is an absolutely baseless extortion attempt. The individual is falsifying information to come across as legitimate and they’re just trying to extort money out of companies. I’m sure we’re not the first company on their list or the only scam they have running,” Coinbase Chief Information Security Officer Jeff Lunglhofer told Coindesk.
Coinbase did take the opportunity to highlight its bug bounty program, which offers rewards for pinning down potential security holes. It offers rewards ranging from $200 to $50,000 for finding potential issues with its system. It recently added categories like Fraud Loss, Staking Loss, MNPI exposure (also known as “unfair market advantages”), and third-party provider issues.
In the November 30 blog post about its bug bounty program, Coinbase cited a recent case in which Uber’s former chief security officer, Joe Sullivan, was convicted of charges related to the covering up of a $100,000 ransom payment in a similar extortion scheme.
Coinbase cited the extortion attempt as the wrong way to report a bug and receive a bounty. The malicious actor failed to validate the claim and threatened to exploit the alleged bug. The blackmailer also threatened to contact major news sites like Vice and CBS about the allegedly exposed customer records.
Lunglhofer especially cited the need to avoid attempts at extortion when making a bug report, calling it criminal.
“A bug bounty submission can never contain threats or any attempts at extortion. We are always open to paying bounties for legitimate findings,” says Lunglhofer. “Ransom demands are an entirely different matter.”
It’s not like Coinbase would refuse to pay out a properly reported bounty. In the ten years of its bug bounty program, it paid $400,000 in bounties and resolved 600 reported bugs. The largest one went to a researcher who found a vulnerability in its trading interface and received $250,000 in February 2022.