Article Details

Security researcher calls BS on Coinbase breach disclosure timeline. Claims he reported the attack in January after fraudsters tried to scam him. A security researcher says Coinbase knew about a December 2024 security breach during which miscreants bribed its support staff into handing over almost 70,000 customers' details at least four months before it disclosed the data theft. The researcher, Jonathan Clark, says he knows this for a fact because he reported the attack to Coinbase on January 7 after the criminals tried to scam him. According to Clark, Coinbase's Head of Trust and Safety Brett Farmer responded to his "comprehensive security report" the same day he emailed it to the company's security@ address. In a blog about the incident, Clark says Farmer replied: "This report is super robust and gives us a lot to look into. We are investigating this scammer now." And then, he says, he never heard another word from Coinbase, despite four follow-up emails sent in January. As a refresher: In May, Coinbase disclosed the breach to the US Securities and Exchange Commission. At the time, the company said the data thieves stole 69,461 people's private and financial information, including their name, date of birth, the last four digits of their Social Security number, address, phone number, email address, driver's license number, passport number, national identity card number, transaction history, balance, transfer, and the date customers opened their accounts. Coinbase said the breach took place on December 26, 2024, but wasn't discovered until May 11. The crooks also tried extorting the company for $20 million. Clark disputes this timeline, and says he was attacked on January 7 by scammers using detailed personal data he believes was stolen from Coinbase. It started with an email that had this subject line: Order N54HJG3V: Withdrawal of 2.93 ETH initiated. A representative will be in touch shortly before we mark the payment completed A few minutes later, his phone rang and an "American-sounding" woman who claimed to be a Coinbase fraud prevention analyst told Clark that she was calling to confirm a large transfer from his account. "What happened next was chilling," Clark said in a November 16 blog. "She knew my social security number. She knew my Bitcoin balance down to the decimal point. She knew personal details that should have been impossible for a scammer to possess." Clark noted several red flags with this email and call. He asked the caller to prove she was from Coinbase, and she offered to read him his personal info - not to verify her own identity.  The email was sent through Amazon SES (Simple Email Service) - not Coinbase's mail servers - and the caller claimed she could not send Clark an email from a verified Coinbase address.  When he asked if he could call her back, she said that wouldn't work because she was "in the fraud department." So he dialed the number that she had called him from and it was a Google Voice number. Finally, the caller wanted him to move his cryptocurrency to "a cold wallet" and started walking him through the process. "This is a classic social engineering tactic - get the victim to move funds to an address controlled by the attacker," Clark wrote. After the call, when he logged into his Coinbase account, it didn't have any new login attempts or notifications about the fake transfer. Clark says he emailed all of this, plus additional details, to the Coinbase security team on January 7, received the response from Farmer promising a probe, and then … nothing. He claims he followed up on January 13, 17, 22, and 29 and did not receive any responses. Then in May, Coinbase disclosed the intrusions. "For four months, I had concrete evidence that attackers possessed detailed Coinbase customer data," Clark wrote. "For four months, I repeatedly asked Coinbase to explain how this was possible. And for four months, my questions went unanswered." "Coinbase never replied to a single follow-up email after Brett Farmer's initial response," he continued. "Despite his promise that they were 'investigating this scammer,' the most important question - how the attacker obtained my private account data - was met with complete silence." The Register's inquiry to Coinbase was met with a similar silence, but we will update this story should that change.