I have been receiving regular spear phishing calls from these guys, or someone who bought the leaked data, with classic tactics like claiming that I need to confirm a potentially fraudulent transaction. They speak perfect English with an American accent, sound very friendly, and have knowledge of your account balance. Thankfully on the first call I realized it was a scam right away, and Google's call screening feature takes good care of the rest. Wish I could forward them to Kitboga[1].
I guess they didn't have as much luck as they wanted scamming Coinbase's customers, and once they had their fun they decided to try extorting Coinbase themselves.
If you had any significant assets on Coinbase at any time prior to this breach, spear phishing is the least of your worries.
Coinbase not only leaked your full name and address, they also gave up your balances, your transaction history, and images of your government identification.
People with "significant" crypto balances are being assaulted on the street and in their own homes, and family members are being kidnapped for ransom.
"Significant" in this case can be $10k or less.
Until now, your best defense was secrecy. Never talk about crypto in public in any way that could be traced to your real-world identity.
Thanks to Coinbase that defense is now gone.
The bad guys can see who has ever had a significant balance on Coinbase (even if they don't right now), whether that balance was sold for cash and how much, or if you've ever transferred tokens off the exchange to a self-custody wallet.
Now the bad guys know who's worth kidnapping for ransom and where you live. For most people, a Google search of your name and home address turns up the names of family members who would also be lucrative targets for kidnapping and threats of violence.
Coinbase will never be forced to reimburse all the damage they've done because the true cost would bankrupt the company.
Florida teens kidnap Las Vegas man, drive him to Arizona desert, steal $4M in cryptocurrency
https://www.yahoo.com/news/florida-teens-kidnap-las-vegas-20...
"They Stole a Quarter-Billion in Crypto and Got Caught Within a Month. How luxury cars, $500,000 bar tabs and a mysterious kidnapping attempt helped investigators unravel the heist of a lifetime." https://www.nytimes.com/2025/04/24/magazine/crybercrime-cryp... (gift article)
And this crypto CEO in Toronto was kidnapped for a $1M ransom: https://www.cbc.ca/news/canada/toronto/kidnapping-toronto-bu...
The parent post was someone literally hosting a crypto conference, and this one was someone who runs a crypto company. A sibling story describes the father of a 'cryptocurrency influencer.' Is there any evidence of real crime happening which was targeted at Coinbase leak data, or is this just vibes?
Well you start with the low-hanging fruit. Also I imagine these things take a while to plan.
The point is, it didn't need a coinbase data breach to identify these victims - they're high profile, public users of crypto.
Seems to be a whole thing in France too: https://www.theguardian.com/world/2025/may/04/french-police-....
Why is this such an issue with crypto?
Wealth status is often very well known for public figures and entrepreneurs. People are driving around in $200k cars.
Is it due to the liquidity of cryptocurrencies that $5 wrench attacks work better?
If you're kidnapping a generic very rich person, how are you expecting them to pay the ransom, a big burlap sack of cash? There's a lot that can go wrong there. A bank transfer or other conventional financial instrument? Few criminals would be comfortable with that approach. (John Grisham novels, and Archer's beloved bearer bonds, aside, it's virtually impossible to make this untraceable). Magic internet money is presumably far less messy.
Also, a decent proportion of crypto-millionaires came by their riches in... not entirely above-board ways (in particular, securities fraud; all those pump and dump scamcoins are paying off for _someone_), and may be reluctant to involve the authorities. And the crypto industry as a whole is unusually comfortable with extortion; hacked crypto companies paying a kind of bounty to hackers to get the rest of the funds back is a common thing.
They can use their bank account to buy crypto and then pay the ransom. Kidnapping was a thing in Latin America before crypto became cool.
> They can use their bank account to buy crypto and then pay the ransom.
This is actually more difficult than it sounds. Most banks and crypto exchanges won't allow a person to make meaningfully large crypto transactions without some account history.
“Hey, cryptocurrency exchange, I, a random rich person, would like to, having never interacted with you before, buy a million dollars of bitcoin and transfer it out. Today, please.”
That is simply not going to happen.
Eh, million dollars would not raise a single eyebrow from an exchange side. Your bank, maybe, will have some questions about the transaction, but the things they can do to prevent you spending your money are thankfully fairly limited.
How long do you think it takes to create an account, get your KYC documents verified, get your trading and withdrawal limits raised to a million or more, transfer funds from your brokerage account, buy tokens and then re-verify when you try to transfer the tokens out of the exchange?
You'd be lucky to complete this in less than a week.
My experience with banks in UK / EU is that they will bother you for much smaller amounts than 1M. I had banks bother me for 10k transfers and other banks completely ignore me for 100k transfers.
Companies do exactly this frequently to get their hacked servers and data decrypted.
It happens with cash sometimes but people are limited to the amount they can get out of an ATM where with crypto you can force someone to hand over all their wealth with a few keystrokes.
> will never be forced to reimburse all the damage they've done because the true cost would bankrupt the company
This story keeps repeating. Maybe we should try it and see if it works as a deterrent.
It's worked before; Arthur Andersen ceased to exist after the Enron accounting scandal.
So you're saying that one year of complimentary credit monitoring by Experian isn't enough??? /s
But hey, at least by being forced to give crypto exchanges all our personal details we're all super protected from the four horsemen: money laundering, drugs, terrorism and pornography.
I think that the right lesson to learn here is not "I should store my money with a company I can't trust not to advertise where I live, but without telling them where I live".
No one is forced to use a "crypto exchange" in the first place.
How can I check if I am affected by this?
If you were affected, you should have gotten an email yesterday.
I checked my email to see if I received anything and, interestingly, I received an email from Coinbase on April 14 that they're updating the User Agreement. The new terms only apply to disputes initiated by me or Coinbase after May 15, 2025. Timing seems suspect.
Companies should seriously consider implementing GDPR even in the US, it certainly made taking data dumps of customer data a lot harder and certainly private images like Government IDs were encrypted on disk. I’m surprised at the lack of security if I’m honest, at Yahoo! almost nobody had access to prod user data.
Essentially you cannot trust Coinbase IMO, might move the few hundred dollars of BTC out of there :-)
> I'm surprised at the lack of security if I’m honest
This is the crypto industry, who make the discrepancy between Theranos' claims and practice look conservative.
> How does Coinbase protect data in transit and data at rest?
> Coinbase employs a range of technical and organizational measures to defeat efforts to intercept, surveil, or otherwise access without authorization data in transit. For instance, Coinbase encrypts all confidential data transfers to prevent interception or tampering of that data by unauthorized third parties.
Coinbase does business in the EU and thus, already has to comply with the GDPR. Moreover, the US also requires safeguards for sensitive customer information by financial services companies.
> Companies should seriously consider implementing GDPR even in the US
... and save the data in US cloud where everybody can access it.
It is really funny how FAANG can get away with data collection in spite of GDPR.
Yeah this is really frustrating, especially the way the EU Commission keeps coming up with workarounds that the court will almost certainly strike down.
And yet, Coinbase goes scot-free
Someone, someone at that company should be going to prison for negligence
Can you point to a specific law that was broken where prosecutors have a chance at jail time, or is this a fantasy of yours?
The comment said "should be" which you glibly interpret as "should be going to jail based on the law" but could very easily be "the law should be such that this kind of negligence results in jail time".
I assume they mean that someone from the company going to prison for this would be a just outcome, not that a path to such an outcome exists today (it likely does not).
> Someone, someone at that company should be going to prison for negligence
That's not how capitalism works. /s
"decentralized currency"
Bitcoin is plenty decentralized. Coinbase deals with dollars, that's the non-decentralized part.
so, the part that makes bitcoin useful to 99% of the people is the non-decentralized part.
Sounds like an appendix.
Only because of US law. It didn't have to be this way; the US wanted to destroy Bitcoin as a currency because it threatened their surveillance state, and they effectively have.
No entity is obligated to enforce contracts in BTC. That's the real reason; it's what makes a currency valuable.
Btc whales want to destroy the dollar because it benefits them.
Neither the dollar nor crypto is anything but a social illusion; neither has an inherent right to exist.
It’s just people manipulating people. Such an intellectually dishonest forum to sit here and discuss meaningless layers of obfuscation.
The most important thing to any individual is enough other humans around that their own life isn't so hard. Specific humans, like those on this forum, are not essential.
You all can bleat on as hard as you want about the existence of crypto but it’s not an evenly distributed belief. And your individual value is non existent to the majority on the planet. No reason to prop up your hallucinations
Why do you see this as the fault of Coinbase? Do other companies somehow have employees that are immune to bribes and blackmail?
This is due to US Government KYC laws that forced Coinbase to associate government identification with all accounts. No crypto company required ID until they were forced to.
The US Government didn't provide high-volume, bulk access to this extremely sensitive information to contractors in foreign countries with no controls over their ability to mass-exfiltrate the data.
Coinbase is the entity that set up this dangerous system.
Coinbase did it because it was cheap for them, not because they were being trustworthy custodians of information that put their customers at risk.
Sure, yes, obviously every company's employees and contractors are vulnerable to bribes and blackmail. That's why a trustworthy, competent custodian would establish systems and controls to prevent bribed and blackmailed insiders from mass-exfiltrating information that could get their customers killed.
The fact that other companies manage to be trustworthy, competent custodians while Coinbase doesn't is not the fault of KYC.
Fair enough, and it does sound like they had limits given that not all customer data was exfiltrated but those limits were probably far too high at tens of thousands affected.
Generally, staff do not have unfettered access to all customer data in most financial companies.
You don't think Coinbase is responsible for restricting access to member data for support agents?
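The "systems and controls" argued for above are concrete things: per-agent rate limits on customer record reads, a ticket requirement for pulling sensitive fields, and alerting when either is breached. The following is an added example written for this thread, not code from Coinbase or from any commenter, showing the detection side over a constructed access-audit log. The log format (timestamp, agent, customer, fields read, ticket id), the field names, the 40-customers-per-hour threshold and the agent and customer ids are all assumptions made for the example.

```python
"""Flag support agents whose customer-record reads look like bulk exfiltration.

Two signals from a constructed access-audit log:
  1. distinct customers read by one agent inside any rolling one-hour window
  2. reads of sensitive fields (e.g. id_image) with no support ticket attached
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Assumed policy values (not Coinbase's real limits).
SENSITIVE_FIELDS = {"id_image", "ssn", "address"}
MAX_DISTINCT_CUSTOMERS_PER_HOUR = 40
WINDOW = timedelta(hours=1)

# Assumed log line layout: "<ISO-8601 UTC> <agent> <customer> <field,field,...> <ticket|->"
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+)$")


def parse_line(line):
    """Parse one audit line into a dict; raises ValueError on malformed input."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"malformed audit line: {line!r}")
    ts, agent, customer, fields, ticket = m.groups()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
        "agent": agent,
        "customer": customer,
        "fields": set(fields.split(",")),
        "ticket": None if ticket == "-" else ticket,
    }


def analyze(lines):
    """Return {agent: finding} for agents that trip either signal."""
    events = [parse_line(line) for line in lines if line.strip()]
    by_agent = defaultdict(list)
    for ev in events:
        by_agent[ev["agent"]].append(ev)

    findings = {}
    for agent, evs in by_agent.items():
        evs.sort(key=lambda e: e["ts"])
        # Rolling one-hour window, counting distinct customers touched inside it.
        window, counts, peak = deque(), defaultdict(int), 0
        for ev in evs:
            window.append(ev)
            counts[ev["customer"]] += 1
            while ev["ts"] - window[0]["ts"] > WINDOW:
                old = window.popleft()
                counts[old["customer"]] -= 1
                if counts[old["customer"]] == 0:
                    del counts[old["customer"]]
            peak = max(peak, len(counts))

        unticketed_sensitive = sum(
            1 for ev in evs if ev["fields"] & SENSITIVE_FIELDS and ev["ticket"] is None
        )

        reasons = []
        if peak > MAX_DISTINCT_CUSTOMERS_PER_HOUR:
            reasons.append(f"{peak} distinct customers read within one hour")
        if unticketed_sensitive:
            reasons.append(f"{unticketed_sensitive} sensitive-field reads with no ticket")
        if reasons:
            findings[agent] = {
                "peak_distinct_per_hour": peak,
                "unticketed_sensitive_reads": unticketed_sensitive,
                "reasons": reasons,
            }
    return findings


def build_sample_log():
    """Constructed sample: two ordinary agents and one pulling ID images in bulk."""
    lines = [
        "2025-04-01T09:00:05Z agent_a cust_1001 name,email tkt_551",
        "2025-04-01T09:04:12Z agent_a cust_1002 name,balance tkt_552",
        "2025-04-01T09:20:40Z agent_a cust_1003 name,address tkt_553",
        "2025-04-01T10:15:00Z agent_c cust_3001 name,address,id_image tkt_600",
    ]
    start = datetime(2025, 4, 1, 11, 0, 0, tzinfo=timezone.utc)
    for i in range(120):  # 120 customers in 40 minutes, all with ID images, no tickets
        ts = (start + timedelta(seconds=20 * i)).strftime("%Y-%m-%dT%H:%M:%SZ")
        lines.append(f"{ts} agent_b cust_{5000 + i} name,address,balance,id_image -")
    return lines


if __name__ == "__main__":
    for agent, finding in analyze(build_sample_log()).items():
        print(agent, "->", "; ".join(finding["reasons"]))
```

The same two measurements are what an enforcing control would check before serving a record, rather than after the fact; the detection-only form is shown because it can be run against an existing audit trail without touching the support tooling.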
There is no valid reason why Coinbase or any other financial services company should ever be excepted from AML/KYC laws. If anything the laws ought to be even tighter to slow down financial flows to criminals and sanctioned entities.
> People with "significant" crypto balances are being assaulted on the street and in their own homes, and family members are being kidnapped for ransom. "Significant" in this case can be $10k or less.
I wonder why; select a person completely at random and at the median you'll get just as much from what they have sitting in their checking account. Select a nicer area for an order of magnitude more. That's not encouragement to go assault people in their homes or kidnap families... just confusion.
Yeah, but banks and the normie monetary system has a lot more safeguards in it when it comes to account transfers. Or at least, they appear to have them.
Crypto? It's wild, and people think it's wild.
I tried to use Coinbase a few months ago to pay for something, and I couldn't even make a transaction because it was deemed suspicious, and my account got locked or something.
Someone with a lot of cryptocurrency in Coinbase is also quite likely (at least relative to the average person) to have lots of on-chain cryptocurrency, too, though.
of course, you need to point out that Crypto has ended up being indistinguishable from the banking system in all the important parts.
The distinguishing parts are things you don't want: easily corrupted, grifted, cheated and otherwise duped.
The median person does not have $10k sitting in a checking account that they can easily withdraw. My gut feeling is that the threat of kidnapping is a lot more serious in some countries. The US maybe not so much.
> The median person does not have $10k sitting in a checking account that they can easily withdraw.
That's true, finding someone with 10k is not as easy as picking a person at random, but it is as easy as driving to the right parking lot and picking a person at random.
Pulling $10k out of the global banking system by physical coercion in a way that isn't reversible and won't get you caught is a hard problem; you might as well attempt to rob the bank instead. That's why most of the "successful" criminals in that space use social engineering and scamming where the victim is an unwitting participant rather than kidnapping someone.
With crypto, no bank or other middleman involved, it's like stealing physical cash/gold/diamonds from someone, if you know they have it in their possession, so violence can be a lot more successful at coercing a change of possession.
Good point, perhaps the lower $ examples are about other countries where that may be a lot more than median transactional account holdings and maybe that concern is part of why folks were using crypto holdings.
Bank transactions are reversible, crypto transactions are not.
Also, people do point guns in people’s faces and force them to pay them via Venmo or Cashapp. Google ‘Venmo robbery’ or ‘cashapp robbery’ for plenty of examples. Pointing a gun in someone’s face for $4M in crypto is a lot more lucrative.
The average American can't deal with a $1000 emergency.
Maybe they wouldn't be able to cover other planned expenses with said loss or something, but the median (I intentionally avoid referring to "average" for reasons also mentioned in this article) amount Americans have access to in their transactional bank accounts is $8,000 according to the Federal Reserve: https://www.fool.com/money/research/average-savings-account-...
Someone else made a great mention though: Coinbase didn't just serve the US. For the vast majority of countries these amounts are more than the yearly disposable income of a typical household. From that angle the numbers in the stories make a bit more sense.
I just switched to iPhone from a pixel device and I’m shook by all the spam calls. How do iPhone users deal with this?
It’s my biggest gripe. They can pretty accurately flag a number as Spam or Telemarketing but in the “Silence Unknown Callers” setting I can only silence every single unknown caller. I can’t silence every single number that’s not in my contacts. When the plumber calls to confirm he’s en route, my phone needs to ring. Stuff like that.
I would have assumed an unknown caller was defined as any number not in your contacts. what is it instead?
In the realm of Caller ID, a phone number may be "PRIVATE" (or "WITHHELD") or "UNKNOWN". An "UNKNOWN" Caller ID cannot display any name nor any number, because... they are not known to the switch.
Therefore, an unknown number that can be blocked/ignored by your phone or the app is one that doesn't support Caller ID's name or number functions. It doesn't have anything to do with who's in your Contacts app, because of course those consist of known names and known numbers.
There is a defined type “Unknown” which I think you’re describing, but it’s not exactly how the iOS feature works. It lets through those in your contacts or who you’ve had recent conversations with, and Siri suggestions. It’s basically a dumb proxy for letting through people you might actually want to talk with. Except sometimes you don’t know who/where/when those calls are coming from and I haven’t spoken to them before.
it is super fucking easy. it has been a decade since I answered an unknown number. if the plumber calls (and I don't have her/his number stored) it goes to voicemail. I then call the known company number. The communication is always one-way, I call you. I never answer. You follow this one very simple rule and you're good :)
There's plenty of situations where this doesn't work. If you're called from a business central line and you don't know their extension you just call back and get the normal call tree which can take you forever to get through. Or if you're on the "cancellation list" for an appointment: if they can't get through to you, they don't wait for you to call back, they just go on to the next person to schedule in their open slot.
Taxi cab dispatchers will do this for sure. They do callbacks to “confirm” your ride, especially when busy, because if you don’t answer, they simply drop your request on the sticky office floor.
this is a loss of business for them, not my problem. it is 2025, if they do not have map where i can track where they are etc.. imma not going to be using that service...
Glad it works for you, I’m not allergic to the phone like seemingly everyone else so I strive to minimize phone tag BS and would rather answer the calls I get and filter out known spam, it’s not rocket science it’s probably only 2 lines of code in the phone app
If call is spam and ignore spam option enabled, send call to voicemail.
That’s it, a simple line of code. Just make the option selectable and it’s done.
iPhone has been enshittified for several years now; it seems Apple engineers are not using their own phones any more. I can understand it - when you're a millionaire just from your corporate job you won't be a stressed power user of your own iPhones.
It’s not that it got worse, this feature has just never been great. It just feels half baked, which I agree a lot of Apple software has been trending towards. That said, what has increased is the volume of spam calls. So the importance of this feature has also increased.
It’s sad because this seems like such a low hanging fruit for a big improvement. At some point in the relatively recent past, they added the indicator of the caller being a spammer or telemarketer. Seems like that would have been a good time to also enhance this filter but it seems nobody ever connected the dots on that one. Or if I’m being even more cynical, some engineer actually decided he’d rather everyone see his work on every incoming spam call instead of his work quietly improving everyone’s experience
>some engineer actually decided
No sane person would flaunt Apple secrecy in such a fashion whilst employed there.
>instead of his work quietly improving everyone’s experience
Laughable that you feel that Apple engineers have the capacity for this kind of desire in 2025. If they did, Xcode would be way better to use. They can't even quietly improve their own experience.
Whatever man, I'm not trying to shit on them like you want me to. I think adding this simple feature that is likely little more than a line or two of code is a night and day comparison to overhauling something like Xcode to meet your definition of what "better" means
That seems...overly dramatic. Further, enshittification as a concept generally refers to VC/growth-hacking style situations.
Also, on TMobile if you dial #662#, it'll block the Scam Likely calls at the carrier.
Oh man. They start at 7AM and end around 4-5ish PM. I was hoping the war between Pakistan and India would make these stop. Jk obv. Nobody likes wars. But other than Tmobile are there similar methods for different providers? It can get so annoying. I did restrict calls from known numbers only.
Verizon (and I assume many other US carriers) offer junk call identification which your iPhone can block if you have ”Silence Junk Callers” toggled in Settings > Phone > Call Blocking & Identification.
https://support.apple.com/guide/iphone/block-or-avoid-unwant...
Yeup, I finally broke down and went from Android -> iPhone 16 Pro. I like a lot about Apple's personal security policies for their consumers vs Google, but damn, I miss Google's automatic call spam detection and management. All day long my Apple phone rings, and I just have to ignore the calls.
Unfortunately blocking all unknown calls is the only way to sanity. Otherwise we're talking 6-9 calls coming in ALL DAY, EVERY DAY.
The calls are coming from new numbers, across multiple area codes. A few months ago I would have advised using Begone (https://apps.apple.com/us/app/begone-spam-call-blocker/id159...) to block, but that only worked since these calls were isolated to blocks of area codes that were pretty safe to block like 888-XXX-XXXX; now ZERO of these calls are using a fixed area code that would be relatively safe to block.
I can't block all calls, but the screening feature on my Pixel did an immense job of filtering out the spam.
answer the call and immediately put it on mute. they will hang up and stop calling
I have my phone set to silence Unknown callers. What did you have setup on the Pixel before to block them?
That’s too heavy handed for me. I get valid calls that I need to answer that aren’t in my contacts.
The calls they flag as potential spam and telemarketers has been 100% accurate in my experience so i wish I could just silence those
Usually you are expecting these calls tho so you can turn off that feature when you do. If said person calls often, add them to your contacts.
They could also just easily enhance the feature right? It’s an extra if statement in the code. I get enough calls that it’s not practical to constantly edit a setting that’s like this. There’s nothing else in the settings app I change regularly, it’s mostly set and forget.
It’s much better to just silence every spam call manually instead of having to go into voicemail, listen, decide if I need to respond, hope that I’m acting quickly enough that the other person answers when I ring them back, etc. I imagine this works for a lot of people. But if you get enough calls, or get urgent calls for any reason, it’s not ideal.
For those that can’t imagine the use cases. Consider you are the primary contact for your elderly parent. If they fall in the middle of the night you might be getting a call from any random number. Do Not Disturb isn’t an option and sometimes the EMS guys will call you from their personal cell phone. Even some services like home security will call from random numbers. If I ask a plumber to come over, some random technician will call from their device to talk. If a potential client gets my number somehow, I’d prefer to answer versus them getting my voicemail.
You have to also factor in that a lot of people don’t even like leaving voicemail so they don’t leave one and I’m left guessing if it mattered that
I just see if they leave a message. If they don’t, they’re sorted. If they do I can always call them back.
I need calls from unknown numbers (doctors, vendors, etc.) Pixel would flag spam calls and not ring, all the unknown-but-valid callers got through without issue.
You turn off the notifications from unknown callers? How does Android handle it?
Sometimes you need to answer calls from unknown numbers.
Google's call screening feature picks up the phone before it rings and asks the caller why they're calling. If they actually give a good reason, then it shows you the reason as text and you can decide whether to hang up on them or answer. https://support.google.com/phoneapp/answer/9118387
iPhone user here. I put on airplane mode unless I'm making or expecting a call. Otherwise, I make it clear that email is my primary form of communication.
"Yeah yeah... installing your app now... oh there is an error... will try again..."
I started getting regular Coinbase login confirmation codes text messages with no attempts on my end
Same with my Microsoft account actually
I usually just ignore it but I assume someone is testing if my email can be used to login.
Oh yeah I get the Microsoft account emails, and Instagram ones, randomly (I have an account but never use it). I'm pretty sure SMS 2FA is turned off on my Coinbase account, which is highly recommended.
> I have been receiving regular spear phishing calls from these guys, or someone who bought the leaked data, with classic tactics like claiming that I need to confirm a potentially fraudulent transaction.
And how long has this been at an increased level? Because I'm not buying the Coinbase narrative that they didn't think this was a systemic issue until they were contacted by the 'cybercriminals'.
It started around the beginning of April, at the same time as I got an initial email from them about my account information being accessed. Which I'm thinking is probably the same breach as they're talking about here.
Scams have gotten better since AI. Most of the common spelling mistakes are gone.
I was looking through some phishing e-mails the other day out of curiosity and found a weird unicode character mistranslated. Immediately knew it was an artifact of bad translation. So they're not perfect, but they're damn good.
The common spelling mistakes are there for a reason most of the time.
> a reason
Because people who read the message and think it's professionally written despite the spelling errors have a large overlap with people who will fall for the scam, at least far enough that money is transferred.
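The "weird unicode character" tell mentioned above can be checked mechanically rather than by eye. The following is an added example written for this thread, not code from any commenter, that scans an email body for three things a translated or homoglyph-padded phish tends to leave behind: words mixing letters from more than one script (e.g. a Cyrillic "о" inside a Latin word), zero-width characters, and stray non-ASCII symbols such as U+FFFD from a broken conversion. It generalizes beyond the single mistranslated character in the comment to the mixed-script case. The sample email is constructed for the example; the script-of-character approximation via the Unicode character name is an assumption of the example, not a standard API.

```python
"""Report suspicious Unicode in an email body: mixed-script words, zero-width
characters, and non-ASCII symbols (translation/encoding artifacts)."""
import unicodedata

# Invisible code points commonly used to break up keywords or pad text.
ZERO_WIDTH = {"\u200b", "\u200c", "\u200d", "\u2060", "\ufeff"}


def script_of(ch):
    """Approximate the script of a letter from the first word of its Unicode
    name ("LATIN CAPITAL LETTER A" -> "LATIN"). Assumption for this example;
    good enough to separate Latin from Cyrillic/Greek/CJK look-alikes."""
    name = unicodedata.name(ch, "")
    return name.split(" ")[0] if name else "UNKNOWN"


def scan_text(text):
    """Return a list of (kind, word, detail) findings; empty list means clean."""
    findings = []
    for word in text.split():
        letters = [c for c in word if c.isalpha()]
        scripts = {script_of(c) for c in letters}
        if len(scripts) > 1:
            findings.append(("mixed-script", word, sorted(scripts)))
        for c in word:
            if c in ZERO_WIDTH:
                findings.append(("zero-width", word, unicodedata.name(c, "?")))
            elif ord(c) > 127 and not c.isalpha():
                # Non-letter, non-ASCII: curly quotes are benign, U+FFFD is not;
                # list them by name so a reviewer can decide.
                findings.append(("non-ascii", word, unicodedata.name(c, hex(ord(c)))))
    return findings


def explain_word(word):
    """Spell out every non-ASCII code point in a word, for manual review."""
    return [f"U+{ord(c):04X} {unicodedata.name(c, '?')}" for c in word if ord(c) > 127]


# Constructed sample: Latin text with Cyrillic "о" (U+043E) substituted in three
# words, a zero-width space after the link, and a replacement character at the end.
SAMPLE_EMAIL = (
    "Dear Coinbase cust\u043emer, a suspicious transaction was detected on your account. "
    "Confirm it now at https://c\u043einbase-verify.example/login\u200b "
    "or your funds will be l\u043ecked\ufffd"
)

if __name__ == "__main__":
    for kind, word, detail in scan_text(SAMPLE_EMAIL):
        print(f"{kind:13} {word!r:50} {detail}")
        print("   ", explain_word(word))
```

A message written entirely in one non-Latin script (a legitimate Russian or Greek email) produces no mixed-script finding, so the check targets substitution inside a word rather than the language of the message.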
Where was the number from? I received an impressive number of phone call attempts but thankfully I never answer unknown numbers. With Google call screen they hung up every time so I assume it's a scam.
> They speak perfect English, sound very friendly, and have knowledge of your account balance.
.. and are former employees of Coinbase .. oh! just imagining!!
it's a shame it'll never stop, and the criminal element is now legal capitalism